IMA log entries can be lost due to a variety of causes, such as code bugs
or error conditions, leading to a mismatch between TPM PCRs and
the IMA log.  Measuring the TPM PCR update counter during ima_init would
provide a baseline counter for the number of times the TPM PCRs are
updated.  The remote attestation service can compare this baseline
counter with a subsequent measured one (e.g., post-kexec soft-boot) to
identify whether any IMA log events were lost.

Measure the TPM update counter at ima init.

Signed-off-by: Tushar Sugandhi <[email protected]>
---
 security/integrity/ima/ima_init.c | 3 +++
 security/integrity/ima/ima_main.c | 1 +
 2 files changed, 4 insertions(+)

diff --git a/security/integrity/ima/ima_init.c 
b/security/integrity/ima/ima_init.c
index 63979aefc95f..9bb18d6c2fd6 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -154,5 +154,8 @@ int __init ima_init(void)
                                  UTS_RELEASE, strlen(UTS_RELEASE), false,
                                  NULL, 0);
 
+       /* Measures TPM update counter at ima_init */
+       ima_measure_update_counter("ima_init_tpm_update_counter");
+
        return rc;
 }
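Review bot: the return value of ima_measure_update_counter() is discarded while the function's existing rc is returned unchanged, so a failure to record the counter leaves no trace and the attestation service would lose the baseline this patch exists to provide; either propagate the error into rc (if the earlier measurement succeeded) or at least log it with pr_err() so the gap is visible. The comment "/* Measures TPM update counter at ima_init */" also restates the code; saying why (the counter is the baseline a verifier compares against later PCR extend counts to detect lost IMA log entries) would be more useful to the next reader. Finally, ima_measure_update_counter() is not defined in this diff, so the commit should state which earlier patch in the series introduces it.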
diff --git a/security/integrity/ima/ima_main.c 
b/security/integrity/ima/ima_main.c
index 1bcd45cc5a6a..93357c245e82 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -1035,6 +1035,7 @@ void ima_kexec_cmdline(int kernel_fd, const void *buf, 
int size)
                                   buf, size, "kexec-cmdline", KEXEC_CMDLINE, 0,
                                   NULL, false, NULL, 0);
        fdput(f);
+
 }
 
 /**
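Review bot: this hunk only inserts a blank line after fdput(f) in ima_kexec_cmdline(), which is a whitespace-only change with no functional effect and is unrelated to measuring the TPM update counter described in the commit message; drop it from this patch (or fold it into whichever later patch adds code there) to keep the diff limited to the change under review.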
-- 
2.25.1


_______________________________________________
kexec mailing list
[email protected]
http://lists.infradead.org/mailman/listinfo/kexec