On Fri, 2018-03-09 at 09:11 -0800, James Bottomley wrote:
> On Thu, 2018-03-08 at 12:42 -0600, Jiandi An wrote:
> [...]
> > I'm no expert on IMA and its driver. James, will you be kind enough
> > to look into overhauling the IMA driver to not measure until after
> > initrd phase if that's the consensus on resolving this?
> 
> I'll add it to my todo list.
> 
> Since my TPM 2.0 test environment is a VM with a tpm that has a network
> connection to an emulator on my host, it's impossible to set it up so
> that it's built in (because you need the network config before you init
> the TPM) so I might accelerate if I suddenly need to debug IMA issues
> in this configuration.

There are a number of different issues being discussed.

- When IMA is enabled, unlike some other TPM device drivers, the TPM 2.0
  is not forced to be builtin. This is addressed by Jiandi's patch.

- Jason's comment questioning having Kconfig force the TPM to be builtin.

  Using Kconfig to force the TPM to be builtin is not required, but
  helpful. Users interested in IMA-measurement could configure the TPM
  as builtin themselves. Without the TPM builtin, IMA goes into
  TPM-bypass mode. Extending a TPM with IMA measurements, which was not
  builtin, but loaded at some unspecified point in time, changes the
  existing meaning of the IMA-measurement list.

- This use case, when the TPM is not builtin and unavailable before IMA
  is initialized.

  I would classify this use case as an IMA testing/debugging
  environment, when it cannot, for whatever reason, be built into the
  kernel or initialized before IMA.

From Dave Safford:

  For the TCG chain of trust to have any meaning, all files have to be
  measured and extended into the TPM before they are accessed. If the
  TPM driver is loaded after any unmeasured file, the chain is broken,
  and IMA is useless for any use case or any threat model.

  While the initramfs may be measured by the bootloader, there are two
  problems:

  1. IMA has no way of knowing if the kernel or initramfs has accessed
     any unmeasured files before TPM driver loading and IMA
     initialization.

  2. Even if we can somehow guarantee that nothing outside the initramfs
     has been accessed prior to IMA initialization, it is difficult if
     not impossible for the attestation server to know what a good
     initramfs measurement should be, as the initramfs is built on the
     suspect device in the first place. We can sort of trust the
     initramfs measurement in the reference manifest, but after that,
     the attestation server has no way to trust a reported initramfs
     measurement.

Mimi
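The attestation-side consequence Dave Safford describes above (a measurement list whose early entries never reached the TPM cannot be validated against PCR-10) can be shown with a small replay check of the kind an attestation server performs. This is an added example, not code from this thread or from the kernel's IMA implementation: the measurement list is constructed, the template hashes are stand-ins rather than real ima-ng template hashes, and the model of a late-loaded TPM driver (entries IMA logged before the driver was available are never extended into the PCR) is an assumption made for the illustration.

```python
import hashlib

# IMA's default measurement PCR and the width of a SHA-1 PCR bank.
IMA_PCR = 10
PCR_BYTES = 20


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation for a SHA-1 bank: new = SHA1(old || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def parse_measurement_list(text: str):
    """Parse the ascii_runtime_measurements layout:
    <pcr> <template-hash> <template-name> <template-data...>
    Only the PCR index and the template hash matter for PCR replay."""
    entries = []
    for line in text.strip().splitlines():
        fields = line.split()
        entries.append((int(fields[0]), bytes.fromhex(fields[1]), fields[2:]))
    return entries


def replay_pcr(entries, pcr_index=IMA_PCR) -> bytes:
    """What the attestation server computes: replay every logged
    template hash for the chosen PCR into a zeroed PCR."""
    pcr = bytes(PCR_BYTES)
    for idx, template_hash, _ in entries:
        if idx == pcr_index:
            pcr = pcr_extend(pcr, template_hash)
    return pcr


def simulate_tpm_pcr(entries, tpm_ready_after: int, pcr_index=IMA_PCR) -> bytes:
    """Model of the PCR the device's TPM really holds (assumption, see
    lead-in): while the TPM driver is not yet loaded, the first
    `tpm_ready_after` entries are recorded in IMA's list but no extend
    reaches the TPM, so those extends are lost for good."""
    pcr = bytes(PCR_BYTES)
    for n, (idx, template_hash, _) in enumerate(entries):
        if idx != pcr_index or n < tpm_ready_after:
            continue
        pcr = pcr_extend(pcr, template_hash)
    return pcr


def verify_quote(log_text: str, reported_pcr: bytes) -> bool:
    """Attestation-server check: the measurement list is only usable
    as evidence if it replays to the PCR value the TPM reports."""
    return replay_pcr(parse_measurement_list(log_text)) == reported_pcr


def _fake_template_hash(label: str) -> str:
    # Constructed stand-in for an ima-ng template hash (not a real one).
    return hashlib.sha1(label.encode()).hexdigest()


def _fake_file_hash(label: str) -> str:
    # Constructed stand-in for the file-data hash in the template data.
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed measurement list; paths and hashes are illustrative only.
CONSTRUCTED_LOG = "\n".join(
    f"10 {_fake_template_hash(p)} ima-ng sha256:{_fake_file_hash(p)} {p}"
    for p in ["boot_aggregate", "/init", "/bin/busybox",
              "/sbin/init", "/usr/lib/libc.so.6"]
)


if __name__ == "__main__":
    entries = parse_measurement_list(CONSTRUCTED_LOG)
    builtin = simulate_tpm_pcr(entries, tpm_ready_after=0)   # TPM up before IMA
    late = simulate_tpm_pcr(entries, tpm_ready_after=3)      # driver loaded later
    print("TPM builtin, list replays to PCR-10:", verify_quote(CONSTRUCTED_LOG, builtin))
    print("TPM loaded after 3 measurements:   ", verify_quote(CONSTRUCTED_LOG, late))
```

With the TPM available before IMA initializes, every list entry has a matching extend and the replay reproduces PCR-10. Once even one entry was logged before the driver loaded, the replay no longer matches and the server cannot distinguish "driver loaded late" from "list tampered with", which is the sense in which the chain is broken rather than merely shortened.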