On Fri, 2020-08-28 at 14:49 +0200, Petr Vorel wrote:
> > On Fri, 2020-08-28 at 08:05 +0200, Petr Vorel wrote:
> > > BTW there are also plans for reboot support [1] [2], that could be used as
> > > workaround for configuration without CONFIG_IMA_READ_POLICY=y and
> > > CONFIG_IMA_WRITE_POLICY=y.
> > The reboot support could also be used for carrying the IMA measurement
> > list across kexec and verifying the TPM PCRs.
> Adding into my TODO list. I'd just run whole test ima_kexec.sh twice and reboot
> in between.

The ima_kexec.sh test measures the kexec boot cmdline and kernel image.
What's needed is walking the measurement list, re-calculating the PCRs,
and then verifying them against the actual TPM PCRs. Maybe running the
ima_tpm.sh test twice.

Mimi
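
The replay described in the reply above, as an added example that is not part of the original thread or of LTP: walk the ASCII measurement list, extend a simulated PCR with each template digest, and compare the result with the value read from the TPM. It assumes the SHA-1 PCR bank; the function names and the sample entries are constructed for illustration.

```python
import hashlib

SHA1_LEN = 20


def replay_pcrs(lines):
    """Walk ascii_runtime_measurements lines; return {pcr_index: replayed SHA-1 PCR}."""
    pcrs = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or truncated lines
        index, digest = int(fields[0]), bytes.fromhex(fields[1])
        if len(digest) != SHA1_LEN:
            raise ValueError(f"unexpected template digest length: {line!r}")
        # A violation is logged with an all-zero template digest, but the
        # kernel extends the TPM with all 0xFF, so the replay does the same.
        if digest == bytes(SHA1_LEN):
            digest = b"\xff" * SHA1_LEN
        current = pcrs.get(index, bytes(SHA1_LEN))  # PCR starts as all zeros
        pcrs[index] = hashlib.sha1(current + digest).digest()  # TPM extend
    return pcrs


def verify(lines, tpm_pcrs):
    """Return the PCR indexes whose replayed value differs from the TPM's."""
    replayed = replay_pcrs(lines)
    return sorted(i for i, value in replayed.items() if tpm_pcrs.get(i) != value)


def make_entry(pcr, seed, name):
    """Build one constructed ima-ng style line (digests are not real measurements)."""
    digest = hashlib.sha1(seed).hexdigest()
    return f"{pcr} {digest} ima-ng sha1:{digest} {name}"


# Constructed sample list: on a real system the lines come from
# /sys/kernel/security/ima/ascii_runtime_measurements. After kexec the list
# carries the previous kernel's entries and the PCR is not reset, so the
# whole list is replayed from zero.
SAMPLE = [
    make_entry(10, b"boot", "boot_aggregate"),
    make_entry(10, b"kernel", "/boot/vmlinuz-sample"),
    f"10 {'0' * 40} ima-ng sha1:{'0' * 40} /var/log/sample-violation",
    make_entry(10, b"cmdline", "kexec-cmdline"),
]

if __name__ == "__main__":
    for index, value in replay_pcrs(SAMPLE).items():
        print(f"PCR-{index:02d}: {value.hex()}")
```

An empty list from verify() means every replayed PCR matches the value supplied for the TPM; any index it returns points at a list that was truncated, reordered or not fully carried across kexec.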