Hello,
I'm using the kernel 6.1.80-ti-arm64-r50 provided by the Debian Bullseye image for the beaglebone-ai-64 (the same happens with a Yocto/Buildroot based image).
uname -a
Linux BeagleBone 6.1.80-ti-arm64-r50 #1bullseye SMP PREEMPT_DYNAMIC Fri May 24 19:44:30 UTC 2024 aarch64 GNU/Linux
But I noticed that the i2c bus is probed after the IMA/EVM infra.
What if a TPM is connected by i2c bus?
[ 1.306865] ima: No TPM chip found, activating TPM-bypass!
...
[ 1.370601] ti-sci 44083000.system-controller: ABI: 3.1 (firmware rev 0x0015 '21.5.0--v2021.05 (Terrific Llam')
[ 1.428399] omap_i2c 42120000.i2c: bus 0 rev0.12 at 400 kHz
[ 1.434666] omap_i2c 2000000.i2c: bus 4 rev0.12 at 400 kHz
[ 1.440738] omap_i2c 2010000.i2c: bus 5 rev0.12 at 400 kHz
[ 1.446798] omap_i2c 2020000.i2c: bus 2 rev0.12 at 100 kHz
[ 1.452907] omap_i2c 2030000.i2c: bus 6 rev0.12 at 400 kHz
[ 1.458983] omap_i2c 2040000.i2c: bus 3 rev0.12 at 100 kHz
[ 1.465082] omap_i2c 2050000.i2c: bus 7 rev0.12 at 400 kHz
[ 1.471146] omap_i2c 2060000.i2c: bus 1 rev0.12 at 100 kHz
I'm not sure this issue is really specific to the board; there was a similar issue on the rpi board.
github.com/.../tpm-ima-patch
Update: After digging into this problem, I made two changes to the ima/evm drivers to replace late_initcall() by late_initcall_sync().
Tested on a vanilla 6.6.33 kernel.
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index ff9a939dad8e..339f6e8d7e56 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -960,4 +960,4 @@ static int __init init_evm(void)
return error;
}
-late_initcall(init_evm);
+late_initcall_sync(init_evm); /* Start EVM after the IMA */
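Review bot: the new comment on the `+late_initcall_sync(init_evm); /* Start EVM after the IMA */` line claims an ordering that the level change alone does not provide: init_evm and init_ima are now both at late_initcall_sync level, and initcalls within one level run in link order, so EVM-after-IMA depends only on the evm object being linked after the ima object. Either say so in the comment (e.g. `/* same level as init_ima; EVM runs after IMA only by link order */`) or have init_evm check for the state it needs rather than rely on placement.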
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index cc1217ac2c6f..1e9417ffdf08 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -1120,4 +1120,4 @@ static int __init init_ima(void)
return error;
}
-late_initcall(init_ima); /* Start IMA after the TPM is available */
+late_initcall_sync(init_ima); /* Start IMA after the TPM is available */
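Review bot: the comment carried over on the `+late_initcall_sync(init_ima); /* Start IMA after the TPM is available */` line should explain why _sync is needed, since the dmesg in this post shows the same comment was already false at late_initcall level (ima reported TPM-bypass at 1.306865 before any omap_i2c bus probed). Suggest `/* late_initcall_sync: an I2C TPM may only probe late in boot, after the plain late_initcall level */`. Also worth documenting that this does not cover a TPM driver built as a module: all initcalls, including this one, run before any module is loaded, so IMA would still fall into TPM-bypass in that configuration.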
Now, the IMA/EVM stack is initialized *after* the TPM device.
[ 0.285986] omap_i2c 42120000.i2c: bus 0 rev0.12 at 400 kHz
[ 0.286706] omap_i2c 2000000.i2c: bus 4 rev0.12 at 400 kHz
[ 0.287382] omap_i2c 2010000.i2c: bus 5 rev0.12 at 400 kHz
[ 0.331503] tpm_tis_i2c 2-002e: 2.0 TPM (device-id 0x1C, rev-id 22)
[ 0.677185] omap_i2c 2020000.i2c: bus 2 rev0.12 at 100 kHz
[ 0.677904] omap_i2c 2030000.i2c: bus 6 rev0.12 at 400 kHz
[ 0.678557] omap_i2c 2040000.i2c: bus 3 rev0.12 at 100 kHz
[ 0.679167] omap_i2c 2050000.i2c: bus 7 rev0.12 at 400 kHz
[ 0.679792] omap_i2c 2060000.i2c: bus 1 rev0.12 at 100 kHz
[ 3.062788] ima: Allocated hash algorithm: sha256
[ 3.318975] ima: No architecture policies found
[ 3.323536] evm: Initialising EVM extended attributes:
[ 3.328662] evm: security.selinux (disabled)
[ 3.332919] evm: security.SMACK64 (disabled)
[ 3.337177] evm: security.SMACK64EXEC (disabled)
[ 3.341781] evm: security.SMACK64TRANSMUTE (disabled)
[ 3.346819] evm: security.SMACK64MMAP (disabled)
[ 3.351422] evm: security.apparmor (disabled)
[ 3.355764] evm: security.ima
[ 3.358721] evm: security.capability
[ 3.362285] evm: HMAC attrs: 0x1
Thoughts?
Best regards,
Romain
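A small boot-log check for the ordering problem described in this thread, added here as an example and not code from the post or from the kernel. It parses timestamped dmesg lines, records when the first tpm_tis* device probed and when IMA first logged, and flags the "activating TPM-bypass!" message. The two sample logs are the ones quoted above (trimmed); the message prefixes it matches on (`tpm_tis`, `ima: `) are assumptions about the drivers in use and are constructed for this example.

```python
import re

# One timestamped dmesg line, e.g. "[ 1.306865] ima: No TPM chip found, ..."
_LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s*(?P<msg>.*)$")
_BYPASS_MSG = "No TPM chip found, activating TPM-bypass!"
# Assumed driver prefixes: tpm_tis, tpm_tis_i2c, tpm_tis_spi all start with this.
_TPM_PREFIX = "tpm_tis"

# Sample logs copied (trimmed) from the thread above: before and after the patch.
BEFORE_LOG = """\
[ 1.306865] ima: No TPM chip found, activating TPM-bypass!
[ 1.428399] omap_i2c 42120000.i2c: bus 0 rev0.12 at 400 kHz
[ 1.434666] omap_i2c 2000000.i2c: bus 4 rev0.12 at 400 kHz
"""

AFTER_LOG = """\
[ 0.285986] omap_i2c 42120000.i2c: bus 0 rev0.12 at 400 kHz
[ 0.331503] tpm_tis_i2c 2-002e: 2.0 TPM (device-id 0x1C, rev-id 22)
[ 3.062788] ima: Allocated hash algorithm: sha256
[ 3.318975] ima: No architecture policies found
[ 3.362285] evm: HMAC attrs: 0x1
"""


def parse_dmesg(text):
    """Yield (timestamp, message) for every line carrying a dmesg timestamp."""
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m:
            yield float(m.group("ts")), m.group("msg")


def check_ima_tpm_order(text):
    """Return a dict describing whether IMA initialised with a TPM present.

    ok is True only when no TPM-bypass was logged and a tpm_tis* probe message
    precedes the first IMA message in time.
    """
    tpm_ts = None
    ima_ts = None
    bypass = False
    for ts, msg in parse_dmesg(text):
        if tpm_ts is None and msg.startswith(_TPM_PREFIX):
            tpm_ts = ts
        if msg.startswith("ima: "):
            if ima_ts is None:
                ima_ts = ts
            if _BYPASS_MSG in msg:
                bypass = True
    ok = (not bypass and tpm_ts is not None and ima_ts is not None
          and tpm_ts < ima_ts)
    return {"tpm_probe_ts": tpm_ts, "ima_init_ts": ima_ts,
            "tpm_bypass": bypass, "ok": ok}


def describe(result):
    """Human-readable verdict for the dict returned by check_ima_tpm_order."""
    if result["tpm_bypass"]:
        return "IMA fell back to TPM-bypass: measurements are not anchored in a TPM"
    if result["tpm_probe_ts"] is None:
        return "no tpm_tis probe message found"
    if result["ok"]:
        return ("TPM probed at %.6f before IMA init at %.6f"
                % (result["tpm_probe_ts"], result["ima_init_ts"]))
    return "TPM probed after IMA started"


if __name__ == "__main__":
    for name, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        print(name, "->", describe(check_ima_tpm_order(log)))
```

On a live board the same check can be run over `dmesg` output; the "before" log gives `ok == False` with the bypass flagged, the patched log gives `ok == True`.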