* Re: [PATCH] linux: configure CONFIG_I2C_OPAL as in-built.
       [not found] ` <8dc1ad002dcdc02122725dcc3ba27e1fd8c78b78.camel@linux.ibm.com>
@ 2020-09-29  6:14   ` Joel Stanley
  2020-09-29 12:19     ` Mimi Zohar
  2020-09-29 13:17     ` Nayna
  0 siblings, 2 replies; 3+ messages in thread
From: Joel Stanley @ 2020-09-29  6:14 UTC (permalink / raw)
  To: Mimi Zohar, linuxppc-dev; +Cc: openpower-firmware, Nayna Jain, klaus

On Fri, 25 Sep 2020 at 18:19, Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> Hi Nayna,
>
> On Wed, 2020-09-23 at 14:25 -0400, Nayna Jain wrote:
> > Currently, skiroot_defconfig CONFIG_I2C_OPAL is built as a loadable
> > module rather than builtin, even if CONFIG_I2C=y is defined. This
> > results in a delay in the TPM initialization, causing IMA to go into
> > TPM bypass mode. As a result, the IMA measurements are added to the
> > measurement list, but do not extend the TPM. Because of this, it is
> > impossible to verify or attest to the system's integrity, either from
> > skiroot or the target Host OS.
>
> The patch description is good, but perhaps we could provide a bit more
> context before.
>
> The concept of trusted boot requires the measurement to be added to the
> measurement list and extend the TPM, prior to allowing access to the
> file. By allowing access to a file before its measurement is included
> in the measurement list and extended into the TPM PCR, a malicious file
> could potentially prevent its own measurement from being added. As the
> PCRs are tamper proof, measuring and extending the TPM prior to giving
> access to the file, guarantees that all file measurements are included
> in the measurement list, including the malicious file.
>
> IMA needs to be enabled before any files are accessed in order to
> verify a file's integrity and extend the TPM with the file
> measurement.  Queueing file measurements breaks the measure and extend,
> before usage, trusted boot paradigm.
>
> The ima-evm-utils package includes a test for walking the IMA
> measurement list, calculating the expected TPM PCRs, and comparing the
> calculated PCR values with the physical TPM.  Testing is important to
> ensure the TPM is initialized prior to IMA.  Failure to validate the
> IMA measurement list may indicate IMA went into TPM bypass mode, like
> in this case.

Thanks for the explanation Mimi. It's lucky that the TPM drivers can
be loaded early enough!

Should we add something like this to security/integrity/ima/Kconfig?

select I2C_OPAL if PPC_POWERNV

It's generally frowned upon to select user visible symbols, but IMA
does this for the TCG options already.

Cheers,

Joel

>
> thanks,
>
> Mimi
>
> >
> > Reported-by: Mimi Zohar <zohar@linux.ibm.com>
> > Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
> > ---
> >  openpower/configs/linux/skiroot_defconfig | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/openpower/configs/linux/skiroot_defconfig b/openpower/configs/linux/skiroot_defconfig
> > index 44309e12..a555adb2 100644
> > --- a/openpower/configs/linux/skiroot_defconfig
> > +++ b/openpower/configs/linux/skiroot_defconfig
> > @@ -216,7 +216,7 @@ CONFIG_I2C=y
> >  CONFIG_I2C_CHARDEV=y
> >  # CONFIG_I2C_HELPER_AUTO is not set
> >  CONFIG_I2C_ALGOBIT=y
> > -CONFIG_I2C_OPAL=m
> > +CONFIG_I2C_OPAL=y
> >  CONFIG_PPS=y
> >  CONFIG_SENSORS_IBMPOWERNV=m
> >  CONFIG_DRM=m
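Review bot: The change to `CONFIG_I2C_OPAL=y` is the only line touched, and the hunk does not show whether the TPM driver that sits on this I2C bus is itself built-in, so the ordering fix described in the commit message cannot be confirmed from the diff alone. Suggest naming in the commit message the TPM driver options that are already `=y` in skiroot_defconfig. Since nothing here prevents a later defconfig refresh from putting the option back to `=m`, a boot-time check such as the ima-evm-utils measurement-list test mentioned in this thread would catch a return to TPM bypass mode.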
>
>


* Re: [PATCH] linux: configure CONFIG_I2C_OPAL as in-built.
  2020-09-29  6:14   ` [PATCH] linux: configure CONFIG_I2C_OPAL as in-built Joel Stanley
@ 2020-09-29 12:19     ` Mimi Zohar
  2020-09-29 13:17     ` Nayna
  1 sibling, 0 replies; 3+ messages in thread
From: Mimi Zohar @ 2020-09-29 12:19 UTC (permalink / raw)
  To: Joel Stanley, linuxppc-dev; +Cc: openpower-firmware, Nayna Jain, klaus

Hi Joel,

On Tue, 2020-09-29 at 06:14 +0000, Joel Stanley wrote:
> On Fri, 25 Sep 2020 at 18:19, Mimi Zohar <zohar@linux.ibm.com> wrote:
> >
> > Hi Nayna,
> >
> > On Wed, 2020-09-23 at 14:25 -0400, Nayna Jain wrote:
> > > Currently, skiroot_defconfig CONFIG_I2C_OPAL is built as a loadable
> > > module rather than builtin, even if CONFIG_I2C=y is defined. This
> > > results in a delay in the TPM initialization, causing IMA to go into
> > > TPM bypass mode. As a result, the IMA measurements are added to the
> > > measurement list, but do not extend the TPM. Because of this, it is
> > > impossible to verify or attest to the system's integrity, either from
> > > skiroot or the target Host OS.
> >
> > The patch description is good, but perhaps we could provide a bit more
> > context before.
> >
> > The concept of trusted boot requires the measurement to be added to the
> > measurement list and extend the TPM, prior to allowing access to the
> > file. By allowing access to a file before its measurement is included
> > in the measurement list and extended into the TPM PCR, a malicious file
> > could potentially prevent its own measurement from being added. As the
> > PCRs are tamper proof, measuring and extending the TPM prior to giving
> > access to the file, guarantees that all file measurements are included
> > in the measurement list, including the malicious file.
> >
> > IMA needs to be enabled before any files are accessed in order to
> > verify a file's integrity and extend the TPM with the file
> > measurement.  Queueing file measurements breaks the measure and extend,
> > before usage, trusted boot paradigm.
> >
> > The ima-evm-utils package includes a test for walking the IMA
> > measurement list, calculating the expected TPM PCRs, and comparing the
> > calculated PCR values with the physical TPM.  Testing is important to
> > ensure the TPM is initialized prior to IMA.  Failure to validate the
> > IMA measurement list may indicate IMA went into TPM bypass mode, like
> > in this case.
> 
> Thanks for the explanation Mimi. It's lucky that the TPM drivers can
> be loaded early enough!
> 
> Should we add something like this to security/integrity/ima/Kconfig?
> 
> select I2C_OPAL if PPC_POWERNV
> 
> It's generally frowned upon to select user visible symbols, but IMA
> does this for the TCG options already.

The other examples enable the TPM.  I2C_OPAL is dependent on I2C being
builtin.  I'm not sure if this select is complete, nor if this is where
it belongs.

Mimi
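
The check described in the quoted explanation above (walk the IMA measurement list, calculate the expected PCR, compare it with the TPM) can be sketched as follows. This is an added example, not code from ima-evm-utils or from anyone in this thread; it assumes the SHA-1 bank, PCR 10 and the ASCII list layout `PCR template-hash template-name ...`, and the function names and sample entries are constructed for illustration.

```python
import hashlib

ZERO = bytes(20)       # SHA-1 PCR reset value; also the template hash of a violation entry
ONES = b"\xff" * 20    # value extended into the TPM in place of a violation's zero hash

def parse_list(text):
    """Return (pcr_index, template_hash) pairs from ASCII measurement-list lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:               # PCR, template hash, template name, ...
            entries.append((int(fields[0]), bytes.fromhex(fields[1])))
    return entries

def replay_pcr(entries, pcr_index=10):
    """Recompute the PCR: new = SHA1(old || template_hash) for each entry in order."""
    pcr = ZERO
    for index, digest in entries:
        if index == pcr_index:
            pcr = hashlib.sha1(pcr + (ONES if digest == ZERO else digest)).digest()
    return pcr

def check(text, tpm_pcr_hex, pcr_index=10):
    """Compare the replayed value with the PCR value read from the TPM."""
    entries = parse_list(text)
    actual = bytes.fromhex(tpm_pcr_hex)
    if actual == replay_pcr(entries, pcr_index):
        return "match"
    # Assumption: a PCR still at reset while the list has entries means the
    # measurements were never extended, which is what TPM bypass mode produces.
    if actual == ZERO and any(i == pcr_index for i, _ in entries):
        return "bypass-suspected"
    return "mismatch"

def _line(name):
    """Build one constructed sample entry (not real measurement data)."""
    th = hashlib.sha1(name.encode()).hexdigest()
    fh = hashlib.sha256(name.encode()).hexdigest()
    return f"10 {th} ima-ng sha256:{fh} {name}"

SAMPLE_LIST = "\n".join([
    _line("boot_aggregate"), _line("/init"),
    f"10 {'00' * 20} ima-ng sha256:{'00' * 32} /tmp/violation",  # violation entry
])

if __name__ == "__main__":
    good = replay_pcr(parse_list(SAMPLE_LIST)).hex()
    print(check(SAMPLE_LIST, good), check(SAMPLE_LIST, "00" * 20))
```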



* Re: [PATCH] linux: configure CONFIG_I2C_OPAL as in-built.
  2020-09-29  6:14   ` [PATCH] linux: configure CONFIG_I2C_OPAL as in-built Joel Stanley
  2020-09-29 12:19     ` Mimi Zohar
@ 2020-09-29 13:17     ` Nayna
  1 sibling, 0 replies; 3+ messages in thread
From: Nayna @ 2020-09-29 13:17 UTC (permalink / raw)
  To: Joel Stanley, linuxppc-dev
  Cc: openpower-firmware, Nayna Jain, klaus, Mimi Zohar


On 9/29/20 2:14 AM, Joel Stanley wrote:
> On Fri, 25 Sep 2020 at 18:19, Mimi Zohar <zohar@linux.ibm.com> wrote:
>> Hi Nayna,
>>
>> On Wed, 2020-09-23 at 14:25 -0400, Nayna Jain wrote:
>>> Currently, skiroot_defconfig CONFIG_I2C_OPAL is built as a loadable
>>> module rather than builtin, even if CONFIG_I2C=y is defined. This
>>> results in a delay in the TPM initialization, causing IMA to go into
>>> TPM bypass mode. As a result, the IMA measurements are added to the
>>> measurement list, but do not extend the TPM. Because of this, it is
>>> impossible to verify or attest to the system's integrity, either from
>>> skiroot or the target Host OS.
>> The patch description is good, but perhaps we could provide a bit more
>> context before.
>>
>> The concept of trusted boot requires the measurement to be added to the
>> measurement list and extend the TPM, prior to allowing access to the
>> file. By allowing access to a file before its measurement is included
>> in the measurement list and extended into the TPM PCR, a malicious file
>> could potentially prevent its own measurement from being added. As the
>> PCRs are tamper proof, measuring and extending the TPM prior to giving
>> access to the file, guarantees that all file measurements are included
>> in the measurement list, including the malicious file.
>>
>> IMA needs to be enabled before any files are accessed in order to
>> verify a file's integrity and extend the TPM with the file
>> measurement.  Queueing file measurements breaks the measure and extend,
>> before usage, trusted boot paradigm.
>>
>> The ima-evm-utils package includes a test for walking the IMA
>> measurement list, calculating the expected TPM PCRs, and comparing the
>> calculated PCR values with the physical TPM.  Testing is important to
>> ensure the TPM is initialized prior to IMA.  Failure to validate the
>> IMA measurement list may indicate IMA went into TPM bypass mode, like
>> in this case.
> Thanks for the explanation Mimi. It's lucky that the TPM drivers can
> be loaded early enough!
>
> Should we add something like this to security/integrity/ima/Kconfig?
>
> select I2C_OPAL if PPC_POWERNV
>
> It's generally frowned upon to select user visible symbols, but IMA
> does this for the TCG options already.


I think yes, but in drivers/i2c/Kconfig and not in IMA Kconfig.

IMA is dependent on TPM, and it is specified in IMA Kconfig.

The TPM NUVOTON driver has its dependency on I2C, which is taken care of in
drivers/char/tpm/Kconfig.

It is the I2C driver which is dependent on I2C_OPAL for its functioning on
POWERNV Systems.

Thanks & Regards,

    - Nayna


