Hi Mimi,

> On Fri, 2020-08-28 at 14:49 +0200, Petr Vorel wrote:
> > > On Fri, 2020-08-28 at 08:05 +0200, Petr Vorel wrote:
> > > > BTW there are also plans for reboot support [1] [2], that could be used as
> > > > workaround for configuration without CONFIG_IMA_READ_POLICY=y and
> > > > CONFIG_IMA_WRITE_POLICY=y.

> > > The reboot support could also be used for carrying the IMA measurement
> > > list across kexec and verifying the TPM PCRs.

> > Adding into my TODO list. I'd just run whole test ima_kexec.sh twice and reboot
> > in between.

> The ima_kexec.sh test measures the kexec boot cmdline and kernel
> image. What's needed is walking the measurement list re-calculating
> the PCRs and then verifying them against the actual TPM PCRs. Maybe
> running the ima_tpm.sh test twice.

Right, thanks for clarification :). It takes some time till reboot
implementation in LTP API is implemented. But I hope to send fix for TPM 2.0 and
sha256 hash (these changes in v5.8) for ima_tpm.sh this week.

Kind regards,
Petr
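
The check described in the quoted reply (walk the measurement list, re-calculate the PCR, compare with the actual TPM PCR), as an added example that is not part of this thread or of LTP's ima_tpm.sh. It assumes the SHA-1 bank, PCR 10 and the ascii_runtime_measurements line layout; the function names and sample entries are constructed for illustration.

```python
import hashlib
import hmac

ZERO = bytes(20)      # template hash recorded in the list for a violation
ONES = b"\xff" * 20   # value that is extended into the TPM for a violation


def replay_pcr(lines, pcr_index=10):
    """Re-calculate a SHA-1 PCR from ascii_runtime_measurements-style lines."""
    pcr = ZERO  # assumption: the PCR was all zeros before the first extend
    for num, line in enumerate(lines, 1):
        if not line.strip():
            continue
        fields = line.split(None, 4)  # pcr, template hash, template name, rest
        if len(fields) < 4:
            raise ValueError(f"line {num}: too few fields")
        if int(fields[0]) != pcr_index:
            continue  # entry was extended into a different PCR
        digest = bytes.fromhex(fields[1])
        if len(digest) != 20:
            raise ValueError(f"line {num}: not a SHA-1 template hash")
        if digest == ZERO:
            digest = ONES  # violation: the list shows zeros, the TPM got 0xff
        pcr = hashlib.sha1(pcr + digest).digest()  # TPM extend operation
    return pcr


def verify_pcr(lines, tpm_pcr_hex, pcr_index=10):
    """Return True if the replayed list matches the PCR value read from the TPM."""
    calculated = replay_pcr(lines, pcr_index).hex()
    return hmac.compare_digest(calculated, tpm_pcr_hex.strip().lower())


# Constructed sample (not from a real system): two entries and one violation.
_t = [hashlib.sha1(s).hexdigest() for s in (b"constructed-1", b"constructed-2")]
SAMPLE = [
    f"10 {_t[0]} ima-ng sha256:{'ab' * 32} boot_aggregate",
    f"10 {'00' * 20} ima-ng sha256:{'00' * 32} /constructed/violation",
    f"10 {_t[1]} ima-ng sha256:{'cd' * 32} /constructed/bin/tool",
]

if __name__ == "__main__":
    print("calculated PCR-10:", replay_pcr(SAMPLE).hex())
```

A mismatch after kexec means the carried-over list and the TPM state disagree, for example because entries were lost or the list was not carried across.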