On Thu, 2021-12-02 at 11:45 -0500, Stefan Berger wrote:
> On 12/2/21 11:29, James Bottomley wrote:
> > On Thu, 2021-12-02 at 08:41 -0500, Stefan Berger wrote:
> > > On 12/2/21 07:46, James Bottomley wrote:
> > > > On Tue, 2021-11-30 at 11:06 -0500, Stefan Berger wrote:
> > > > > Move measurement list related variables into the
> > > > > ima_namespace. This way a front-end like SecurityFS can show
> > > > > the measurement list inside an IMA namespace.
> > > > >
> > > > > Implement ima_free_measurements() to free a list of
> > > > > measurements and call it when an IMA namespace is deleted.
> > > >
> > > > This one worries me quite a lot. What seems to be happening in
> > > > this code:
> > > >
> > > > > @@ -107,7 +100,7 @@ static int ima_add_digest_entry(struct
> > > > > ima_namespace *ns,
> > > > >  	qe->entry = entry;
> > > > >  	INIT_LIST_HEAD(&qe->later);
> > > > > -	list_add_tail_rcu(&qe->later, &ima_measurements);
> > > > > +	list_add_tail_rcu(&qe->later, &ns->ima_measurements);
> > > > >  	atomic_long_inc(&ns->ima_htable.len);
> > > > >  	if (update_htable) {
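Review bot: the lifetime of the list this entry is placed on no longer matches the lifetime of the PCR it extends, and the hunk does not address that. `list_add_tail_rcu(&qe->later, &ns->ima_measurements);` puts the entry on the namespace's own list, which the description says ima_free_measurements() frees when the namespace is deleted, while the surrounding discussion notes that the PCR extend for the same entry is not namespaced and always reaches the physical TPM. Either the caller should also record the entry in the host (init namespace) list whenever the physical PCR is extended, or the extend should be skipped for namespace-only entries; whichever is chosen belongs in the same patch, with a comment at this call site saying which list is authoritative for replaying the physical PCR.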
> > > > is that we now only add the measurements to the namespace list,
> > > > but that list is freed when the namespace dies. However, the
> > > > measurement is still extended through the PCRs meaning we have
> > > > incomplete information for a replay after the namespace dies?
> > >
> > > *Not at all.* The measurement list of the namespace is independent
> > > of the host.
> >
> > I get that the host can set up a policy to log everything in the
> > namespace, but that wasn't my question. My question is can the guest
> > set up a policy to log something that doesn't go into the host log
> > (because the host hasn't asked for it to be logged) but extends a
> > PCR anyway, thus destroying the ability of the host to do log replay.
> >
> > > The cover letter states:
> > >
> > > host log goes with host TPM and vice versa
> > > guest log goes with (optional) vTPM and vice versa
> >
> > But that's what doesn't seem to happen ... ima_pcr_extend isn't
> > virtualized and it's always called from ima_add_template_entry()
> > meaning the physical TPM is always extended even for a namespace-only
> > entry.
>
> Extending the PCR of the host's TPM would require the data to be
> logged in the host log as well. So, no, it's not possible.

Well, exactly: if you don't have or want a vTPM per container the only
way to attest is via the physical TPM, which means all entries in the
namespace must be in the host log, so the host owner can quote and
replay and they can split the attested log and give assurance to the
namespaces that their entries are correct.

James
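The replay argument running through the exchange above (a PCR quote is only useful to a verifier if every digest extended into that PCR appears in a log the verifier can replay), as an added example that is not part of the thread or of the patch series. It models a SHA-256 PCR, a constructed interleaved stream of host and namespace measurements that all reach the physical TPM, and a host log that either does or does not contain the namespace entries, then shows the "split the attested log" step from the last message. The file paths, contents and the `ns-a` namespace label are constructed, and `template_digest()` is a stand-in for IMA's real template digest.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of IMA PCR replay: each logged template digest is
# extended into a PCR (new = SHA256(old || digest)); a verifier recomputes
# the PCR from the log and compares it with the value in the TPM quote.

PCR_BANK_BYTES = 32  # SHA-256 bank; the PCR starts out all zero


@dataclass(frozen=True)
class Entry:
    ns: str               # "host" or a constructed IMA namespace label
    template_hash: bytes  # digest that IMA extends into the PCR for this entry


def template_digest(path: str, content: bytes) -> bytes:
    # Stand-in for an IMA template digest (real templates hash more fields).
    return hashlib.sha256(path.encode() + b"\0" + content).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    # TPM extend operation for a SHA-256 bank.
    return hashlib.sha256(pcr + digest).digest()


def replay(log: List[Entry]) -> bytes:
    # Recompute the PCR value implied by a measurement log, in log order.
    pcr = bytes(PCR_BANK_BYTES)
    for e in log:
        pcr = extend(pcr, e.template_hash)
    return pcr


# Constructed event stream in kernel processing order. Host and namespace
# measurements interleave, and every one of them reaches the physical TPM,
# matching the observation that the extend path is not namespaced.
EVENTS = [
    Entry("host", template_digest("/sbin/init", b"init-v1")),
    Entry("ns-a", template_digest("/app/server", b"server-v3")),
    Entry("host", template_digest("/usr/sbin/sshd", b"sshd-v9")),
    Entry("ns-a", template_digest("/app/plugin.so", b"plugin-v2")),
]


def run_scenario(host_logs_ns_entries: bool):
    """Return (quoted_pcr, host_log) for one host policy choice.

    True models a host policy that records namespace measurements in the
    host log. False models namespace-only entries that extend the physical
    PCR but live only in a namespace log that is freed when it exits.
    """
    quoted_pcr = replay(EVENTS)  # what the physical TPM reports in a quote
    host_log = [e for e in EVENTS if e.ns == "host" or host_logs_ns_entries]
    return quoted_pcr, host_log


def verify_and_split(quoted_pcr: bytes, host_log: List[Entry],
                     ns: str) -> Optional[List[Entry]]:
    """Replay the host log against the quote. On success return the slice
    belonging to `ns`, which is now attested because it came from a log
    that reproduced the quoted PCR; return None when the replay fails."""
    if replay(host_log) != quoted_pcr:
        return None
    return [e for e in host_log if e.ns == ns]


if __name__ == "__main__":
    for flag in (True, False):
        q, log = run_scenario(flag)
        attested = verify_and_split(q, log, "ns-a")
        status = "matches" if attested is not None else "FAILS"
        print(f"host logs namespace entries={flag}: replay {status}, "
              f"ns-a attested entries={len(attested) if attested else 0}")
```

Run as a script, the first scenario replays cleanly and hands `ns-a` its two attested entries; the second fails, because two digests that were extended into the PCR are in no surviving log, which is exactly the replay gap the thread is about.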