[3/6] ima: get TPM update counter

Message ID 20230801181917.8535-4-tusharsu@linux.microsoft.com (mailing list archive)
State New, archived
Series Measuring TPM update counter in IMA

Commit Message

Tushar Sugandhi Aug. 1, 2023, 6:19 p.m. UTC
Measuring the TPM PCR update counter will help the remote attestation
service to validate if there are any missing entries in the IMA log, when
the system goes through certain important state changes (e.g. kexec soft
boot, IMA log snapshotting etc.).  Detecting such missing entries would
help the remote attestation service functionality to be more robust.
It should also help the system administrators with manual investigations
when TPM PCR quotes go out of sync with IMA measurements.

Implement a new function, 'ima_tpm_get_update_counter()', which uses
the 'tpm_pcr_get_update_counter()' function from the TPM driver interface
to retrieve the PCR update counter of the TPM chip in use.

Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
---
 security/integrity/ima/ima.h       |  1 +
 security/integrity/ima/ima_queue.c | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)
Patch

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index c29db699c996..4acd0e5a830f 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -167,6 +167,7 @@  void ima_init_template_list(void);
 int __init ima_init_digests(void);
 int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
 			  void *lsm_data);
+int ima_tpm_get_update_counter(u32 *cpu_update_counter);
 
 /*
  * used to protect h_table and sha_table
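Review bot: the parameter name in the new prototype, `u32 *cpu_update_counter`, does not match the definition in ima_queue.c, which names it `update_counter`. The value is the TPM PCR update counter, not a CPU counter, so rename the prototype's parameter to `update_counter` so the header documents the same thing the implementation does.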
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
index 532da87ce519..38f5c35b23b2 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -135,6 +135,22 @@  unsigned long ima_get_binary_runtime_size(void)
 		return binary_runtime_size + sizeof(struct ima_kexec_hdr);
 }
 
+int ima_tpm_get_update_counter(u32 *update_counter)
+{
+	int result;
+
+	if (!update_counter)
+		return -EINVAL;
+
+	result = tpm_pcr_get_update_counter(ima_tpm_chip,
+				CONFIG_IMA_MEASURE_PCR_IDX, TPM_ALG_SHA1, update_counter);
+
+	if (result != 0)
+		pr_err("Failed to get TPM PCR update counter, result: %d\n", result);
+
+	return result;
+}
+
 static int ima_pcr_extend(struct tpm_digest *digests_arg, int pcr)
 {
 	int result = 0;
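Review bot: `ima_tpm_get_update_counter()` passes `ima_tpm_chip` straight to `tpm_pcr_get_update_counter()` without checking that a TPM was actually found; unless that interface is documented to accept a NULL chip, add an early return (as `ima_pcr_extend()` below guards on `ima_tpm_chip`) so a system without a TPM gets a clean error rather than a dereference inside the TPM driver. Two smaller points: the bank is hard-coded to `TPM_ALG_SHA1` even though IMA extends into every active bank and the SHA-1 bank may be disabled on some platforms, so either take the algorithm from the chip's active banks or explain in a comment why SHA-1 is sufficient here; and `pr_err()` on every failed call can flood the log if this is invoked repeatedly (e.g. at each snapshot or kexec), so consider `pr_err_once()` or a rate-limited variant. Finally, the continuation line `CONFIG_IMA_MEASURE_PCR_IDX, TPM_ALG_SHA1, update_counter);` should be aligned with the opening parenthesis per the kernel's coding style.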