Joel Stanley | cb9bf57 | 2020-09-29 16:18:12 +0930

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Joel Stanley <joel@jms.id.au>
Date: Tue, 29 Sep 2020 16:07:53 +0930
Subject: [PATCH 18/19] linux: configure CONFIG_I2C_OPAL as in-built.

Currently, skiroot_defconfig CONFIG_I2C_OPAL is built as a loadable
module rather than builtin, even if CONFIG_I2C=y is defined. This
results in a delay in the TPM initialization, causing IMA to go into
TPM bypass mode. As a result, the IMA measurements are added to the
measurement list, but do not extend the TPM. Because of this, it is
impossible to verify or attest to the system's integrity, either from
skiroot or the target Host OS.

Mimi Zohar <zohar@linux.ibm.com> explains more:

The concept of trusted boot requires the measurement to be added to the
measurement list and extend the TPM, prior to allowing access to the
file. By allowing access to a file before its measurement is included
in the measurement list and extended into the TPM PCR, a malicious file
could potentially prevent its own measurement from being added. As the
PCRs are tamper proof, measuring and extending the TPM prior to giving
access to the file, guarantees that all file measurements are included
in the measurement list, including the malicious file.

IMA needs to be enabled before any files are accessed in order to
verify a file's integrity and extend the TPM with the file
measurement. Queueing file measurements breaks the measure and extend,
before usage, trusted boot paradigm.

The ima-evm-utils package includes a test for walking the IMA
measurement list, calculating the expected TPM PCRs, and comparing the
calculated PCR values with the physical TPM. Testing is important to
ensure the TPM is initialized prior to IMA. Failure to validate the
IMA measurement list may indicate IMA went into TPM bypass mode, like
in this case.

Reported-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Joel Stanley <joel@jms.id.au>
---
arch/powerpc/configs/skiroot_defconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

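The commit message describes the ima-evm-utils check that walks the IMA measurement list, recomputes the expected PCR value and compares it with the physical TPM. The following is an added illustration of that replay logic, not code from this patch, from op-build or from ima-evm-utils. It assumes the ascii_runtime_measurements layout (PCR index, SHA-1 template hash, template name, file hash, path) and a SHA-1 PCR bank; the sample list, its template hashes and the SimulatedTpm class are constructed here for the example. It also shows why the check catches the bypass mode this patch fixes: entries recorded while the TPM driver was not yet available sit in the list but were never extended, so the replayed PCR 10 no longer matches what the TPM reports.

```python
import hashlib

# Constructed stand-in for /sys/kernel/security/ima/ascii_runtime_measurements.
# The template hashes are fabricated for this example (SHA-1 of a label), they
# are not measurements from a real machine. Field order per line:
#   PCR  template-hash(SHA-1 hex)  template-name  file-hash  path
def _fake_template_hash(label):
    return hashlib.sha1(label.encode()).hexdigest()

SAMPLE_LIST = "\n".join([
    f"10 {_fake_template_hash('boot_aggregate')} ima-ng sha256:{'11' * 32} boot_aggregate",
    # Violation entry: IMA stores an all-zero template hash in the list but
    # extends the PCR with 0xff bytes so the violation is still reflected.
    f"10 {'00' * 20} ima-ng sha256:{'00' * 32} /tmp/open-writers-violation",
    f"10 {_fake_template_hash('/usr/bin/ls')} ima-ng sha256:{'22' * 32} /usr/bin/ls",
])

PCR_ZERO = bytes(20)            # reset value of a SHA-1 PCR
VIOLATION_EXTEND = b"\xff" * 20  # what IMA extends for a violation entry


def sha1_extend(pcr, digest):
    """PCR extend: new = SHA-1(old || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def parse_ascii_measurements(text):
    """Parse the ASCII measurement list into dicts, one per entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pcr, template_hash, template_name, file_hash, path = line.split(maxsplit=4)
        entries.append({
            "pcr": int(pcr),
            "template_hash": bytes.fromhex(template_hash),
            "template": template_name,
            "file_hash": file_hash,
            "path": path,
        })
    return entries


def _extend_value(entry):
    # All-zero template hash marks a violation; the PCR got 0xff bytes instead.
    if entry["template_hash"] == PCR_ZERO:
        return VIOLATION_EXTEND
    return entry["template_hash"]


def replay_pcr(entries, pcr_index=10):
    """Recompute the PCR value implied by the measurement list."""
    pcr = PCR_ZERO
    for entry in entries:
        if entry["pcr"] == pcr_index:
            pcr = sha1_extend(pcr, _extend_value(entry))
    return pcr


def verify_measurement_list(text, tpm_pcr_hex, pcr_index=10):
    """True if the list explains the PCR value the TPM reports."""
    expected = replay_pcr(parse_ascii_measurements(text), pcr_index)
    return expected == bytes.fromhex(tpm_pcr_hex)


class SimulatedTpm:
    """Constructed stand-in for the physical TPM: one SHA-1 PCR."""
    def __init__(self):
        self.pcr = {10: PCR_ZERO}

    def extend(self, index, digest):
        self.pcr[index] = sha1_extend(self.pcr[index], digest)

    def read_hex(self, index):
        return self.pcr[index].hex()


def simulate_boot(entries, tpm_ready_after=0):
    """Feed the entries into a simulated TPM. Entries with index below
    tpm_ready_after were measured before the TPM driver was available:
    they stay in the list but are never extended (IMA's bypass mode)."""
    tpm = SimulatedTpm()
    for i, entry in enumerate(entries):
        if i >= tpm_ready_after:
            tpm.extend(entry["pcr"], _extend_value(entry))
    return tpm


if __name__ == "__main__":
    entries = parse_ascii_measurements(SAMPLE_LIST)
    ready = simulate_boot(entries)
    bypassed = simulate_boot(entries, tpm_ready_after=2)
    print("TPM ready before IMA, list verifies:",
          verify_measurement_list(SAMPLE_LIST, ready.read_hex(10)))
    print("IMA in TPM bypass mode, list verifies:",
          verify_measurement_list(SAMPLE_LIST, bypassed.read_hex(10)))
```

On a real system the second argument to verify_measurement_list would come from the TPM's PCR 10 reading; a mismatch with the list replay is the symptom the commit message describes, and the violation rule is the one edge case a naive replay gets wrong.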
diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig
index 44309e12d84a..a555adb23591 100644
--- a/arch/powerpc/configs/skiroot_defconfig
+++ b/arch/powerpc/configs/skiroot_defconfig
@@ -216,7 +216,7 @@ CONFIG_I2C=y
CONFIG_I2C_CHARDEV=y
# CONFIG_I2C_HELPER_AUTO is not set
CONFIG_I2C_ALGOBIT=y
-CONFIG_I2C_OPAL=m
+CONFIG_I2C_OPAL=y
CONFIG_PPS=y
CONFIG_SENSORS_IBMPOWERNV=m
CONFIG_DRM=m
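Review bot: the hunk only flips CONFIG_I2C_OPAL from =m to =y, but the message attributes the IMA bypass to a delay in TPM initialization, and nothing in the hunk shows that the TPM driver reached over this I2C bus is itself builtin; if that driver is still a module, the same ordering problem (measurements queued before the TPM is usable) can recur. Suggest stating in the message that the TPM driver is already =y in skiroot_defconfig, or changing it in the same patch. It would also help to record how the fix was validated, for instance that the ima-evm-utils PCR walk the message mentions now matches PCR 10 on a skiroot boot, so a regression of this bypass is caught again.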