[PATCH -next RFC 0/4] IMA Root of Trust (RoT) Framework

GONG Ruiqi posted 4 patches 3 months, 1 week ago
[PATCH -next RFC 0/4] IMA Root of Trust (RoT) Framework
Posted by GONG Ruiqi 3 months, 1 week ago
Currently, the IMA subsystem can only use TPM as the Root of Trust
(RoT) device, and its coding is tightly coupled with TPM operations.

        ┌──────────┐    ┌───────────┐
       ┌┴─────────┐│   ┌┴──────────┐│
       │ Programs ├┘   │ Libraries ├┘
       └────┬─────┘    └────┬──────┘                       User
─ ─ ─ ─ ─ ─ │ ─ ─ ─ ─ ─ ─ ─ │ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─
            └────────┬──────┘                              Kernel
                     ▼
  ┌────────────────────────────────────┐  ┌────────────────┐
  │              IMA Hooks             │  │                │
  │ (file read, executed, mmapped etc) │  │                │
  └──────────────────┬─────────────────┘  │      IMA       │
                     ▼                    │ Initialization │
  ┌────────────────────────────────────┐  │                │
  │        IMA Measurement List        │  │                │
  └──────────────────┬─────────────────┘  └────┬───────┬───┘
               extend│      calc_boot_aggregate│   init│
                     ▼                         ▼       ▼
  ┌────────────────────────────────────────────────────────┐
  │                    TPM Device Driver                   │
  └─────────────────────────────┬──────────────────────────┘
                                │
─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ │ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─
                                ▼                          Hardware
                     ┌──────────────────┐
                     │    TPM Device    │
                     └──────────────────┘

In recent years, new scenarios such as Confidential Computing have
emerged, requiring IMA to use various new RoT devices proposed by
different vendors, such as Intel TDX[1] and Huawei VirtCCA[2]. To make
it easier for these devices to be integrated into the IMA subsystem, it
is necessary to decouple TPM specific code from IMA, while abstracting
IMA's configuration and operation to RoT devices into multiple
independent interfaces, ultimately forming an IMA RoT device framework.
This framework abstracts away the underlying details of various RoT
devices for IMA, and each type of RoT device can be "plugged in" and
utilized by IMA simply by implementing the framework interfaces.

            ┌──────────┐    ┌───────────┐
           ┌┴─────────┐│   ┌┴──────────┐│
           │ Programs ├┘   │ Libraries ├┘
           └────┬─────┘    └────┬──────┘                        User
─ ─ ─ ─ ─ ─ ─ ─ │ ─ ─ ─ ─ ─ ─ ─ │ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─
                └───────┬───────┘                               Kernel
                        ▼
     ┌────────────────────────────────────┐  ┌────────────────┐
     │              IMA Hooks             │  │                │
     │ (file read, executed, mmapped etc) │  │                │
     └──────────────────┬─────────────────┘  │      IMA       │
                        ▼                    │ Initialization │
     ┌────────────────────────────────────┐  │                │
     │        IMA Measurement List        │  │                │
     └──────────────────┬─────────────────┘  └────┬───────┬───┘
                  extend│      calc_boot_aggregate│   init│
                        ▼                         ▼       ▼
     ┌────────────────────────────────────────────────────────┐
     │                        IMA RoT                         │
     │                       Framework                        │
     └───────────────────────────┬────────────────────────────┘
         ┌───────────────┬───────┴─────────┬─────────────────┐
         ▼               ▼                 ▼                 ▼
┌────────────────┐ ┌────────────┐ ┌──────────────────┐ ┌────────────┐
│ VirtCCA Driver │ │ TPM Driver │ │ Intel TDX Driver │ │ xxx Driver │
└────────┬───────┘ └─────┬──────┘ └────────┬─────────┘ └─────┬──────┘
         │               │                 │                 │
─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─ ─ ─│─ ─ ─ ─ ─
         │               │                 │                 │  Hardware
         ▼               ▼                 ▼                 ▼
┌────────────────┐ ┌────────────┐ ┌──────────────────┐ ┌────────────┐
│ VirtCCA Device │ │ TPM Device │ │ Intel TDX Device │ │ xxx Device │
└────────────────┘ └────────────┘ └──────────────────┘ └────────────┘

This patch set provides an implementation of the aforementioned IMA RoT
framework, which can facilitate easier adaptation for new devices such
as Intel TDX and Huawei VirtCCA, as well as the classic TPM, to be an
RoT that IMA can utilize to maintain the system's integrity.

[1]: Reference for Intel TDX with IMA:
https://www.intel.cn/content/www/cn/zh/developer/articles/community/runtime-integrity-measure-and-attest-trust-domain.html

[2]: Reference for Huawei VirtCCA:
https://gitee.com/openeuler/kernel/blob/OLK-6.6/Documentation/virtcca/virtcca.txt


GONG Ruiqi (4):
  ima: rot: Introduce basic framework
  ima: rot: Prepare TPM as an RoT
  ima: rot: Make RoT kick in
  ima: rot: Involve per-RoT default PCR index

 security/integrity/ima/Kconfig            |  12 +-
 security/integrity/ima/Makefile           |   3 +-
 security/integrity/ima/ima.h              |  11 +-
 security/integrity/ima/ima_api.c          |   4 +-
 security/integrity/ima/ima_crypto.c       | 139 +++----------------
 security/integrity/ima/ima_fs.c           |   4 +-
 security/integrity/ima/ima_init.c         |  14 +-
 security/integrity/ima/ima_main.c         |   4 +-
 security/integrity/ima/ima_queue.c        |  39 ++----
 security/integrity/ima/ima_rot.c          | 108 +++++++++++++++
 security/integrity/ima/ima_rot.h          |  42 ++++++
 security/integrity/ima/ima_template.c     |   2 +-
 security/integrity/ima/ima_template_lib.c |   4 +-
 security/integrity/ima/ima_tpm.c          | 154 ++++++++++++++++++++++
 security/integrity/ima/ima_tpm.h          |  19 +++
 15 files changed, 388 insertions(+), 171 deletions(-)
 create mode 100644 security/integrity/ima/ima_rot.c
 create mode 100644 security/integrity/ima/ima_rot.h
 create mode 100644 security/integrity/ima/ima_tpm.c
 create mode 100644 security/integrity/ima/ima_tpm.h

-- 
2.25.1

Re: [PATCH -next RFC 0/4] IMA Root of Trust (RoT) Framework
Posted by Mimi Zohar 3 months ago
Hi Ruiqi,

IMA has different roots of trust for secure and trusted boot.  I assume this
patch set is discussing the IMA measurement root of trust.

Acronyms are "an abbreviation consisting of the first letters of each word in
the name of something, pronounced as a word"[1].  Not all acronyms are
pronounced as a word, but in this case it would be.  I suggest you consider a
different acronym.

[1] https://dictionary.cambridge.org/us/dictionary/english/acronym

On Mon, 2025-06-30 at 20:59 +0800, GONG Ruiqi wrote:
> Currently, the IMA subsystem can only use TPM as the Root of Trust
> (RoT) device, and its coding is tightly coupled with TPM operations.
> 
>         ┌──────────┐    ┌───────────┐
>        ┌┴─────────┐│   ┌┴──────────┐│
>        │ Programs ├┘   │ Libraries ├┘
>        └────┬─────┘    └────┬──────┘                       User
> ─ ─ ─ ─ ─ ─ │ ─ ─ ─ ─ ─ ─ ─ │ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─
>             └────────┬──────┘                              Kernel
>                      ▼
>   ┌────────────────────────────────────┐  ┌────────────────┐
>   │              IMA Hooks             │  │                │
>   │ (file read, executed, mmapped etc) │  │                │
>   └──────────────────┬─────────────────┘  │      IMA       │
>                      ▼                    │ Initialization │
>   ┌────────────────────────────────────┐  │                │
>   │        IMA Measurement List        │  │                │
>   └──────────────────┬─────────────────┘  └────┬───────┬───┘
>                extend│      calc_boot_aggregate│   init│
>                      ▼                         ▼       ▼
>   ┌────────────────────────────────────────────────────────┐
>   │                    TPM Device Driver                   │
>   └─────────────────────────────┬──────────────────────────┘
>                                 │
> ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ │ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─
>                                 ▼                          Hardware
>                      ┌──────────────────┐
>                      │    TPM Device    │
>                      └──────────────────┘
> 
> In recent years, new scenarios such as Confidential Computing have
> emerged, requiring IMA to use various new RoT devices proposed by
> different vendors, such as Intel TDX[1] and Huawei VirtCCA[2]. To make
> it easier for these devices to be integrated into the IMA subsystem, it
> is necessary to decouple TPM specific code from IMA, while abstracting
> IMA's configuration and operation to RoT devices into multiple
> independent interfaces, ultimately forming an IMA RoT device framework.
> This framework abstracts away the underlying details of various RoT
> devices for IMA, and each type of RoT device can be "plugged in" and
> utilized by IMA simply by implementing the framework interfaces.
> 
>             ┌──────────┐    ┌───────────┐
>            ┌┴─────────┐│   ┌┴──────────┐│
>            │ Programs ├┘   │ Libraries ├┘
>            └────┬─────┘    └────┬──────┘                        User
> ─ ─ ─ ─ ─ ─ ─ ─ │ ─ ─ ─ ─ ─ ─ ─ │ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─
>                 └───────┬───────┘                               Kernel
>                         ▼
>      ┌────────────────────────────────────┐  ┌────────────────┐
>      │              IMA Hooks             │  │                │
>      │ (file read, executed, mmapped etc) │  │                │
>      └──────────────────┬─────────────────┘  │      IMA       │
>                         ▼                    │ Initialization │
>      ┌────────────────────────────────────┐  │                │
>      │        IMA Measurement List        │  │                │
>      └──────────────────┬─────────────────┘  └────┬───────┬───┘
>                   extend│      calc_boot_aggregate│   init│
>                         ▼                         ▼       ▼
>      ┌────────────────────────────────────────────────────────┐
>      │                        IMA RoT                         │
>      │                       Framework                        │
>      └───────────────────────────┬────────────────────────────┘
>          ┌───────────────┬───────┴─────────┬─────────────────┐
>          ▼               ▼                 ▼                 ▼
> ┌────────────────┐ ┌────────────┐ ┌──────────────────┐ ┌────────────┐
> │ VirtCCA Driver │ │ TPM Driver │ │ Intel TDX Driver │ │ xxx Driver │
> └────────┬───────┘ └─────┬──────┘ └────────┬─────────┘ └─────┬──────┘
>          │               │                 │                 │
> ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─ ─ ─│─ ─ ─ ─ ─
>          │               │                 │                 │  Hardware
>          ▼               ▼                 ▼                 ▼
> ┌────────────────┐ ┌────────────┐ ┌──────────────────┐ ┌────────────┐
> │ VirtCCA Device │ │ TPM Device │ │ Intel TDX Device │ │ xxx Device │
> └────────────────┘ └────────────┘ └──────────────────┘ └────────────┘
> 
> This patch set provides an implementation of the aforementioned IMA RoT
> framework, which can facilitate easier adaptation for new devices such
> as Intel TDX and Huawei VirtCCA, as well as the classic TPM, to be an
> RoT that IMA can utilize to maintain the system's integrity.

When extending an existing subsystem, the existing security guarantees need to
persist.  If they don't, there needs to be a clear explanation as to why they
don't.  For example, if no measurement root of trust is specified on the boot
command line, the default measurement root of trust should be configured at
build to default to the TPM.

Do you expect to support multiple measurement roots of trust at the same time?

Mimi

> 
> [1]: Reference for Intel TDX with IMA:
> https://www.intel.cn/content/www/cn/zh/developer/articles/community/runtime-integrity-measure-and-attest-trust-domain.html
> 
> [2]: Reference for Huawei VirtCCA:
> https://gitee.com/openeuler/kernel/blob/OLK-6.6/Documentation/virtcca/virtcca.txt
> 
> 
> GONG Ruiqi (4):
>   ima: rot: Introduce basic framework
>   ima: rot: Prepare TPM as an RoT
>   ima: rot: Make RoT kick in
>   ima: rot: Involve per-RoT default PCR index
> 
>  security/integrity/ima/Kconfig            |  12 +-
>  security/integrity/ima/Makefile           |   3 +-
>  security/integrity/ima/ima.h              |  11 +-
>  security/integrity/ima/ima_api.c          |   4 +-
>  security/integrity/ima/ima_crypto.c       | 139 +++----------------
>  security/integrity/ima/ima_fs.c           |   4 +-
>  security/integrity/ima/ima_init.c         |  14 +-
>  security/integrity/ima/ima_main.c         |   4 +-
>  security/integrity/ima/ima_queue.c        |  39 ++----
>  security/integrity/ima/ima_rot.c          | 108 +++++++++++++++
>  security/integrity/ima/ima_rot.h          |  42 ++++++
>  security/integrity/ima/ima_template.c     |   2 +-
>  security/integrity/ima/ima_template_lib.c |   4 +-
>  security/integrity/ima/ima_tpm.c          | 154 ++++++++++++++++++++++
>  security/integrity/ima/ima_tpm.h          |  19 +++
>  15 files changed, 388 insertions(+), 171 deletions(-)
>  create mode 100644 security/integrity/ima/ima_rot.c
>  create mode 100644 security/integrity/ima/ima_rot.h
>  create mode 100644 security/integrity/ima/ima_tpm.c
>  create mode 100644 security/integrity/ima/ima_tpm.h
> 
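The three interface points in the cover letter's second diagram (init, extend, calc_boot_aggregate) plus Mimi's request that an unspecified measurement root of trust fall back to the TPM, shown as an added userspace sketch that is not code from the patch set. The ops-table layout, the `rots[]` registry, the `ima_rot_select` helper, the toy FNV-based hash and the in-memory PCR bank standing in for a TPM driver are all assumptions made here for illustration.

```c
#include <stdint.h>
#include <string.h>

#define DIGEST_LEN 8   /* toy digest width; a real bank would be SHA-256 sized */
#define NR_PCRS 24

/* One RoT backend: the interface points named in the cover letter's diagram. */
struct ima_rot {
	const char *name;
	int default_pcr;   /* per-RoT default PCR index (patch 4 of the series) */
	int (*init)(struct ima_rot *rot);
	int (*extend)(struct ima_rot *rot, int pcr, const uint8_t *digest);
	int (*calc_boot_aggregate)(struct ima_rot *rot, uint8_t *out);
};

/* Stand-in for the extend hash (FNV-1a over a||b); NOT a cryptographic hash.
 * It reads a and b fully before writing, so out may alias a. */
static void toy_hash(const uint8_t *a, const uint8_t *b, uint8_t *out)
{
	uint64_t h = 1469598103934665603ULL;
	for (int i = 0; i < DIGEST_LEN; i++) { h ^= a[i]; h *= 1099511628211ULL; }
	for (int i = 0; i < DIGEST_LEN; i++) { h ^= b[i]; h *= 1099511628211ULL; }
	memcpy(out, &h, DIGEST_LEN);
}

/* Fake "TPM" backend: an in-memory PCR bank standing in for the TPM driver. */
static uint8_t tpm_pcrs[NR_PCRS][DIGEST_LEN];

static int tpm_init(struct ima_rot *rot) { (void)rot; memset(tpm_pcrs, 0, sizeof(tpm_pcrs)); return 0; }

static int tpm_extend(struct ima_rot *rot, int pcr, const uint8_t *digest) {
	(void)rot;
	if (pcr < 0 || pcr >= NR_PCRS) return -1;         /* reject out-of-range PCR */
	toy_hash(tpm_pcrs[pcr], digest, tpm_pcrs[pcr]);   /* PCR = H(PCR || digest) */
	return 0;
}

/* Boot aggregate: fold a fixed range of PCRs (0..7 here) into one digest. */
static int tpm_calc_boot_aggregate(struct ima_rot *rot, uint8_t *out) {
	(void)rot; memset(out, 0, DIGEST_LEN);
	for (int i = 0; i < 8; i++) toy_hash(out, tpm_pcrs[i], out);
	return 0;
}

static struct ima_rot rot_tpm = { "tpm", 10, tpm_init, tpm_extend, tpm_calc_boot_aggregate };
static struct ima_rot *rots[] = { &rot_tpm };   /* registry of plugged-in RoTs */

/* Select by name (e.g. from a boot parameter). NULL = not specified, which falls
 * back to the TPM as an assumed build-time default rather than to "no RoT". */
struct ima_rot *ima_rot_select(const char *name)
{
	if (!name) name = "tpm";
	for (size_t i = 0; i < sizeof(rots) / sizeof(rots[0]); i++)
		if (strcmp(rots[i]->name, name) == 0) return rots[i];
	return NULL;
}
```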

Re: [PATCH -next RFC 0/4] IMA Root of Trust (RoT) Framework
Posted by James Bottomley 3 months, 1 week ago
[+cc linux-coco]
On Mon, 2025-06-30 at 20:59 +0800, GONG Ruiqi wrote:
[...]
> This patch set provides an implementation of the aforementioned IMA
> RoT framework, which can facilitate easier adaptation for new devices
> such as Intel TDX and Huawei VirtCCA, as well as the classic TPM, to
> be an RoT that IMA can utilize to maintain the system's integrity.

This is inventing a separate but parallel system to the Coco TSM one. 
If IMA is going to measure to TDX RTMRs, there should at least be some
integration.  In theory the TSM backend can also do TPMs, so it looks
like it should become what you're calling the ROT for IMA subsystem and
IMA should simply make use of it.

Regards,

James