Re: [PATCH 0/6] Measuring TPM update counter in IMA

On 8/3/23 18:36, Mimi Zohar wrote:
> On Thu, 2023-08-03 at 18:09 -0400, Stefan Berger wrote:
>> I can remove the kexec example if it is causing confusion. Please let me know.
>>
>> I am not convinced we need this series ... :-( Your kexec series prevents
>> further logging and especially PCR extensions after the frozen measurement log
>> has been created and in ima_add_template_entry(), if we hit an oom condition,
>> then we luckily do not extend the PCR either. If either the log was to have one
>> more entry than the number of PCR extensions that occurred, or vice versa, then the remote
>> attestation service will see this mismatch no matter what and the PCR update
>> counter won't help (and is generally not a good indicator for this purpose imo)
>> for it to recover from this. It's better to declare the system as un-trusted/
>> corrupted in this case then.
>
> As previously mentioned, there is a patch set that doesn't carry any
> records across kexec, if the measurement list is too large, and
> another proposal to trim the measurement list.
>
> In both of these cases including a new IMA measurement record, at least
> after the boot_aggregate, would help simplify detecting whether the
> measurement list has been trimmed/truncated.

And if you can detect that I would log an event but not using the PCR update counter.
Unless the state of PCRs is also logged, it's going to be unrecoverable for a log+quote
verifier from there.

   Stefan
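As an added example (not code from this thread or from the kernel's IMA implementation), the replay a log+quote verifier performs, simulated with a SHA-256 PCR bank and constructed template entries: a log with one entry fewer or one more than the number of extends fails verification, and a bare update counter only reports that the counts differ, not which digest is missing.

```python
import hashlib

# Constructed illustration: a SHA-256 PCR bank starts at all zeros and each
# extend computes new_pcr = SHA256(old_pcr || digest). A log+quote verifier
# replays the measurement log and compares the result with the quoted PCR.

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """One PCR extend on a SHA-256 bank."""
    return hashlib.sha256(pcr + digest).digest()

def replay_log(entries: list[bytes]) -> bytes:
    """Replay the log from the PCR reset value (32 zero bytes)."""
    pcr = bytes(32)
    for template in entries:
        # IMA extends the PCR with the digest of the template data
        pcr = pcr_extend(pcr, hashlib.sha256(template).digest())
    return pcr

def quote_matches(entries: list[bytes], quoted_pcr: bytes) -> bool:
    """True only if replaying the log reproduces the quoted PCR value."""
    return replay_log(entries) == quoted_pcr

def count_mismatch(entries: list[bytes], update_counter: int) -> bool:
    """A PCR update counter reveals only *that* the counts differ."""
    return len(entries) != update_counter

# Constructed sample: three template entries, all of which were extended.
LOG = [b"boot_aggregate", b"/usr/bin/bash", b"/etc/ima/policy"]
QUOTED_PCR = replay_log(LOG)   # what a quote of the IMA PCR would carry
UPDATE_COUNTER = len(LOG)      # counter value after those three extends

def scenarios() -> dict[str, bool]:
    """Verifier outcome for an intact log and two kinds of log/PCR skew."""
    truncated = LOG[1:]                 # boot_aggregate dropped (trimmed list)
    extra = LOG + [b"/tmp/unextended"]  # entry logged but extend never happened
    return {
        "intact": quote_matches(LOG, QUOTED_PCR),
        "truncated_log": quote_matches(truncated, QUOTED_PCR),
        "extra_log_entry": quote_matches(extra, QUOTED_PCR),
        # the counter flags the skew but cannot reproduce the missing digest
        "counter_flags_truncation": count_mismatch(truncated, UPDATE_COUNTER),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```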
