[Openpts-users] RMs for Linux Kernel missing


Seiji Munetoh seiji****@gmail*****
Thu Sep 26 07:12:44 JST 2013


Hi

On Thu, Sep 26, 2013 at 1:18 AM, Mudassar Aslam <mudassar @ sics.se> wrote:
> I am setting up OpenPTS on Fedora 19 and following the user guide for Fedora
> 12 (section 5.2 in version 0.2.4). I have couple of questions:

There are new setup guides for some OSs.
https://github.com/openpts/openpts/wiki

> 1. Fedora 19 comes with grub2 whereas all the help I could find so far to
> set up measurements for IPL is about GRUB legacy (0.97 with patch). Even the
> OpenPTS user guide describes the old grub. I don't mind if my reference
> manifests don't have measurements for the grub. Is it necessary to have grub
> measurements when Linux-IMA is used? If yes, is it necessary to use old grub
> with patch or can I configure grub2 as well somehow?

Unfortunately, grub2 does not support trusted boot.
Therefore we cannot establish a transitive trust chain from CRTM to
Linux kernel for F19.
The alternative is DRTM by boot if your machine supports Intel TXT.

In this case, you can validate the BIOS and IMA measurements (without
trust chain) by attestation.

> 2. I am asking this because when I initialize the collector (ptsc -i), I get
> level 0 and level 1 RMs (i.e. rm0.xml, rm1.xml). However, when I check the
> status (ptsc -D), the FSM models it displays are only for BIOS (pcr0 to
> pcr7). Which means that GRUB models (pcr4,5,8) are not generated (maybe
> because I don't have GRUB-IMA). But at the same time the model and RM for pcr 10
> (Linux-IMA) are also missing even though I have compiled the kernel with IMA
> enabled and have IMA measurements in /sys/kernel/security/ima/. Is this due
> to the missing GRUB-IMA?

Probably, the current validation model does not support validation of
IMA measurements without trust chain (lack of GRUB-IMA).

> 3. The UML model for PCR10 in /usr/share/openpts/models is
> ima_rhel6_pcr10.uml. Is it OK to use this model in my /etc/ptsc.conf file
> when I am using Fedora?

I have not tested this with F19.
Also the validation of all IMA measurements still has some challenges.
- Limit the number of measurements by policy to solve the performance problem.
- Setup whitelist database

--
Seiji
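The thread above touches on two of the IMA validation challenges Seiji lists: replaying the pcr 10 measurement list to check that it matches the PCR value reported by the TPM, and checking each measured file against a whitelist. The following is an added example written for this page, not code from OpenPTS or from either poster. It assumes the kernel's `ascii_runtime_measurements` export with the `ima-ng` template (`PCR template-hash ima-ng algo:filehash path`), a SHA-1 PCR bank, and a whitelist supplied as a plain dictionary; every hash value in the sample log is constructed for the example and is not a real measurement.

```python
"""Replay an IMA measurement list into a PCR value and check it against a whitelist.

Added example for the openpts-users thread; not part of OpenPTS.  Input format is
assumed to be the kernel's ascii_runtime_measurements with the ima-ng template.
All hashes in SAMPLE_LOG and WHITELIST are constructed for the example.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class ImaEntry:
    pcr: int
    template_hash: bytes  # SHA-1 over the template data; this is what gets extended
    algo: str             # hash algorithm named in the d-ng field, e.g. "sha256"
    file_hash: str        # hex digest of the file contents (d-ng field)
    path: str             # n-ng field


def parse_ima_ng_line(line: str) -> ImaEntry:
    """Parse one 'ima-ng' line: '<pcr> <template-hash> ima-ng <algo>:<hash> <path>'."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5 or parts[2] != "ima-ng":
        raise ValueError(f"unsupported measurement line: {line!r}")
    pcr, template_hash, _, digest_field, path = parts
    algo, sep, file_hash = digest_field.partition(":")
    if sep != ":" or len(template_hash) != 40:
        raise ValueError(f"malformed digest field: {line!r}")
    return ImaEntry(int(pcr), bytes.fromhex(template_hash), algo, file_hash, path)


def replay_pcr(entries, pcr: int = 10) -> bytes:
    """Recompute the SHA-1 bank value of `pcr` from the logged template hashes.

    PCR := SHA1(PCR || template_hash), starting from 20 zero bytes.  The kernel logs a
    measurement violation as an all-zero template hash but extends the PCR with 0xff
    bytes, so a faithful replay has to substitute the same value.
    """
    value = bytes(20)
    for e in entries:
        if e.pcr != pcr:
            continue
        th = e.template_hash if e.template_hash != bytes(20) else b"\xff" * 20
        value = hashlib.sha1(value + th).digest()
    return value


def whitelist_mismatches(entries, whitelist: dict) -> list:
    """Entries whose path is unknown to the whitelist or whose (algo, hash) differs."""
    return [e for e in entries if whitelist.get(e.path) != (e.algo, e.file_hash)]


def verify_log(lines, whitelist: dict):
    """Parse a log, return (replayed PCR 10 as hex, list of paths failing the whitelist)."""
    entries = [parse_ima_ng_line(line) for line in lines]
    bad = [e.path for e in whitelist_mismatches(entries, whitelist)]
    return replay_pcr(entries).hex(), bad


# --- constructed sample data (not real measurements) ---------------------------
def _file_hash(label: str) -> str:
    return hashlib.sha256(label.encode()).hexdigest()


def _template_hash(label: str) -> str:
    return hashlib.sha1(label.encode()).hexdigest()


SAMPLE_LOG = [
    f"10 {_template_hash('t0')} ima-ng sha256:{_file_hash('boot_aggregate')} boot_aggregate",
    f"10 {_template_hash('t1')} ima-ng sha256:{_file_hash('/sbin/init shipped')} /sbin/init",
    # third entry: the measured libc differs from the whitelisted build
    f"10 {_template_hash('t2')} ima-ng sha256:{_file_hash('/lib64/libc.so.6 modified')} /lib64/libc.so.6",
]
WHITELIST = {
    "boot_aggregate": ("sha256", _file_hash("boot_aggregate")),
    "/sbin/init": ("sha256", _file_hash("/sbin/init shipped")),
    "/lib64/libc.so.6": ("sha256", _file_hash("/lib64/libc.so.6 shipped")),
}

if __name__ == "__main__":
    pcr10, mismatches = verify_log(SAMPLE_LOG, WHITELIST)
    print("replayed PCR10:", pcr10)
    print("whitelist mismatches:", mismatches)
```

In practice the replayed value is compared with the PCR 10 quote obtained from the TPM; if the two agree, the log is complete and unmodified, and only then is the per-file whitelist check meaningful. The `boot_aggregate` entry is where the BIOS PCRs (0 to 7) enter the IMA list, which is why, without a measured boot loader, the chain from CRTM to the kernel cannot be closed even when the IMA list itself verifies.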
