Re: [PATCH] security: Fix IMA Kconfig for dependencies on ARM64

From: Mimi Zohar
Date: Mon Mar 12 2018 - 17:53:35 EST


On Fri, 2018-03-09 at 09:11 -0800, James Bottomley wrote:
> On Thu, 2018-03-08 at 12:42 -0600, Jiandi An wrote:
> [...]
> > I'm no expert on IMA and its driver. James, will you be kind enough
> > to look into overhauling the IMA driver to not measure until after
> > initrd phase if that's the consensus on resolving this?
>
> I'll add it to my todo list.
>
> Since my TPM 2.0 test environment is a VM with a tpm that has a network
> connection to an emulator on my host, it's impossible to set it up so
> that it's built in (because you need the network config before you init
> the TPM) so I might accelerate if I suddenly need to debug IMA issues
> in this configuration.

There are a number of different issues being discussed.

- When IMA is enabled, unlike some other TPM device drivers, the TPM
2.0 is not forced to be builtin.

This is addressed by Jiandi's patch.

- Jason's comment questioning having Kconfig force the TPM to be
builtin.

Using Kconfig to force the TPM to be builtin is not required, but
helpful. Users interested in IMA-measurement could configure the TPM
as builtin themselves. Without the TPM builtin, IMA goes into TPM-
bypass mode.

Extending a TPM with IMA measurements, which was not builtin, but
loaded at some unspecified point in time, changes the existing meaning
of the IMA-measurement list.

- This use case, when the TPM is not builtin and unavailable before
IMA is initialized.

I would classify this use case as an IMA testing/debugging
environment, when it cannot, for whatever reason, be built into the
kernel or initialized before IMA.

From Dave Safford:
For the TCG chain of trust to have any meaning, all files have to
be measured and extended into the TPM before they are accessed. If
the TPM driver is loaded after any unmeasured file, the chain is
broken, and IMA is useless for any use case or any threat model.

While the initramfs may be measured by the bootloader, there are
two problems:
1. IMA has no way of knowing if the kernel or initramfs has
accessed any unmeasured files before TPM driver loading and IMA
initialization.
2. Even if we can somehow guarantee that nothing outside the
initramfs has been accessed prior to IMA initialization, it is
difficult if not impossible for the attestation server to know what
a good initramfs measurement should be, as the initramfs is built
on the suspect device in the first place. We can sort of trust the
initramfs measurement in the reference manifest, but after that,
the attestation server has no way to trust a reported initramfs
measurement.

Mimi
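As an added illustration of the chain-of-trust point made above (example code written for this page, not code from the thread, from IMA or from the kernel), the following constructed Python simulation models sha1 PCR extension: entries measured while no TPM is available are logged but never extended, so an attestation server replaying the measurement list can no longer reproduce the quoted PCR. The template-hash construction and the stand-in file content hashes are simplifications assumed for the example.

```python
import hashlib

# Constructed model of IMA's sha1 PCR extension (not kernel code):
# PCR starts at all-zero bytes and each measurement is folded in as
# PCR = SHA1(PCR || template_digest).
PCR_START = b"\x00" * 20


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend operation for a SHA-1 bank."""
    return hashlib.sha1(pcr + digest).digest()


def template_hash(file_hash: bytes, path: str) -> bytes:
    """Simplified ima-ng style template digest over the entry's fields
    (assumed layout for this example, not the real template encoding)."""
    return hashlib.sha1(file_hash + path.encode()).digest()


def record_boot(files, tpm_available_from):
    """Simulate IMA measuring `files` in access order.

    Entries with an index below `tpm_available_from` are measured while
    the TPM driver is not yet loaded: IMA is in TPM-bypass mode, so the
    entry lands in the measurement list but the PCR is never extended.
    Returns (measurement_list, final_pcr_value).
    """
    log = []
    pcr = PCR_START
    for i, path in enumerate(files):
        file_hash = hashlib.sha1(path.encode()).digest()  # stand-in for content hash
        entry = template_hash(file_hash, path)
        log.append((path, entry))
        if i >= tpm_available_from:
            pcr = extend(pcr, entry)
    return log, pcr


def verify(log, quoted_pcr: bytes) -> bool:
    """Attestation-server side: replay every list entry from the reset
    value and check that the result matches the PCR the TPM quoted."""
    pcr = PCR_START
    for _, entry in log:
        pcr = extend(pcr, entry)
    return pcr == quoted_pcr
```

With the TPM present from the first measurement the replay matches; once even one early entry was logged without being extended, every later quote fails verification, which is the "broken chain" described above.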