On Tue, 2019-09-24 at 15:31 -0700, Lakshmi Ramasubramanian wrote:
[...]
> In one configuration I am testing, I see the TPM appear post IMA
> Init. Likely this is rare, but I was wondering if there was a reason
> why TPM information is only queried during IMA init, but never
> updated at a later point.

IMA involves a chain of custody attested through the TPM. If the TPM
isn't present on IMA init then that custody chain is broken and the
measurements can't be relied upon. For this reason, to use the TPM, it
must be present when IMA is initialized ... so the drivers all need
building into the kernel.

There has been some discussion that we could, for UEFI systems, use the
UEFI runtime drivers for the TPM until the actual driver is inserted but
no-one's looked into doing that.

James
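The broken chain of custody James describes can be made concrete by replaying a measurement log into a PCR the way a remote verifier does. This is an added illustration, not code from the thread or the kernel: the log lines are constructed in the shape of IMA's ascii_runtime_measurements, and the template-hash column is simply SHA-1 of the rest of the entry, a stand-in for the real ima-ng template hash. Entries logged before the TPM turned up were never extended, so the replay no longer matches what the TPM reports.

```python
"""Replay an IMA-style measurement log into a simulated PCR and compare
it with the value a (simulated) TPM holds.  Illustration only."""
import hashlib

PCR_LEN = 20  # SHA-1 PCR bank, which carries IMA's template hashes


def make_entry(pcr, filehash, path):
    """Build one constructed log line: '<pcr> <template-hash> <template data>'.
    The template hash here is sha1 of the template data, a simplification
    of the real length-prefixed ima-ng encoding."""
    body = f"ima-ng sha256:{filehash} {path}"
    thash = hashlib.sha1(body.encode()).hexdigest()
    return f"{pcr} {thash} {body}"


# Constructed sample log; file hashes are placeholders, not real digests.
LOG = [
    make_entry(10, "aa" * 32, "boot_aggregate"),
    make_entry(10, "bb" * 32, "/usr/bin/init"),
    make_entry(10, "cc" * 32, "/usr/lib/libc.so.6"),
]


def extend(pcr_value, template_hash):
    """TPM PCR extend: new = H(old || digest)."""
    return hashlib.sha1(pcr_value + template_hash).digest()


def replay(log_lines, start=b"\x00" * PCR_LEN):
    """What a verifier computes from the log alone."""
    pcr = start
    for line in log_lines:
        _, thash, _ = line.split(" ", 2)
        pcr = extend(pcr, bytes.fromhex(thash))
    return pcr


def simulate_tpm(log_lines, tpm_present_from=0):
    """Model a TPM that only receives extends once present: entries before
    index tpm_present_from were logged but never reached the TPM."""
    return replay(log_lines[tpm_present_from:])


def verify(log_lines, tpm_pcr):
    """True only if every logged entry was also extended into the TPM."""
    return replay(log_lines) == tpm_pcr


if __name__ == "__main__":
    print("TPM present at init:", verify(LOG, simulate_tpm(LOG, 0)))  # True
    print("TPM appeared late:  ", verify(LOG, simulate_tpm(LOG, 2)))  # False
```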