Message-ID: <1520449719.5558.28.camel@HansenPartnership.com>
Subject: Re: [PATCH] security: Fix IMA Kconfig for dependencies on ARM64
From: James Bottomley
To: Mimi Zohar, Jason Gunthorpe, Jiandi An
Cc: dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com, linux-integrity@vger.kernel.org, linux-ima-devel@lists.sourceforge.net, linux-ima-user@lists.sourceforge.net, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Wed, 07 Mar 2018 11:08:39 -0800
In-Reply-To: <1520448953.10396.565.camel@linux.vnet.ibm.com>
References: <1520400386-17674-1-git-send-email-anjiandi@codeaurora.org> <20180307185132.GA30102@ziepe.ca> <1520448953.10396.565.camel@linux.vnet.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 2018-03-07 at 13:55 -0500, Mimi Zohar wrote:
> On Wed, 2018-03-07 at 11:51 -0700, Jason Gunthorpe wrote:
> >
> > On Tue, Mar 06, 2018 at 11:26:26PM -0600, Jiandi An wrote:
> > >
> > > TPM_CRB driver is the TPM support for ARM64.  If it
> > > is built as a module, the TPM chip is registered after IMA
> > > init.  tpm_pcr_read() in the IMA driver would fail and
> > > display the following message even though eventually
> > > there is a TPM chip on the system:
> > >
> > > ima: No TPM chip found, activating TPM-bypass! (rc=-19)
> > >
> > > Fix IMA Kconfig to select TPM_CRB so the TPM_CRB driver is
> > > built into the kernel and initializes before the IMA driver.
> > >
> > > Signed-off-by: Jiandi An
> > >  security/integrity/ima/Kconfig | 1 +
> > >  1 file changed, 1 insertion(+)
> > >
> > > diff --git a/security/integrity/ima/Kconfig
> > > b/security/integrity/ima/Kconfig
> > > index 35ef693..6a8f677 100644
> > > +++ b/security/integrity/ima/Kconfig
> > > @@ -10,6 +10,7 @@ config IMA
> > >   select CRYPTO_HASH_INFO
> > >   select TCG_TPM if HAS_IOMEM && !UML
> > >   select TCG_TIS if TCG_TPM && X86

Well, this explains why IMA doesn't work on one of my X86 systems: it's
got a non-i2c Infineon TPM.

> > > + select TCG_CRB if TCG_TPM && ACPI
> > >   select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
> > >   help
> > >     The Trusted Computing Group(TCG) runtime Integrity
> >
> > This seems really weird, why are any specific TPM drivers linked to
> > IMA config, we have lots of drivers..
> >
> > I don't think I've ever seen this pattern in Kconfig before?
>
> As you've seen by the current discussions, the TPM driver needs to be
> initialized prior to IMA.  Otherwise IMA goes into TPM-bypass mode.
> That implies that the TPM must be builtin to the kernel, and not as
> a kernel module.

Actually, that's not necessarily true:  If we don't begin appraisal until
after the initrd phase, then the initrd can load TPM modules before IMA
starts.  This would involve a bit of code rejigging to not require a TPM
until IMA wants to write its first measurement, but it looks doable and
would get us out of having to second guess TPM selections.

James
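Review bot: the commit message and the hunk disagree on the symbol name: the message says "select TPM_CRB so TPM_CRB driver is built in", but the line added at `@@ -10,6 +10,7 @@ config IMA` is `+ select TCG_CRB if TCG_TPM && ACPI`; the message should name TCG_CRB, the Kconfig symbol the diff actually touches. The scope also does not match the subject: "dependencies on ARM64" describes an ARM64 fix, yet the guard is `TCG_TPM && ACPI`, so every ACPI-enabled kernel with IMA built in, x86 included, now gets the CRB driver forced to built-in; either tighten the condition to the architecture the message targets (the neighbouring `select TCG_TIS if TCG_TPM && X86` shows the existing pattern) or describe the wider effect in the commit message. Lastly, the quoted diff header carries `+++ b/security/integrity/ima/Kconfig` with no matching `--- a/` line, so as quoted here the patch would not apply.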
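The failure the thread is about is easy to miss because IMA keeps running in TPM-bypass mode. As an added check, not code from this thread or from the kernel tree, the script below flags that condition from two inputs: a kernel .config where CONFIG_IMA=y but every TPM chip driver named in the hunk is modular or unset, and a dmesg excerpt containing the bypass message quoted in the commit message. Both inputs are constructed samples; the driver list is the one visible in the hunk, not an exhaustive list of TPM drivers.

```shell
#!/bin/sh
# Added example, not code from the thread or the kernel tree.
# Flags the IMA "TPM-bypass" condition discussed above from two inputs:
# a kernel .config (IMA built in, every TPM chip driver modular or off)
# and a dmesg excerpt containing the bypass message quoted in the patch.
# Constructed sample inputs (not captured from a real system).
SAMPLE_CONFIG='CONFIG_IMA=y
CONFIG_TCG_TPM=y
CONFIG_TCG_TIS=m
CONFIG_TCG_CRB=m
# CONFIG_TCG_IBMVTPM is not set'

SAMPLE_DMESG='[    0.000000] Linux version (constructed sample line)
[    1.300000] ima: No TPM chip found, activating TPM-bypass! (rc=-19)'

# config_value SYMBOL CONFIG_TEXT: prints y, m or n (n when unset).
config_value() {
  cv_val=$(printf '%s\n' "$2" | sed -n "s/^$1=//p")
  printf '%s' "${cv_val:-n}"
}

# tpm_drivers_modular CONFIG_TEXT: succeeds (0) when IMA is built in but no
# TPM chip driver is, so the chip can only register after IMA's init.
# The symbols checked are the ones in the hunk; real kernels have more.
tpm_drivers_modular() {
  [ "$(config_value CONFIG_IMA "$1")" = y ] || return 1
  for tdm_sym in CONFIG_TCG_TIS CONFIG_TCG_CRB CONFIG_TCG_IBMVTPM; do
    [ "$(config_value "$tdm_sym" "$1")" = y ] && return 1
  done
  return 0
}

# ima_in_bypass DMESG_TEXT: succeeds (0) when IMA reported TPM-bypass.
ima_in_bypass() {
  printf '%s\n' "$1" | grep -q 'ima: No TPM chip found, activating TPM-bypass'
}

# report CONFIG_TEXT DMESG_TEXT: human-readable summary of both checks.
report() {
  if tpm_drivers_modular "$1"; then
    echo "WARN: CONFIG_IMA=y but all TPM chip drivers are =m or unset"
  fi
  if ima_in_bypass "$2"; then
    echo "WARN: kernel log shows IMA running in TPM-bypass mode"
  fi
  return 0
}

report "$SAMPLE_CONFIG" "$SAMPLE_DMESG"
```

On a live system, feed it `/boot/config-$(uname -r)` and `dmesg` output instead of the samples; a clean result needs both checks to stay silent.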