[OpenPower-Firmware] [PATCH] linux: configure CONFIG_I2C_OPAL as in-built.

Mimi Zohar zohar at linux.ibm.com
Sat Sep 26 04:18:53 AEST 2020


Hi Nayna,

On Wed, 2020-09-23 at 14:25 -0400, Nayna Jain wrote:
> Currently, skiroot_defconfig CONFIG_I2C_OPAL is built as a loadable
> module rather than builtin, even if CONFIG_I2C=y is defined. This
> results in a delay in the TPM initialization, causing IMA to go into
> TPM bypass mode. As a result, the IMA measurements are added to the
> measurement list, but do not extend the TPM. Because of this, it is
> impossible to verify or attest to the system's integrity, either from
> skiroot or the target Host OS.

The patch description is good, but perhaps we could provide a bit more
context before.

The concept of trusted boot requires the measurement to be added to the
measurement list and extend the TPM, prior to allowing access to the
file. By allowing access to a file before its measurement is included
in the measurement list and extended into the TPM PCR, a malicious file
could potentially prevent its own measurement from being added. As the
PCRs are tamper proof, measuring and extending the TPM prior to giving
access to the file guarantees that all file measurements are included
in the measurement list, including the malicious file.

IMA needs to be enabled before any files are accessed in order to
verify a file's integrity and extend the TPM with the file
measurement.  Queueing file measurements breaks the measure and extend,
before usage, trusted boot paradigm.

The ima-evm-utils package includes a test for walking the IMA
measurement list, calculating the expected TPM PCRs, and comparing the
calculated PCR values with the physical TPM.  Testing is important to
ensure the TPM is initialized prior to IMA.  Failure to validate the
IMA measurement list may indicate IMA went into TPM bypass mode, like
in this case.

thanks,

Mimi
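
The check described in the reply above (walk the IMA measurement list, calculate the expected PCR, compare it with the TPM) as an added example; it is not part of the original mail and is not ima-evm-utils code. It assumes the ASCII measurement list layout `PCR template-hash template-name ...`, the SHA-1 bank of PCR 10, and constructed sample entries; the function names are hypothetical.

```python
import hashlib

SHA1_LEN = 20
ZERO = bytes(SHA1_LEN)
ONES = b"\xff" * SHA1_LEN


def replay_pcr(ascii_list, pcr_index=10):
    """Recompute the SHA-1 bank value of one PCR from an IMA ASCII list."""
    pcr = ZERO  # the PCR is all zeros after a TPM reset
    for line in ascii_list.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != str(pcr_index):
            continue
        digest = bytes.fromhex(fields[1])
        if len(digest) != SHA1_LEN:
            raise ValueError("expected a SHA-1 template hash: " + line)
        # A violation entry is logged as all zeros but extended into the
        # TPM as all 0xFF.
        if digest == ZERO:
            digest = ONES
        pcr = hashlib.sha1(pcr + digest).digest()
    return pcr


def classify(ascii_list, tpm_pcr_hex, pcr_index=10):
    """Compare the replayed value with the PCR value read from the TPM."""
    expected = replay_pcr(ascii_list, pcr_index)
    actual = bytes.fromhex(tpm_pcr_hex)
    if actual == expected:
        return "match"
    if actual == ZERO and expected != ZERO:
        return "not-extended"  # list has entries, the TPM never saw them
    return "mismatch"


def sample_entry(name, violation=False):
    # Constructed sample entry: the template hash is derived from the name.
    h = "00" * SHA1_LEN if violation else hashlib.sha1(name.encode()).hexdigest()
    return f"10 {h} ima-ng sha256:{'ab' * 32} {name}"


SAMPLE = "\n".join([sample_entry("boot_aggregate"), sample_entry("/init"),
                    sample_entry("/constructed/file", violation=True)])

if __name__ == "__main__":
    good = replay_pcr(SAMPLE).hex()
    print(classify(SAMPLE, good), classify(SAMPLE, "00" * SHA1_LEN))
```

A `not-extended` result is the symptom the patch description reports: entries are present in the measurement list while the PCR still holds its reset value.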

> 
> Reported-by: Mimi Zohar <zohar at linux.ibm.com>
> Signed-off-by: Nayna Jain <nayna at linux.ibm.com>
> ---
>  openpower/configs/linux/skiroot_defconfig | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/openpower/configs/linux/skiroot_defconfig b/openpower/configs/linux/skiroot_defconfig
> index 44309e12..a555adb2 100644
> --- a/openpower/configs/linux/skiroot_defconfig
> +++ b/openpower/configs/linux/skiroot_defconfig
> @@ -216,7 +216,7 @@ CONFIG_I2C=y
>  CONFIG_I2C_CHARDEV=y
>  # CONFIG_I2C_HELPER_AUTO is not set
>  CONFIG_I2C_ALGOBIT=y
> -CONFIG_I2C_OPAL=m
> +CONFIG_I2C_OPAL=y
>  CONFIG_PPS=y
>  CONFIG_SENSORS_IBMPOWERNV=m
>  CONFIG_DRM=m
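
Review bot: At `CONFIG_I2C_OPAL=y`, only the I2C bus driver is switched to built-in; the TPM driver option that sits behind this bus is not in the hunk, so it cannot be seen here whether it is also `=y`. If it were `=m`, the TPM could still come up after IMA. Suggest naming that option in the commit message and confirming it is built in, and stating how the fix was verified, for example that the IMA measurement list now matches the TPM PCRs after boot.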



