On Tue, 2023-08-01 at 11:19 -0700, Tushar Sugandhi wrote:
> IMA log entries can be lost due to a variety of causes, such as code bugs
> or error conditions, leading to a mismatch between TPM PCRs and
> the IMA log. Measuring TPM PCR update counter during ima_init would
> provide a baseline counter for the number of times the TPM PCRs are
> updated. The remote attestation service can compare this baseline
> counter with a subsequent measured one (e.g., post-kexec soft-boot) to
> identify if there are any lost IMA log events.
>
> Measure the TPM update counter at ima init.

No need for separate patches for one-line changes like this. Either
merge patches 5/6 and 6/6 or all three 4/6, 5/6, 6/6 together.

>
> Signed-off-by: Tushar Sugandhi <tusharsu@xxxxxxxxxxxxxxxxxxx>
> ---
>  security/integrity/ima/ima_init.c | 3 +++
>  security/integrity/ima/ima_main.c | 1 +
>  2 files changed, 4 insertions(+)
>
> diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
> index 63979aefc95f..9bb18d6c2fd6 100644
> --- a/security/integrity/ima/ima_init.c
> +++ b/security/integrity/ima/ima_init.c
> @@ -154,5 +154,8 @@ int __init ima_init(void)
>  UTS_RELEASE, strlen(UTS_RELEASE), false,
>  NULL, 0);
>
> + /* Measures TPM update counter at ima_init */
> + ima_measure_update_counter("ima_init_tpm_update_counter");
> +

With "ima_policy=critical_data" on the boot command line, the IMA
measurement list record looks like:

6e190cc643ff0b718485966a0300473baedface735 ima_init_tpm_update_counter 7570646174655f636f756e7465723d3330383b

Please change the "ima_init_tpm_update_counter" to something shorter and
the hex-encoded ASCII string and PCR counter to something readable.
Perhaps name this critical-data "tpm" and "tpm-info", similar to the
SELinux "selinux" and "selinux-state". Then again, if this is TPM
critical-data we should rethink what other info should be included.

>  return rc;
> }
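Review bot: in the ima_init.c hunk, whatever ima_measure_update_counter() returns is discarded and rc is returned unchanged, so a failure to record the baseline counter would be silent even though the post-kexec comparison described in the commit message depends on that baseline existing; the function is defined outside this patch (the diffstat touches only ima_init.c and ima_main.c), so please state whether it can fail and, if it can, either fold the failure into rc or log it. The comment `/* Measures TPM update counter at ima_init */` only restates the call; a comment saying why the baseline is taken at this point (before later PCR extends) so the attestation service can diff it against a later reading would be more useful.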
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 1bcd45cc5a6a..93357c245e82 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -1035,6 +1035,7 @@ void ima_kexec_cmdline(int kernel_fd, const void *buf, int size)
>  buf, size, "kexec-cmdline", KEXEC_CMDLINE, 0,
>  NULL, false, NULL, 0);
>  fdput(f);
> +
> }
>
> /**

Unnecessary change.

--
thanks,

Mimi
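Review bot: the ima_main.c hunk adds only a blank line before the closing brace of ima_kexec_cmdline(), which is whitespace churn unrelated to the TPM counter measurement (checkpatch also warns that a blank line before a close brace is unnecessary); drop this hunk from the patch.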
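To make concrete what the reply means by the hex-encoded ASCII string in the measurement list record, here is an added example, written for this page and not part of the thread or of the kernel patch under review. It parses a record of the shape quoted above and decodes the buffer field to readable text. The record line is the one quoted in the reply, used here as a constructed sample; the assumption (not stated on the page) is that the hex buffer is the last whitespace-separated field and the critical-data name is the field before it.

```python
"""Decode one IMA critical-data measurement record of the shape quoted above.

Record layout assumed here (not stated by the page):
    <template-hash> <critical-data name> <hex-encoded buffer>
"""
from dataclasses import dataclass, field

# Constructed sample: the record quoted in the review reply, verbatim.
SAMPLE_RECORD = (
    "6e190cc643ff0b718485966a0300473baedface735 "
    "ima_init_tpm_update_counter "
    "7570646174655f636f756e7465723d3330383b"
)


@dataclass
class CriticalDataRecord:
    template_hash: str          # first field, kept as the hex string shown
    name: str                   # critical-data name (second-to-last field)
    raw: bytes                  # decoded buffer bytes
    text: str                   # buffer as ASCII text
    fields: dict = field(default_factory=dict)  # parsed "key=value;" pairs


def parse_kv_buffer(text: str) -> dict:
    """Split a 'key=value;key=value;' buffer into a dict.

    A trailing ';' (as in the sample) is tolerated; a fragment without '='
    is rejected so a truncated or corrupted buffer does not parse silently.
    """
    out = {}
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed key/value fragment: {item!r}")
        key, value = item.split("=", 1)
        out[key] = value
    return out


def decode_record(line: str) -> CriticalDataRecord:
    """Parse one record line and decode its hex-encoded buffer field.

    Assumes the hex buffer is the last whitespace-separated field and the
    critical-data name the one before it (an assumption of this example).
    """
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("record needs at least hash, name and buffer fields")
    template_hash, name, hexbuf = parts[0], parts[-2], parts[-1]
    try:
        raw = bytes.fromhex(hexbuf)          # rejects odd length and non-hex
    except ValueError as exc:
        raise ValueError(f"buffer field is not valid hex: {exc}") from None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("buffer is not ASCII; refusing to guess an encoding") from None
    return CriticalDataRecord(template_hash, name, raw, text, parse_kv_buffer(text))


def update_counter(line: str) -> int:
    """Return the TPM update counter carried by a record as an integer."""
    rec = decode_record(line)
    try:
        return int(rec.fields["update_counter"])
    except KeyError:
        raise ValueError(f"record {rec.name!r} carries no update_counter") from None


if __name__ == "__main__":
    rec = decode_record(SAMPLE_RECORD)
    print(f"{rec.name}: {rec.text!r} -> update counter {update_counter(SAMPLE_RECORD)}")
```

Running it on the sample record yields the text `update_counter=308;`, which is what an attestation service would compare against a later reading of the same counter; a second record with a larger value than the number of IMA log entries recorded in between is the mismatch the commit message sets out to detect.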