[OpenPower-Firmware] [PATCH] linux: configure CONFIG_I2C_OPAL as in-built.
Joel Stanley
joel at jms.id.au
Tue Sep 29 16:14:43 AEST 2020
On Fri, 25 Sep 2020 at 18:19, Mimi Zohar <zohar at linux.ibm.com> wrote:
>
> Hi Nayna,
>
> On Wed, 2020-09-23 at 14:25 -0400, Nayna Jain wrote:
> > Currently, skiroot_defconfig CONFIG_I2C_OPAL is built as a loadable
> > module rather than builtin, even if CONFIG_I2C=y is defined. This
> > results in a delay in the TPM initialization, causing IMA to go into
> > TPM bypass mode. As a result, the IMA measurements are added to the
> > measurement list, but do not extend the TPM. Because of this, it is
> > impossible to verify or attest to the system's integrity, either from
> > skiroot or the target Host OS.
>
> The patch description is good, but perhaps we could provide a bit more
> context before.
>
> The concept of trusted boot requires the measurement to be added to the
> measurement list and extend the TPM, prior to allowing access to the
> file. By allowing access to a file before its measurement is included
> in the measurement list and extended into the TPM PCR, a malicious file
> could potentially prevent its own measurement from being added. As the
> PCRs are tamper proof, measuring and extending the TPM prior to giving
> access to the file, guarantees that all file measurements are included
> in the measurement list, including the malicious file.
>
> IMA needs to be enabled before any files are accessed in order to
> verify a file's integrity and extend the TPM with the file
> measurement. Queueing file measurements breaks the measure and extend,
> before usage, trusted boot paradigm.
>
> The ima-evm-utils package includes a test for walking the IMA
> measurement list, calculating the expected TPM PCRs, and comparing the
> calculated PCR values with the physical TPM. Testing is important to
> ensure the TPM is initialized prior to IMA. Failure to validate the
> IMA measurement list may indicate IMA went into TPM bypass mode, like
> in this case.
Thanks for the explanation Mimi. It's lucky that the TPM drivers can
be loaded early enough!
Should we add something like this to security/integrity/ima/Kconfig?
select I2C_OPAL if PPC_POWERNV
It's generally frowned upon to select user visible symbols, but IMA
does this for the TCG options already.
Cheers,
Joel
>
> thanks,
>
> Mimi
>
> >
> > Reported-by: Mimi Zohar <zohar at linux.ibm.com>
> > Signed-off-by: Nayna Jain <nayna at linux.ibm.com>
> > ---
> > openpower/configs/linux/skiroot_defconfig | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/openpower/configs/linux/skiroot_defconfig b/openpower/configs/linux/skiroot_defconfig
> > index 44309e12..a555adb2 100644
> > --- a/openpower/configs/linux/skiroot_defconfig
> > +++ b/openpower/configs/linux/skiroot_defconfig
> > @@ -216,7 +216,7 @@ CONFIG_I2C=y
> > CONFIG_I2C_CHARDEV=y
> > # CONFIG_I2C_HELPER_AUTO is not set
> > CONFIG_I2C_ALGOBIT=y
> > -CONFIG_I2C_OPAL=m
> > +CONFIG_I2C_OPAL=y
> > CONFIG_PPS=y
> > CONFIG_SENSORS_IBMPOWERNV=m
> > CONFIG_DRM=m
>
>
More information about the OpenPower-Firmware
mailing list