On Mon, 2018-03-12 at 15:59 -0600, Jason Gunthorpe wrote:

On Mon, Mar 12, 2018 at 05:53:18PM -0400, Mimi Zohar wrote:

quoted

Using Kconfig to force the TPM to be builtin is not required, but
helpful. ?Users interested in IMA-measurement could configure the TPM
as builtin themselves. ?Without the TPM builtin, IMA goes into TPM-
bypass mode.

This issues, broadly speaking, we have lots of TPM drivers, selecting
only some to actually support IMA shows we have some kind of problem
here.

True, IMA is not selecting the older TPM vendor specific modules, but
only the newer TPM_TIS and now TPM_CRB modules. ?That doesn't imply
that IMA only supports some TPMs. ?It means that by default, these
TPMs are builtin. ?Anyone building a kernel, can select the vendor
specific TPM to be builtin.

Mimi

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html