On Thu, 2019-10-03 at 08:40 -0700, Lakshmi Ramasubramanian wrote:
> On 9/24/19 3:37 PM, James Bottomley wrote:
> > On Tue, 2019-09-24 at 15:31 -0700, Lakshmi Ramasubramanian wrote:
> >
> > There has been some discussion that we could, for UEFI systems, use
> > the UEFI runtime drivers for the TPM until the actual driver is
> > inserted but no-one's looked into doing that.
> >
> > James
>
> Can IMA take a dependency on TPM and postpone IMA initialization
> until a TPM device shows up?

I don't believe we can postpone IMA initialization because it has to
start before any user space execution so it logs everything correctly
and the measurement chain is unbroken.

There are potentially two ways of fixing the IMA before TPM is ready
problem: one is to use the TPM BIOS device ... or really the UEFI
device since getting non-UEFI to measure external things is very
non-standard. And the other is to cache all the measurements and then
replay them through the TPM when it shows up.

> Has anyone looked into this?

I don't believe anyone has, no.

James
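A small model of the second option James describes (cache every measurement taken before the TPM driver is present, then replay the cache into the TPM in order), added here as an illustration; it is not code from this thread or from the kernel's IMA implementation. The `FakeTpm` and `ImaLog` classes and the sample measurements are constructed for the example; the only real semantics reused is the PCR extend rule, new = SHA-256(old || digest).

```python
import hashlib
from collections import deque

PCR_SIZE = 32  # SHA-256 bank; PCRs start zeroed


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2 extend semantics for a SHA-256 bank: new = H(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


class FakeTpm:
    """Constructed stand-in for the hardware TPM that appears late."""

    def __init__(self):
        self.pcr10 = bytes(PCR_SIZE)

    def extend(self, digest: bytes) -> None:
        self.pcr10 = pcr_extend(self.pcr10, digest)


class ImaLog:
    """Constructed model of the measurement list plus a replay cache."""

    def __init__(self):
        self.events = []          # ordered (name, digest) list, always kept
        self.pending = deque()    # digests not yet extended into hardware
        self.tpm = None

    def measure(self, name: str, data: bytes) -> bytes:
        digest = hashlib.sha256(data).digest()
        self.events.append((name, digest))
        if self.tpm is None:
            self.pending.append(digest)   # no TPM yet: cache, do not drop
        else:
            self.tpm.extend(digest)
        return digest

    def tpm_arrived(self, tpm: FakeTpm) -> bytes:
        """Bind the late TPM and replay the cache in original order."""
        self.tpm = tpm
        while self.pending:
            tpm.extend(self.pending.popleft())
        return tpm.pcr10

    def expected_pcr(self) -> bytes:
        """What PCR10 must hold if every logged event was extended in order."""
        pcr = bytes(PCR_SIZE)
        for _, digest in self.events:
            pcr = pcr_extend(pcr, digest)
        return pcr
```

A verifier that walks the log and recomputes `expected_pcr()` cannot tell whether the early events were extended live or replayed, which is what keeps the chain unbroken; replaying in any other order yields a different PCR value.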