Re: [PATCH] ima: remove ACPI dependency

From: Jean-Christophe Dubois
Date: Sun Oct 25 2009 - 14:18:21 EST

Next message: Paul Rolland: "Re: Intel Video : screen is "flickering""
Previous message: Greg KH: "Re: [PATCH 0/7] ark3116: (3rd try) driver rework"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

le mardi 20 octobre 2009 Mimi Zohar a écrit
> Remove ACPI dependency on systems without a TPM enabled.
>
> Reported-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxx>

This patch requires that another patch is first applied (as reported by Mimi in
the attached email).

Tested on top of 2.6.30 and 2.6.31 on armv5 platform (versatilePB) with both
patches applied.

Acked-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>

> ---
> security/integrity/ima/Kconfig | 16 +++++++---------
> 1 files changed, 7 insertions(+), 9 deletions(-)
>
> diff --git a/security/integrity/ima/Kconfig
> b/security/integrity/ima/Kconfig index 53d9764..3ca39e7 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -2,14 +2,12 @@
> #
> config IMA
> bool "Integrity Measurement Architecture(IMA)"
> - depends on ACPI
> select SECURITYFS
> select CRYPTO
> select CRYPTO_HMAC
> select CRYPTO_MD5
> select CRYPTO_SHA1
> - select TCG_TPM
> - select TCG_TIS
> + select ACPI if TCG_TPM
> help
> The Trusted Computing Group(TCG) runtime Integrity
> Measurement Architecture(IMA) maintains a list of hash
> @@ -18,12 +16,12 @@ config IMA
> to change the contents of an important system file
> being measured, we can tell.
>
> - If your system has a TPM chip, then IMA also maintains
> - an aggregate integrity value over this list inside the
> - TPM hardware, so that the TPM can prove to a third party
> - whether or not critical system files have been modified.
> - Read <http://www.usenix.org/events/sec04/tech/sailer.html>
> - to learn more about IMA.
> + If your system has a TPM chip, and it is enabled, then
> + IMA also maintains an aggregate integrity value over
> + this list inside the TPM hardware, so that the TPM can
> + prove to a third party whether or not critical system
> + files have been modified. To learn more about IMA, read
> + <http://www.usenix.org/events/sec04/tech/sailer.html>
> If unsure, say N.
>
> config IMA_MEASURE_PCR_IDX

--- Begin Message --- JC,

Sorry, this patch requires changes in the include/linux/tpm.h. Attached
is a TPM patch.

Mimi

On Thu, 2009-10-22 at 16:23 -0400, Mimi Zohar wrote:
> JC,
>
> It seems that James is waiting for an ACK or some type of
> acknowledgement from you. Would you mind giving it a try?
>
> Thanks!
>
> Mimi
>
> -------- Forwarded Message --------
> From: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
> To: linux-kernel@xxxxxxxxxxxxxxx
> Cc: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>, Jean-Christophe Dubois
> <jcd@xxxxxxxxxxxxxxx>, James Morris <jmorris@xxxxxxxxx>, David Safford
> <safford@xxxxxxxxxxxxxx>, Mimi Zohar <zohar@xxxxxxxxxx>
> Subject: [PATCH] ima: remove ACPI dependency
> Date: Tue, 20 Oct 2009 16:12:38 -0400
>
> Remove ACPI dependency on systems without a TPM enabled.
>
> Reported-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxx>
> ---
> security/integrity/ima/Kconfig | 16 +++++++---------
> 1 files changed, 7 insertions(+), 9 deletions(-)
>
> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> index 53d9764..3ca39e7 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -2,14 +2,12 @@
> #
> config IMA
> bool "Integrity Measurement Architecture(IMA)"
> - depends on ACPI
> select SECURITYFS
> select CRYPTO
> select CRYPTO_HMAC
> select CRYPTO_MD5
> select CRYPTO_SHA1
> - select TCG_TPM
> - select TCG_TIS
> + select ACPI if TCG_TPM
> help
> The Trusted Computing Group(TCG) runtime Integrity
> Measurement Architecture(IMA) maintains a list of hash
> @@ -18,12 +16,12 @@ config IMA
> to change the contents of an important system file
> being measured, we can tell.
>
> - If your system has a TPM chip, then IMA also maintains
> - an aggregate integrity value over this list inside the
> - TPM hardware, so that the TPM can prove to a third party
> - whether or not critical system files have been modified.
> - Read <http://www.usenix.org/events/sec04/tech/sailer.html>
> - to learn more about IMA.
> + If your system has a TPM chip, and it is enabled, then
> + IMA also maintains an aggregate integrity value over
> + this list inside the TPM hardware, so that the TPM can
> + prove to a third party whether or not critical system
> + files have been modified. To learn more about IMA, read
> + <http://www.usenix.org/events/sec04/tech/sailer.html>
> If unsure, say N.
>
> config IMA_MEASURE_PCR_IDX
tpm add default function definitions

Add default tpm_pcr_read/extend function definitions required
by IMA/Kconfig changes.

Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxx>

Index: security-testing-2.6/include/linux/tpm.h
===================================================================
--- security-testing-2.6.orig/include/linux/tpm.h
+++ security-testing-2.6/include/linux/tpm.h
@@ -31,5 +31,12 @@

extern int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf);
extern int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash);
+#else
+static inline int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf) {
+ return -ENODEV;
+}
+static inline int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) {
+ return -ENODEV;
+}
#endif
#endif

--- End Message ---

Next message: Paul Rolland: "Re: Intel Video : screen is "flickering""
Previous message: Greg KH: "Re: [PATCH 0/7] ark3116: (3rd try) driver rework"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]