[OpenPower-Firmware] [PATCH] linux: configure CONFIG_I2C_OPAL as in-built.

Mimi Zohar zohar at linux.ibm.com
Tue Sep 29 22:19:06 AEST 2020


Hi Joel,

On Tue, 2020-09-29 at 06:14 +0000, Joel Stanley wrote:
> On Fri, 25 Sep 2020 at 18:19, Mimi Zohar <zohar at linux.ibm.com> wrote:
> >
> > Hi Nayna,
> >
> > On Wed, 2020-09-23 at 14:25 -0400, Nayna Jain wrote:
> > > Currently, skiroot_defconfig CONFIG_I2C_OPAL is built as a loadable
> > > module rather than builtin, even if CONFIG_I2C=y is defined. This
> > > results in a delay in the TPM initialization, causing IMA to go into
> > > TPM bypass mode. As a result, the IMA measurements are added to the
> > > measurement list, but do not extend the TPM. Because of this, it is
> > > impossible to verify or attest to the system's integrity, either from
> > > skiroot or the target Host OS.
> >
> > The patch description is good, but perhaps we could provide a bit more
> > context before.
> >
> > The concept of trusted boot requires the measurement to be added to the
> > measurement list and extend the TPM, prior to allowing access to the
> > file. By allowing access to a file before its measurement is included
> > in the measurement list and extended into the TPM PCR, a malicious file
> > could potentially prevent its own measurement from being added. As the
> > PCRs are tamper proof, measuring and extending the TPM prior to giving
> > access to the file, guarantees that all file measurements are included
> > in the measurement list, including the malicious file.
> >
> > IMA needs to be enabled before any files are accessed in order to
> > verify a file's integrity and extend the TPM with the file
> > measurement.  Queueing file measurements breaks the measure and extend,
> > before usage, trusted boot paradigm.
> >
> > The ima-evm-utils package includes a test for walking the IMA
> > measurement list, calculating the expected TPM PCRs, and comparing the
> > calculated PCR values with the physical TPM.  Testing is important to
> > ensure the TPM is initialized prior to IMA.  Failure to validate the
> > IMA measurement list may indicate IMA went into TPM bypass mode, like
> > in this case.
> 
> Thanks for the explanation Mimi. It's lucky that the TPM drivers can
> be loaded early enough!
> 
> Should we add something like this to security/integrity/ima/Kconfig?
> 
> select I2C_OPAL if PPC_POWERNV
> 
> It's generally frowned upon to select user visible symbols, but IMA
> does this for the TCG options already.

The other examples enable the TPM.  I2C_OPAL is dependent on I2C being
builtin.  I'm not sure if this select is complete, nor if this is where
it belongs.

Mimi



More information about the OpenPower-Firmware mailing list