Re: Question on permissions of runtime and bios measurements files

On 5/5/2022 9:59 AM, William Roberts wrote:
> Currently the tss command line tools can't access the system
> measurement logs for users even if they are in the group tss:
>
> crw-rw---- 1 tss root 10, 224 Mai  3 17:22 /dev/tpm0
> -r--r----- 1 root root 0 Mai  3 17:22
> /sys/kernel/security/ima/binary_runtime_measurements
> -r--r----- 1 root root 0 Mai  3 17:22
> /sys/kernel/security/tpm0/binary_bios_measurements
>
> So with tss2_quote, a quote can be computed but not the pcrLog for the
> system PCRs.
> The problem could be solved if the log files were owned by tss.
> But that could create privacy issues because the pcrLog would e.g.
> contain executables in user home directories.
> Do you have any suggestions for how the problem could be addressed?

If it were me, I'd change the group to tss.

The privacy issue doesn't bother me because

- the attestation program has to get the log in some way.
- typically, only root executed files are measured.
- it contains the hashes, not the executables.

keylime opens the file as root, keeps it open forever, and
then drops its privilege.

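The pattern described in the reply (open the log while still root, keep the descriptor, then drop privilege) together with what a consumer actually does with binary_runtime_measurements afterwards, as an added example that is not part of this thread and is not keylime's or the tss tools' code. It assumes the ima-ng template layout written by ima_fs (u32 pcr, 20-byte SHA-1 template hash, length-prefixed template name and data, length-prefixed d-ng and n-ng fields in host byte order); the sample log bytes, file hashes and the /home/alice path are constructed here; the uid/gid to drop to are the caller's own so the script also runs unprivileged, and the hint to look up the tss account with pwd.getpwnam is an assumption about the deployment.

```python
"""Open an IMA log while privileged, drop privilege, then parse and replay it
as an attestation verifier would.  Added example for this thread; not keylime's
or the tss tools' code.  SAMPLE_LOG below is constructed."""
import hashlib
import os
import struct
import tempfile

TPM_DIGEST_SIZE = 20  # binary_runtime_measurements carries the SHA-1 template hash

def open_then_drop(path, uid, gid):
    """Open the log while still privileged, then switch to (uid, gid).
    The kernel checks permissions at open() only, so the retained file object
    keeps working after the switch.  Assumed to start as root for a real switch
    (e.g. the uid/gid of 'tss'); when already running as uid/gid the set*id
    calls are permitted and change nothing, so this also runs unprivileged."""
    f = open(path, "rb")
    if os.geteuid() == 0:
        os.setgroups([gid])        # only root may rewrite supplementary groups
    os.setresgid(gid, gid, gid)    # group first, while root can still do it
    os.setresuid(uid, uid, uid)
    if os.getresuid() != (uid, uid, uid) or os.getresgid() != (gid, gid, gid):
        raise RuntimeError("privilege drop did not take effect")
    return f

def _u32(buf, off):
    return struct.unpack_from("=I", buf, off)[0]  # host byte order, as ima_fs writes it

def parse_ima_ng_log(data):
    """Parse records with a length-prefixed template (ima-ng, ima-sig, ...).
    Rejects a record whose template hash is not SHA-1 over the stored template
    data; violation records legitimately carry an all-zero template hash."""
    records, off = [], 0
    while off < len(data):
        pcr = _u32(data, off); off += 4
        template_hash = data[off:off + TPM_DIGEST_SIZE]; off += TPM_DIGEST_SIZE
        nlen = _u32(data, off); off += 4
        name = data[off:off + nlen].decode("ascii"); off += nlen
        if name == "ima":
            raise ValueError("legacy 'ima' template has fixed-size fields; not handled here")
        dlen = _u32(data, off); off += 4
        tdata = data[off:off + dlen]; off += dlen
        if template_hash != bytes(TPM_DIGEST_SIZE) and template_hash != hashlib.sha1(tdata).digest():
            raise ValueError(f"template hash mismatch in record ending at offset {off}")
        fields, foff = [], 0
        while foff < len(tdata):
            flen = _u32(tdata, foff); foff += 4
            fields.append(tdata[foff:foff + flen]); foff += flen
        if len(fields) < 2:
            raise ValueError("expected at least d-ng and n-ng fields")
        algo, _, digest = fields[0].partition(b"\0")               # d-ng: "sha256:" NUL digest
        path = fields[1].rstrip(b"\0").decode("utf-8", "replace")  # n-ng: path NUL
        records.append({"pcr": pcr, "template": name, "template_hash": template_hash,
                        "algo": algo.rstrip(b":").decode("ascii"), "digest": digest, "path": path})
    return records

def extend_sha1(value, digest):
    return hashlib.sha1(value + digest).digest()

def replay_pcr(records, pcr=10):
    """Recompute the SHA-1 bank of `pcr` from the log, to compare with a quote.
    A violation record (zero template hash) is extended as 0xff*20, as IMA does."""
    value = bytes(TPM_DIGEST_SIZE)
    for r in records:
        if r["pcr"] != pcr:
            continue
        th = r["template_hash"]
        if th == bytes(TPM_DIGEST_SIZE):
            th = b"\xff" * TPM_DIGEST_SIZE
        value = extend_sha1(value, th)
    return value

def build_record(pcr, algo, file_digest, path, violation=False):
    """Encode one ima-ng record; used only to construct the sample log."""
    d_ng = algo.encode() + b":\0" + file_digest
    n_ng = path.encode() + b"\0"
    tdata = struct.pack("=I", len(d_ng)) + d_ng + struct.pack("=I", len(n_ng)) + n_ng
    th = bytes(TPM_DIGEST_SIZE) if violation else hashlib.sha1(tdata).digest()
    return (struct.pack("=I", pcr) + th + struct.pack("=I", 6) + b"ima-ng"
            + struct.pack("=I", len(tdata)) + tdata)

# Constructed sample log: the file contents, hashes and paths are made up.
SAMPLE_LOG = b"".join([
    build_record(10, "sha256", hashlib.sha256(b"boot_aggregate").digest(), "boot_aggregate"),
    build_record(10, "sha256", hashlib.sha256(b"#!/bin/sh\n").digest(), "/home/alice/bin/run.sh"),
])

def demo(log_path=None):
    """Read a log the keylime way and replay it.  With no path, SAMPLE_LOG is
    written to a temp file.  Drops to the caller's own uid/gid; as root you would
    use pwd.getpwnam("tss") instead (assumption about the deployment)."""
    if log_path is None:
        tmp = tempfile.NamedTemporaryFile(delete=False)
        tmp.write(SAMPLE_LOG); tmp.close()
        log_path = tmp.name
    with open_then_drop(log_path, os.getuid(), os.getgid()) as f:
        records = parse_ima_ng_log(f.read())
    return records, replay_pcr(records)

if __name__ == "__main__":
    recs, pcr10 = demo()
    for r in recs:
        print(f"PCR{r['pcr']} {r['template']} {r['algo']}:{r['digest'].hex()} {r['path']}")
    print("replayed PCR10 (sha1):", pcr10.hex())
```

Run it as root with the real path (`demo("/sys/kernel/security/ima/binary_runtime_measurements")`) and the ids of the tss account to see the drop take effect; the parsed records show what the privacy concern in the quoted message is about, namely that each entry carries a file digest and a file path (here the constructed /home/alice/bin/run.sh), not the executable itself. The replayed value is what a verifier compares against PCR 10 in the quote, and the per-record hash check catches a log that was edited after the fact.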