On 8/3/23 18:22, Mimi Zohar wrote:
On Thu, 2023-08-03 at 16:01 -0700, Tushar Sugandhi wrote:
+ scnprintf(buf, IMA_TPM_UPDATE_CTR_BUF_SIZE, "update_counter=%u;",
+ update_counter);
+
+ buf_len = strlen(buf);
+
+ result = ima_measure_critical_data("tpm_pcr_update_counter", event_name,
+ buf, buf_len, false, NULL, 0);
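Review bot: the separate strlen(buf) call is redundant; scnprintf already returns the number of characters written (excluding the terminating NUL, capped at the buffer size), so `buf_len = scnprintf(buf, IMA_TPM_UPDATE_CTR_BUF_SIZE, "update_counter=%u;", update_counter);` gives the same length without rescanning the buffer. If the record grows into the multi-field format discussed below (version, enabled bank count, IMA measurement count), IMA_TPM_UPDATE_CTR_BUF_SIZE needs to be resized with it, and using the scnprintf return value makes any truncation visible rather than silently measuring a cut-off record.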
The new record should contain everything needed to verify the
pcrCounter. For example, each IMA measurement record updates the
pcrCounter for each TPM bank enabled. So the number of enabled TPM
banks and number of IMA measurements should also be included in this
record.
Agreed. That should be valuable information.
How does the format below look for the buf above?
version=<N>.<N>.<N>;num_enabled_pcr_banks=<N>;pcrUpdateCounter=<N>;num_ima_measurements=<N>;
Refer to comment in 5/6.
Responded.
Perhaps include a version number as well, so that if we ever want to
include other information, we could.
By version number, do you mean kernel_version, or a new version
number specific to this record? Or something else?
This is a record version type number. The record format shouldn't
change, but we should be prepared for it changing. A single number
should be fine.
Sounds good.
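As an added example, not code from the patch or from anyone in this thread, the following is a verifier-side parser and sanity check for the record format proposed above. It assumes the field names exactly as drafted (version, num_enabled_pcr_banks, pcrUpdateCounter, num_ima_measurements), accepts the version either as a single integer (as suggested) or in the dotted form of the draft, and applies the rule stated in the thread that every IMA measurement bumps the pcrUpdateCounter once per enabled bank; the set of supported major versions and the sample records are constructed for illustration.

```python
"""Verifier-side check for the proposed tpm_pcr_update_counter record.

Added example, not part of the kernel patch or the thread.  Field names
follow the format proposed in the discussion; the supported-version set and
the "one counter increment per enabled bank per IMA measurement" rule are
assumptions taken from the thread, not from the TPM specification.
"""

import re

# Required keys of the record, in the order proposed in the thread.
REQUIRED_FIELDS = ("version", "num_enabled_pcr_banks",
                   "pcrUpdateCounter", "num_ima_measurements")

# Assumption: only major version 1 of the record format is understood.
SUPPORTED_MAJOR_VERSIONS = {1}


def parse_version(text: str) -> tuple:
    """Accept '1' (single number) or '1.0.0' (dotted); return an int tuple."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"bad version field {text!r}")
    return tuple(int(part) for part in text.split("."))


def parse_record(buf: str) -> dict:
    """Parse 'key=value;key=value;' into a dict with typed values.

    Rejects malformed pairs, duplicate keys, missing required keys and
    non-numeric counters so a corrupted record cannot pass as valid.
    """
    fields = {}
    for item in buf.split(";"):
        if not item:            # trailing ';' produces an empty tail item
            continue
        key, sep, value = item.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"malformed field {item!r}")
        if key in fields:
            raise ValueError(f"duplicate field {key!r}")
        fields[key] = value

    missing = [k for k in REQUIRED_FIELDS if k not in fields]
    if missing:
        raise ValueError(f"missing fields: {missing}")

    parsed = {"version": parse_version(fields["version"])}
    for key in REQUIRED_FIELDS[1:]:
        if not fields[key].isdigit():
            raise ValueError(f"{key} is not an unsigned integer")
        parsed[key] = int(fields[key])
    return parsed


def check_record(buf: str) -> dict:
    """Validate the record and split the counter into IMA and non-IMA updates.

    Per the thread, each IMA measurement extends every enabled PCR bank and
    each extend increments pcrUpdateCounter, so the IMA contribution is
    banks * measurements.  Anything above that was done by other PCR
    users (firmware, boot loader, ...); a counter below it is inconsistent.
    """
    rec = parse_record(buf)
    if rec["version"][0] not in SUPPORTED_MAJOR_VERSIONS:
        raise ValueError(f"unsupported record version {rec['version']}")
    if rec["num_enabled_pcr_banks"] == 0:
        raise ValueError("record reports no enabled PCR banks")

    ima_updates = rec["num_enabled_pcr_banks"] * rec["num_ima_measurements"]
    if rec["pcrUpdateCounter"] < ima_updates:
        raise ValueError(
            f"pcrUpdateCounter {rec['pcrUpdateCounter']} is below the "
            f"{ima_updates} updates implied by the IMA log")
    return {
        "version": rec["version"],
        "ima_updates": ima_updates,
        "other_updates": rec["pcrUpdateCounter"] - ima_updates,
    }


# Constructed sample records (not taken from a real system).
SAMPLE_OK = ("version=1.0.0;num_enabled_pcr_banks=2;"
             "pcrUpdateCounter=250;num_ima_measurements=120;")
SAMPLE_BAD = ("version=1;num_enabled_pcr_banks=2;"
              "pcrUpdateCounter=100;num_ima_measurements=60;")

if __name__ == "__main__":
    print(check_record(SAMPLE_OK))      # 240 IMA updates, 10 from elsewhere
    try:
        check_record(SAMPLE_BAD)        # 120 implied updates > counter of 100
    except ValueError as err:
        print("rejected:", err)
```

The check deliberately treats a counter larger than banks * measurements as expected (other PCR users exist before and beside IMA) and only a smaller counter as a hard failure; a stricter verifier that also knows the boot-time extend count can tighten the upper bound.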