Hi folks,

I'm stumped with some issues with getting IMA to talk to the TPM interface 
driver, and was hoping you guys could help me out.

I am building IMA as an out-of-tree Kernel module. We are based off CentOS v7.3 
which is still sitting at the Linux v3.10 baseline (sad I know!). Everything 
seems to be fine but when I load the IMA module, it cannot seem to do a PCR 
read from the TPM driver:

2017-09-11T19:06:47.438 controller-1 kernel: info [  228.152893] ima: No TPM 
chip found, activating TPM-bypass! (rc=-19)


We also had to build TPM as an out-of-tree Kernel module, since we had to use 
the in-Kernel TPM resource manager which was unavailable till Jan 2017. TPM 
driver is loaded and operational:

2017-09-11T19:03:07.818 controller-1 kernel: info [    5.929071] tpm_tis 
MSFT0101:00: 2.0 TPM (device-id 0x1A, rev-id 16)



controller-1:~$ sudo lsmod | grep ima
ima                    47169  0
integrity               6430  1 ima


controller-1:~$ sudo lsmod | grep tpm
tpm_crb                 6458  0
tpm_tis                 5950  0
tpm_tis_core           10054  1 tpm_tis
tpm                    48093  3 tpm_crb,tpm_tis,tpm_tis_core


I've tracked down the failure to the tpm_pcr_read() in tpm-interface.c, this 
was added as an interface to integrity:

commit 659aaf2bb5496a425ba14036b5b5900f593e4484
Author: Rajiv Andrade <sra...@linux.vnet.ibm.com>
Date:   Mon Feb 2 15:23:44 2009 -0200

    TPM: integrity interface

    This patch adds internal kernel support for:
     - reading/extending a pcr value
     - looking up the tpm_chip for a given chip number

    Signed-off-by: Rajiv Andrade <sra...@linux.vnet.ibm.com>
    Signed-off-by: Mimi Zohar <zo...@us.ibm.com>
    Signed-off-by: James Morris <jmor...@namei.org>


The comment above the function implies that it cannot be executed if TPM is 
built as a Kernel module?

/* The TPM driver should be built-in, but for whatever reason it
 * isn't, protect against the chip disappearing, by incrementing
 * the module usage count.
 */


Is this understanding correct? If so then how do I get the IMA Kernel module to 
do a Kernel PCR read?


Any help you guys can offer me would be greatly appreciated.


Thanks,
Kam


P.S.: I don't see a /sys/devices/pnp0/<pnp#>/pcrs file on my system, although 
TSS2 commands seem to indicate that the PCR list is active.
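Editor's note: the following diagnostic script is an added example, not part of Kam's mail and not code from the kernel tree. It works on the two facts the mail already shows: rc=-19 is -ENODEV, which tpm_pcr_read() returns both when no chip is registered and when the caller was compiled against the inline stub in include/linux/tpm.h (the one used when CONFIG_TCG_TPM is unset), and the quoted lsmod output lists no "ima" among the users of tpm.ko, which is what the kernel would record if ima.ko had resolved tpm_pcr_read() from the tpm module. The sample lsmod and dmesg text is constructed from the output quoted above; the sysfs paths in check_live() and the use of modinfo -F depends are assumptions about the host, not something the mail confirms.

```shell
#!/bin/sh
# Added diagnostic helper for "ima: No TPM chip found, activating TPM-bypass! (rc=-19)".
# Not part of the original mail. Samples below are constructed from the mail's output.

# Constructed lsmod output (the six module lines quoted in the mail).
LSMOD_SAMPLE='ima                    47169  0
integrity               6430  1 ima
tpm_crb                 6458  0
tpm_tis                 5950  0
tpm_tis_core           10054  1 tpm_tis
tpm                    48093  3 tpm_crb,tpm_tis,tpm_tis_core'

# Constructed dmesg line, as quoted in the mail.
DMESG_SAMPLE='[  228.152893] ima: No TPM chip found, activating TPM-bypass! (rc=-19)'

# module_used_by MOD USER: read lsmod-style text on stdin and succeed (exit 0)
# when USER appears in the "Used by" column of MOD. That column is only
# populated for modules whose exported symbols another loaded module resolved.
module_used_by() {
  awk -v mod="$1" -v user="$2" '
    $1 == mod { n = split($4, u, ","); for (i = 1; i <= n; i++) if (u[i] == user) found = 1 }
    END { exit found ? 0 : 1 }'
}

# ima_bypass_rc: print the rc value from an IMA TPM-bypass line read on stdin.
ima_bypass_rc() {
  sed -n 's/.*activating TPM-bypass! (rc=\([-0-9]*\)).*/\1/p'
}

# errno_name RC: name the negative errno values IMA reports on this path.
errno_name() {
  case "$1" in
    -19) echo ENODEV ;;   # no chip registered, or the inline tpm_pcr_read() stub
    -2)  echo ENOENT ;;
    *)   echo "errno($1)" ;;
  esac
}

# check_live: checks to run on the affected host (paths assumed; adjust to taste).
check_live() {
  # Registered chips. If nothing is listed, tpm_chip_find_get() has nothing to return.
  echo "registered TPM chips:"; ls /sys/class/tpm 2>/dev/null
  # 'pcrs' is a TPM 1.2 sysfs attribute only; a 2.0 chip never exposes it, so its
  # absence on a TPM 2.0 system says nothing about whether PCRs are usable.
  cat /sys/class/tpm/tpm0/device/pcrs 2>/dev/null
  # Was ima.ko linked against tpm.ko at all? Assumed: modinfo can locate the module.
  echo "ima.ko depends on: $(modinfo -F depends ima 2>/dev/null)"
  if lsmod | module_used_by tpm ima; then
    echo "ima.ko resolves tpm_pcr_read() from tpm.ko: the chip lookup itself failed"
  else
    echo "ima.ko has no reference to tpm.ko: it was built against headers where"
    echo "CONFIG_TCG_TPM was unset, so tpm_pcr_read() is the inline -ENODEV stub"
  fi
}

# Offline demonstration against the constructed samples.
rc=$(printf '%s\n' "$DMESG_SAMPLE" | ima_bypass_rc)
echo "IMA bypass rc=$rc ($(errno_name "$rc"))"
if printf '%s\n' "$LSMOD_SAMPLE" | module_used_by tpm ima; then
  echo "sample lsmod: ima uses tpm.ko"
else
  echo "sample lsmod: ima does not use tpm.ko (consistent with the inline stub)"
fi
```

Run check_live on the host after sourcing the script. The two possible causes of -19 need different fixes (registering a chip versus rebuilding ima.ko against a config with CONFIG_TCG_TPM set), so the lsmod "Used by" test is the first thing to settle.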


_______________________________________________
tpmdd-devel mailing list
tpmdd-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel