On Fri, 25 Sep 2020 at 18:19, Mimi Zohar <zo...@linux.ibm.com> wrote:
>
> Hi Nayna,
>
> On Wed, 2020-09-23 at 14:25 -0400, Nayna Jain wrote:
> > Currently, skiroot_defconfig CONFIG_I2C_OPAL is built as a loadable
> > module rather than builtin, even if CONFIG_I2C=y is defined. This
> > results in a delay in the TPM initialization, causing IMA to go into
> > TPM bypass mode. As a result, the IMA measurements are added to the
> > measurement list, but do not extend the TPM. Because of this, it is
> > impossible to verify or attest to the system's integrity, either from
> > skiroot or the target Host OS.
>
> The patch description is good, but perhaps we could provide a bit more
> context before.
>
> The concept of trusted boot requires the measurement to be added to the
> measurement list and extend the TPM, prior to allowing access to the
> file. By allowing access to a file before its measurement is included
> in the measurement list and extended into the TPM PCR, a malicious file
> could potentially prevent its own measurement from being added. As the
> PCRs are tamper proof, measuring and extending the TPM prior to giving
> access to the file, guarantees that all file measurements are included
> in the measurement list, including the malicious file.
>
> IMA needs to be enabled before any files are accessed in order to
> verify a file's integrity and extend the TPM with the file
> measurement. Queueing file measurements breaks the measure and extend,
> before usage, trusted boot paradigm.
>
> The ima-evm-utils package includes a test for walking the IMA
> measurement list, calculating the expected TPM PCRs, and comparing the
> calculated PCR values with the physical TPM. Testing is important to
> ensure the TPM is initialized prior to IMA. Failure to validate the
> IMA measurement list may indicate IMA went into TPM bypass mode, like
> in this case.
Thanks for the explanation, Mimi. It's lucky that the TPM drivers can be
loaded early enough!

Should we add something like this to security/integrity/ima/Kconfig?

    select I2C_OPAL if PPC_POWERNV

It's generally frowned upon to select user visible symbols, but IMA does
this for the TCG options already.

Cheers,

Joel

> > thanks,
> >
> > Mimi
> >
> > > Reported-by: Mimi Zohar <zo...@linux.ibm.com>
> > > Signed-off-by: Nayna Jain <na...@linux.ibm.com>
> > > ---
> > >  openpower/configs/linux/skiroot_defconfig | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/openpower/configs/linux/skiroot_defconfig b/openpower/configs/linux/skiroot_defconfig
> > > index 44309e12..a555adb2 100644
> > > --- a/openpower/configs/linux/skiroot_defconfig
> > > +++ b/openpower/configs/linux/skiroot_defconfig
> > > @@ -216,7 +216,7 @@ CONFIG_I2C=y
> > >  CONFIG_I2C_CHARDEV=y
> > >  # CONFIG_I2C_HELPER_AUTO is not set
> > >  CONFIG_I2C_ALGOBIT=y
> > > -CONFIG_I2C_OPAL=m
> > > +CONFIG_I2C_OPAL=y
> > >  CONFIG_PPS=y
> > >  CONFIG_SENSORS_IBMPOWERNV=m
> > >  CONFIG_DRM=m
> > >
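Review bot: the one-line change from `CONFIG_I2C_OPAL=m` to `CONFIG_I2C_OPAL=y` fixes the ordering for this defconfig, but a defconfig edit is easy to regress silently, and the failure mode described in the commit message (IMA entering TPM bypass mode) produces no build or boot error. Consider pairing it with the Kconfig-level dependency Joel suggests in the thread, or at least recording in the commit message how the fix was validated (e.g. that the IMA measurement list replays to the physical PCR values, as the ima-evm-utils test does), so a later reviewer can tell a working config from a silently bypassed one. The hunk also shows only the I2C bus driver; it would be worth stating in the description that the TPM driver it serves is already built in, since the same ordering problem would otherwise reappear one layer up.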
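The check Mimi describes, walking the IMA measurement list and replaying the PCR extends to compare against the physical TPM, is what detects the bypass-mode failure this patch fixes. The following is an added example written for this thread, not code from ima-evm-utils or the kernel; it parses a constructed excerpt in the layout of `ascii_runtime_measurements` (PCR, template hash, template name, template data), replays SHA-1 extends into a zeroed PCR-10, and reports whether a given TPM PCR value matches. The sample template hashes and the "physical" PCR values fed to it are constructed for illustration. It also handles the one edge case a replay has to know about: a violation entry appears in the list with an all-zero template hash, but the kernel extends the PCR with all 0xff bytes for it.

```python
import hashlib

PCR_LEN = 20  # SHA-1 bank, the digest size of the template hash in the ASCII list
PCR_INDEX = 10  # IMA extends PCR 10 by default

# Constructed sample in the layout of /sys/kernel/security/ima/ascii_runtime_measurements:
# <pcr> <template-hash> <template-name> <template-data>
# The hashes are illustrative values, not real measurements.
SAMPLE_MEASUREMENT_LIST = """\
10 3f6a2f1e9b8c4d5a6b7c8d9e0f1a2b3c4d5e6f70 ima-ng sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 boot_aggregate
10 0000000000000000000000000000000000000000 ima-ng sha256:0000000000000000000000000000000000000000000000000000000000000000 /tmp/open-writers-violation
10 a1b2c3d4e5f60718293a4b5c6d7e8f9011223344 ima-ng sha256:2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae /usr/bin/kexec
"""


def parse_measurement_list(text):
    """Return a list of (pcr, template_hash_bytes, template_name, template_data) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(maxsplit=3)
        pcr = int(fields[0])
        template_hash = bytes.fromhex(fields[1])
        if len(template_hash) != PCR_LEN:
            raise ValueError("unexpected template hash length in: %r" % line)
        data = fields[3] if len(fields) > 3 else ""
        entries.append((pcr, template_hash, fields[2], data))
    return entries


def extend(pcr_value, digest):
    """TPM 1.2-style SHA-1 extend: new = SHA1(old || digest)."""
    return hashlib.sha1(pcr_value + digest).digest()


def replay_pcr(entries, pcr_index=PCR_INDEX):
    """Replay every entry for pcr_index from a zeroed PCR and return the expected hex value."""
    pcr = bytes(PCR_LEN)
    for pcr_num, template_hash, _name, _data in entries:
        if pcr_num != pcr_index:
            continue
        # Violation entries are listed with a zero template hash, but the
        # kernel extends with 0xff bytes so the violation is still recorded.
        if template_hash == bytes(PCR_LEN):
            template_hash = b"\xff" * PCR_LEN
        pcr = extend(pcr, template_hash)
    return pcr.hex()


def check_against_tpm(entries, tpm_pcr_hex, pcr_index=PCR_INDEX):
    """Compare the replayed value with the PCR read from the TPM.

    Returns (matches, expected_hex). A non-empty list whose replay does not
    match the TPM, in particular a TPM PCR that is still all zeros, is the
    signature of IMA having run in TPM bypass mode.
    """
    expected = replay_pcr(entries, pcr_index)
    return expected == tpm_pcr_hex.lower(), expected


if __name__ == "__main__":
    entries = parse_measurement_list(SAMPLE_MEASUREMENT_LIST)
    # Constructed "physical" PCR values: a TPM that was never extended (bypass
    # mode) and one that holds exactly the replayed value.
    for label, tpm_value in (("never-extended TPM", "00" * PCR_LEN),
                             ("correctly extended TPM", replay_pcr(entries))):
        ok, expected = check_against_tpm(entries, tpm_value)
        print("%s: %s (expected PCR-%d %s)" % (label, "OK" if ok else "MISMATCH",
                                               PCR_INDEX, expected))
```

On a real system the list would be read from `/sys/kernel/security/ima/ascii_runtime_measurements` and the PCR value from the TPM (for example through the tpm2-tools or the sysfs `pcrs` file on TPM 1.2); the comparison logic is the same. A mismatch where the TPM PCR is still all zeros, with a populated list, is exactly the symptom the patch description reports.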