Received: by 10.223.185.116 with SMTP id b49csp5405358wrg;
        Wed, 7 Mar 2018 11:10:08 -0800 (PST)
X-Google-Smtp-Source: AG47ELsmVNZciTZflnssS2o3hbtq4L6+WuZ5pGRLHgIR0NYCHcZLDqjslmyyixwZtjrtye4GpPxh
X-Received: by 10.98.10.219 with SMTP id 88mr23641871pfk.202.1520449808185;
        Wed, 07 Mar 2018 11:10:08 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1520449808; cv=none;
        d=google.com; s=arc-20160816;
        b=GfhWxGUWf0AIadUmrAJDksmJSsAUcybA1WQoRi8rsFIJ2OVzo5NKtk1L7VXZwysuEB
         c48VVpgVdQSK2FEf6m6ZwUjU5XNUOmdL8a4p2awtRgJFimqPy42HuNA/1C8KeqCGvDqW
         PtwKJi3K4VC4190D1rOu/aiJFXEJaKVTne7ckXUtsN/IHcsDIQ5v8f7Kk3lDz+QZDCVk
         IcOC/qKR0hd26lsWpPTp0qo1gLQTUUqTt6PEfnWUd+bavXwO4lQ/mFui7zZhvPMcwy94
         /H5iHM3qdy+vyKWCd09KsqgKaYive6AWehAuEBxmwrTvtYyeeFLsAfH4JfJiN59hEt3g
         U1nA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:date:cc:to:from:subject:message-id
         :dkim-signature:arc-authentication-results;
        bh=+LbrceMu1braNR6RNmpiVQREv06w2cXid4ugObNvh0o=;
        b=xNYoik6evax7e/ytR2gWJtRS3lE/E1955nS5Nh9OFOLgU7fvQk/tytSPofNdRElc2u
         HocThcmNqz6Fp2/cyCbJI+N0NzSM57OHqPqJm4GnidSq0BHPr8NVFrfhw3ZnH7OuNVeg
         ER2LT04knse5a9nWaVfFmb61yXehmVRIbGN9CJfGyUhsIGs7pBEJRr6r3fkdcXcmY7JT
         9OVayZUwCMUbn34n2m9HDMgRzWy5CLqdPxtF/FQ99tWzjugm36R3XJeL0k397LVQo3EZ
         vov8DGk+P2EDd2SZsc1ZJntK4hnWPVTehhTk3SS82RhT/6F6oCzvhKpbPTmTGbZ9Jyx8
         TGPw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=F1XnG3g2;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id y8si11831616pgp.602.2018.03.07.11.09.53;
        Wed, 07 Mar 2018 11:10:08 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=F1XnG3g2;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1754579AbeCGTIo (ORCPT <rfc822;ttoukan.linux@gmail.com>
        + 99 others); Wed, 7 Mar 2018 14:08:44 -0500
Received: from bedivere.hansenpartnership.com ([66.63.167.143]:51268 "EHLO
        bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1754333AbeCGTIm (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 7 Mar 2018 14:08:42 -0500
Received: from localhost (localhost [127.0.0.1])
        by bedivere.hansenpartnership.com (Postfix) with ESMTP id 95AE78EE1BF;
        Wed,  7 Mar 2018 11:08:41 -0800 (PST)
Received: from bedivere.hansenpartnership.com ([127.0.0.1])
        by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id s-7XiWsw7WrU; Wed,  7 Mar 2018 11:08:41 -0800 (PST)
Received: from [153.66.254.194] (unknown [50.35.65.221])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id C056C8EE0D3;
        Wed,  7 Mar 2018 11:08:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com;
        s=20151216; t=1520449721;
        bh=3M9+Wbs+RC2KboqG8MExjqVnKeav81M6blxrn6JrA60=;
        h=Subject:From:To:Cc:Date:In-Reply-To:References:From;
        b=F1XnG3g2WWuzJNnWRpJDwyWE80+J1Ye3WpF0FSFOdLy488QTkEibC6Ki+Zct3zhoA
         w2ql5jmsifk01/USGN3913kbTmTJmkthj6omaosXexxQ5dp4gh0XbDefPcPwm55eCi
         4l0BeGqoQ71n98LWO+1htsbnozaESu8b8rzjNGRI=
Message-ID: <1520449719.5558.28.camel@HansenPartnership.com>
Subject: Re: [PATCH] security: Fix IMA Kconfig for dependencies on ARM64
From:   James Bottomley <James.Bottomley@HansenPartnership.com>
To:     Mimi Zohar <zohar@linux.vnet.ibm.com>,
        Jason Gunthorpe <jgg@ziepe.ca>,
        Jiandi An <anjiandi@codeaurora.org>
Cc:     dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com,
        linux-integrity@vger.kernel.org,
        linux-ima-devel@lists.sourceforge.net,
        linux-ima-user@lists.sourceforge.net,
        linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Date:   Wed, 07 Mar 2018 11:08:39 -0800
In-Reply-To: <1520448953.10396.565.camel@linux.vnet.ibm.com>
References: <1520400386-17674-1-git-send-email-anjiandi@codeaurora.org>
         <20180307185132.GA30102@ziepe.ca>
         <1520448953.10396.565.camel@linux.vnet.ibm.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.20.5 
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 2018-03-07 at 13:55 -0500, Mimi Zohar wrote:
> On Wed, 2018-03-07 at 11:51 -0700, Jason Gunthorpe wrote:
> > 
> > On Tue, Mar 06, 2018 at 11:26:26PM -0600, Jiandi An wrote:
> > > 
> > > TPM_CRB driver is the TPM support for ARM64.  If it
> > > is built as module, TPM chip is registered after IMA
> > > init.  tpm_pcr_read() in IMA driver would fail and
> > > display the following message even though eventually
> > > there is TPM chip on the system:
> > > 
> > > ima: No TPM chip found, activating TPM-bypass! (rc=-19)
> > > 
> > > Fix IMA Kconfig to select TPM_CRB so TPM_CRB driver is
> > > built in kernel and initializes before IMA driver.
> > > 
> > > Signed-off-by: Jiandi An <anjiandi@codeaurora.org>
> > >  security/integrity/ima/Kconfig | 1 +
> > >  1 file changed, 1 insertion(+)
> > > 
> > > diff --git a/security/integrity/ima/Kconfig
> > > b/security/integrity/ima/Kconfig
> > > index 35ef693..6a8f677 100644
> > > +++ b/security/integrity/ima/Kconfig
> > > @@ -10,6 +10,7 @@ config IMA
> > >  	select CRYPTO_HASH_INFO
> > >  	select TCG_TPM if HAS_IOMEM && !UML
> > >  	select TCG_TIS if TCG_TPM && X86

Well, this explains why IMA doesn't work on one of my X86 systems: it's
got a non i2c infineon TPM.

> > > +	select TCG_CRB if TCG_TPM && ACPI
> > >  	select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
> > >  	help
> > >  	  The Trusted Computing Group(TCG) runtime Integrity
> > 
> > This seems really weird, why are any specific TPM drivers linked to
> > IMA config, we have lots of drivers..
> > 
> > I don't think I've ever seen this pattern in Kconfig before?
> 
> As you've seen by the current discussions, the TPM driver needs to be
> initialized prior to IMA.  Otherwise IMA goes into TPM-bypass mode.
>  That implies that the TPM must be builtin to the kernel, and not as
> a kernel module.

Actually, that's not necessarily true:  If we don't begin appraisal
until after the initrd phase, then the initrd can load TPM modules
before IMA starts.

This would involve a bit of code rejigging to not require a TPM until
IMA wants to write its first measurement, but it looks doable and would
get us out of having to second guess TPM selections.

James