IMA & TPM load order broken, resulting in no hardware root of trust for Integrity Measurement Architecture #3291
Comments
This doesn't sound like a Raspberry Pi-specific problem. We haven't done any work in the area of TPM or IMA, so this is pure upstream code. If the system is relying on a specific driver load order without any attempt to guarantee it then failure is likely under some circumstances. |
I am yet to find out and trying to read through the code. I will see if I can get others who know the code better to comment.
I believe so, in that the right load order occurs (it's a widely used feature in Linux distributions). Sorry I can't be of much value explaining how this happens, will again try and get someone who knows this area to comment while I get up to speed myself.
This is from Mimi, the IMA maintainer in the Linux kernel (the conversation is based on getting IMA working on a Pi)
Last she states:
The conversation then concludes with:
|
To add, the above quotes are from this thread: https://www.spinics.net/lists/linux-integrity/msg00051.html |
The reason is that with On other platforms the SPI clocks are usually initialized early not depending on a firmware file (like before Besides the thread linked by Luke, there is another thread on the same issue: We (Infineon) get the inquiry of enabling IMA on RPI quite often, as people love the rpi as a great kit for dipping into the world of (embedded) trusted computing. |
That's what I suspected - it works in most situations. but it sounds a bit fragile. There should be a hard dependency between IMA and TPM (for configurations where there is a TPM, obviously). |
It's not a Raspberry Pi specific issue. It seems that the behavior is depending on the platforms and configurations. I didn't test in bcmxxxx but I work on Xilinx Zynq and ZynqMP. On Zynq (Cortex A9-MP) all works as expected with linux-stable 4.14.x and 4.19.x. The loading sequence is ok when drivers for ccf, spi and tpm are statically linked. |
I'm watching this thread with interest, but at the moment I don't think it's a problem we can solve in anything but a hacky, makeshift way. |
I've been watching. Cannot help much but wanted to express the importance to us... |
Hmm, the order of tpm first, then ima seems correct. However the clock driver is called before its dependency of the firmware. By reversing the order of clk-bcm2835 and firmware, Markku was able to get it working
|
I'm glad you found that. I was about to post the same thing. I had to use the exact same hack, and it was hell finding it for me. I was also thinking that the Raspberry folks need to address, but in the meantime, we have this messy fix of playing with init calls. FYI, I tested this on an aarch64 Ubuntu server installation for RPi 4, and I can confirm it works there too, but there's no reason it shouldn't. |
I was just about to post how it did not work for me, perhaps I need to double check. Do you mind sharing your .config and what version of kernel you built against (master perhaps)? |
I'm open to a change like this (although it feels like a sticking plaster where something more fundamental is needed) provided it a) solves the problem, b) doesn't break anything else, and c) is acceptable upstream. |
Scrap my previous comment, it works:
|
That's great! I guess there's no need to post my config then? The only other thing I may have done differently is make sure the SPI and TPM drivers were directly built into the kernel as opposed to being loaded as a module. On an unrelated note, does anyone out there know how to restrict the IMA policy to a point where PCR 10 has the same hash value upon subsequent reboots? That would be extremely useful. |
These were my steps: https://gist.github.com/lukehinds/18785b3e1f625dba49c8bcac57cbe6c7
To my knowledge, boot a completely unchanged system (which I don't think is even possible). |
Since a few of you seem happy editing kernel source code, can you put together a Pull Request with the necessary change? It will act as a focal point for the discussion of whether or not it is acceptable. |
On its way. |
Awaiting comment on #3297 |
The IMA (Integrity Measurement Architecture) looks for a TPM (Trusted Platform Module) having been registered when it initialises; otherwise it assumes there is no TPM. It has been observed on BCM2835 that IMA is initialised before TPM, and that initialising the BCM2835 clock driver before the firmware driver has the effect of reversing this order. Change the firmware driver to initialise at core_initcall, delaying the BCM2835 clock driver to postcore_initcall.
See: #3291 #3297
Signed-off-by: Luke Hinds <lhinds@redhat.com>
Co-authored-by: Phil Elwell <phil@raspberrypi.org>
so that special/critical clocks can get enabled early on in the boot process avoiding the risk of disabling a clock, pll_divider or pll when a claiming driver fails to install properly - maybe it needs to defer.
Signed-off-by: Martin Sperl <kernel@martin.sperl.org>

clk: clk-bcm2835: Use %zd when printing size_t

The debug text for how many clocks have been registered uses "%d" with a size_t. Correct it to "%zd".
Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org>

Initialise rpi-firmware before clk-bcm2835

The IMA (Integrity Measurement Architecture) looks for a TPM (Trusted Platform Module) having been registered when it initialises; otherwise it assumes there is no TPM. It has been observed on BCM2835 that IMA is initialised before TPM, and that initialising the BCM2835 clock driver before the firmware driver has the effect of reversing this order. Change the firmware driver to initialise at core_initcall, delaying the BCM2835 clock driver to postcore_initcall.
See: #3291 #3297
Signed-off-by: Luke Hinds <lhinds@redhat.com>
Co-authored-by: Phil Elwell <phil@raspberrypi.org>

clk-bcm2835: use subsys_initcall for the clock driver when IMA is enabled

Co-authored-by: Davide Scovotto <scovottodavide@gmail.com>
Co-developed-by: Davide Scovotto <scovottodavide@gmail.com>
Signed-off-by: Davide Scovotto <scovottodavide@gmail.com>
Signed-off-by: Alberto Solavagione <albertosolavagione30@gmail.com>
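A check for the condition the commit messages above describe, IMA initialising with no TPM registered, written as an added example that is not code from this thread or from the kernel tree. It assumes two indicators: the kernel log line `ima: No TPM chip found, activating TPM-bypass!` and an all-zero `boot_aggregate` digest in the first measurement-list entry. The function names, return codes and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether IMA initialised with a TPM behind it, using a
# saved kernel log and a copy of the IMA measurement list.
# Return codes are this example's own convention:
#   0 = boot_aggregate is TPM-derived, 1 = IMA in TPM-bypass, 2 = undetermined

ima_tpm_status() {
    klog=$1    # saved output of `dmesg`
    mlist=$2   # copy of /sys/kernel/security/ima/ascii_runtime_measurements

    # Message IMA logs when no TPM chip is registered at the time it initialises.
    if [ -r "$klog" ] &&
       grep -q 'ima: No TPM chip found, activating TPM-bypass' "$klog"; then
        return 1
    fi

    [ -r "$mlist" ] || return 2

    # First entry: "<pcr> <template-hash> <template> [alg:]<digest> boot_aggregate".
    # The ring buffer may have wrapped and lost the message above, so the digest
    # is checked too: it stays all zeros when IMA had no TPM to read PCRs from.
    awk 'BEGIN { rc = 2 }
         NR == 1 {
             if ($NF == "boot_aggregate") {
                 digest = $4
                 sub(/^[a-z0-9]+:/, "", digest)      # drop a "sha1:" style prefix
                 if (digest != "") rc = (digest ~ /^0+$/) ? 1 : 0
             }
             exit
         }
         END { exit rc }' "$mlist"
}

describe() {
    case $1 in
        0) echo "TPM-backed" ;;
        1) echo "TPM-bypass (no hardware root of trust)" ;;
        *) echo "undetermined" ;;
    esac
}

# Writes constructed sample inputs into directory $1 (not captured from a device).
write_samples() {
    printf '%s\n' \
        '[    0.000000] Booting Linux on physical CPU 0x0' \
        '[    1.512345] ima: No TPM chip found, activating TPM-bypass!' \
        '[    1.512401] ima: Allocated hash algorithm: sha1' > "$1/bypass.log"
    printf '%s\n' \
        '[    1.204512] tpm_tis_spi spi0.1: 2.0 TPM (device-id 0x1B, rev-id 22)' \
        '[    1.498110] ima: Allocated hash algorithm: sha1' > "$1/tpm.log"
    # Ring buffer wrapped: no IMA lines left at all.
    printf '%s\n' \
        '[ 9021.330001] usb 1-1: new high-speed USB device number 4' > "$1/wrapped.log"
    printf '%s\n' \
        '10 a1b2c3d4e5f60718293a4b5c6d7e8f9012345678 ima-ng sha1:0000000000000000000000000000000000000000 boot_aggregate' \
        > "$1/bypass.list"
    printf '%s\n' \
        '10 a1b2c3d4e5f60718293a4b5c6d7e8f9012345678 ima-ng sha1:0f1e2d3c4b5a69788796a5b4c3d2e1f001122334 boot_aggregate' \
        > "$1/tpm.list"
}

# Stand-alone demo over the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for case_name in bypass tpm; do
    rc=0
    ima_tpm_status "$demo_dir/$case_name.log" "$demo_dir/$case_name.list" || rc=$?
    echo "$case_name boot: $(describe "$rc")"
done
rm -rf "$demo_dir"
```

On a live system the two inputs would be `dmesg` output saved to a file and a root-readable copy of `/sys/kernel/security/ima/ascii_runtime_measurements`.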
so that special/critical clocks can get enabled early on in the boot process avoiding the risk of disabling a clock, pll_divider or pll when a claiming driver fails to install propperly - maybe it needs to defer. Signed-off-by: Martin Sperl <kernel@martin.sperl.org> clk: clk-bcm2835: Use %zd when printing size_t The debug text for how many clocks have been registered uses "%d" with a size_t. Correct it to "%zd". Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org> Initialise rpi-firmware before clk-bcm2835 The IMA (Integrity Measurement Architecture) looks for a TPM (Trusted Platform Module) having been registered when it initialises; otherwise it assumes there is no TPM. It has been observed on BCM2835 that IMA is initialised before TPM, and that initialising the BCM2835 clock driver before the firmware driver has the effect of reversing this order. Change the firmware driver to initialise at core_initcall, delaying the BCM2835 clock driver to postcore_initcall. See: #3291 #3297 Signed-off-by: Luke Hinds <lhinds@redhat.com> Co-authored-by: Phil Elwell <phil@raspberrypi.org> clk-bcm2835: use subsys_initcall for the clock driver when IMA is enabled Co-authored-by: Davide Scovotto <scovottodavide@gmail.com> Co-developed-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Alberto Solavagione <albertosolavagione30@gmail.com>
so that special/critical clocks can get enabled early on in the boot process avoiding the risk of disabling a clock, pll_divider or pll when a claiming driver fails to install propperly - maybe it needs to defer. Signed-off-by: Martin Sperl <kernel@martin.sperl.org> clk: clk-bcm2835: Use %zd when printing size_t The debug text for how many clocks have been registered uses "%d" with a size_t. Correct it to "%zd". Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org> Initialise rpi-firmware before clk-bcm2835 The IMA (Integrity Measurement Architecture) looks for a TPM (Trusted Platform Module) having been registered when it initialises; otherwise it assumes there is no TPM. It has been observed on BCM2835 that IMA is initialised before TPM, and that initialising the BCM2835 clock driver before the firmware driver has the effect of reversing this order. Change the firmware driver to initialise at core_initcall, delaying the BCM2835 clock driver to postcore_initcall. See: #3291 #3297 Signed-off-by: Luke Hinds <lhinds@redhat.com> Co-authored-by: Phil Elwell <phil@raspberrypi.org> clk-bcm2835: use subsys_initcall for the clock driver when IMA is enabled Co-authored-by: Davide Scovotto <scovottodavide@gmail.com> Co-developed-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Alberto Solavagione <albertosolavagione30@gmail.com>
The IMA (Integrity Measurement Architecture) looks for a TPM (Trusted Platform Module) having been registered when it initialises; otherwise it assumes there is no TPM. It has been observed on BCM2835 that IMA is initialised before TPM, and that initialising the BCM2835 clock driver before the firmware driver has the effect of reversing this order. Change the firmware driver to initialise at core_initcall, delaying the BCM2835 clock driver to postcore_initcall. See: #3291 #3297 Signed-off-by: Luke Hinds <lhinds@redhat.com> Co-authored-by: Phil Elwell <phil@raspberrypi.org>
so that special/critical clocks can get enabled early on in the boot process avoiding the risk of disabling a clock, pll_divider or pll when a claiming driver fails to install propperly - maybe it needs to defer. Signed-off-by: Martin Sperl <kernel@martin.sperl.org> clk: clk-bcm2835: Use %zd when printing size_t The debug text for how many clocks have been registered uses "%d" with a size_t. Correct it to "%zd". Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org> Initialise rpi-firmware before clk-bcm2835 The IMA (Integrity Measurement Architecture) looks for a TPM (Trusted Platform Module) having been registered when it initialises; otherwise it assumes there is no TPM. It has been observed on BCM2835 that IMA is initialised before TPM, and that initialising the BCM2835 clock driver before the firmware driver has the effect of reversing this order. Change the firmware driver to initialise at core_initcall, delaying the BCM2835 clock driver to postcore_initcall. See: #3291 #3297 Signed-off-by: Luke Hinds <lhinds@redhat.com> Co-authored-by: Phil Elwell <phil@raspberrypi.org> clk-bcm2835: use subsys_initcall for the clock driver when IMA is enabled Co-authored-by: Davide Scovotto <scovottodavide@gmail.com> Co-developed-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Alberto Solavagione <albertosolavagione30@gmail.com>
so that special/critical clocks can get enabled early on in the boot process avoiding the risk of disabling a clock, pll_divider or pll when a claiming driver fails to install propperly - maybe it needs to defer. Signed-off-by: Martin Sperl <kernel@martin.sperl.org> clk: clk-bcm2835: Use %zd when printing size_t The debug text for how many clocks have been registered uses "%d" with a size_t. Correct it to "%zd". Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org> Initialise rpi-firmware before clk-bcm2835 The IMA (Integrity Measurement Architecture) looks for a TPM (Trusted Platform Module) having been registered when it initialises; otherwise it assumes there is no TPM. It has been observed on BCM2835 that IMA is initialised before TPM, and that initialising the BCM2835 clock driver before the firmware driver has the effect of reversing this order. Change the firmware driver to initialise at core_initcall, delaying the BCM2835 clock driver to postcore_initcall. See: #3291 #3297 Signed-off-by: Luke Hinds <lhinds@redhat.com> Co-authored-by: Phil Elwell <phil@raspberrypi.org> clk-bcm2835: use subsys_initcall for the clock driver when IMA is enabled Co-authored-by: Davide Scovotto <scovottodavide@gmail.com> Co-developed-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Alberto Solavagione <albertosolavagione30@gmail.com>
so that special/critical clocks can get enabled early on in the boot process avoiding the risk of disabling a clock, pll_divider or pll when a claiming driver fails to install propperly - maybe it needs to defer. Signed-off-by: Martin Sperl <kernel@martin.sperl.org> clk: clk-bcm2835: Use %zd when printing size_t The debug text for how many clocks have been registered uses "%d" with a size_t. Correct it to "%zd". Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org> Initialise rpi-firmware before clk-bcm2835 The IMA (Integrity Measurement Architecture) looks for a TPM (Trusted Platform Module) having been registered when it initialises; otherwise it assumes there is no TPM. It has been observed on BCM2835 that IMA is initialised before TPM, and that initialising the BCM2835 clock driver before the firmware driver has the effect of reversing this order. Change the firmware driver to initialise at core_initcall, delaying the BCM2835 clock driver to postcore_initcall. See: #3291 #3297 Signed-off-by: Luke Hinds <lhinds@redhat.com> Co-authored-by: Phil Elwell <phil@raspberrypi.org> clk-bcm2835: use subsys_initcall for the clock driver when IMA is enabled Co-authored-by: Davide Scovotto <scovottodavide@gmail.com> Co-developed-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Alberto Solavagione <albertosolavagione30@gmail.com>
so that special/critical clocks can get enabled early on in the boot process avoiding the risk of disabling a clock, pll_divider or pll when a claiming driver fails to install propperly - maybe it needs to defer. Signed-off-by: Martin Sperl <kernel@martin.sperl.org> clk: clk-bcm2835: Use %zd when printing size_t The debug text for how many clocks have been registered uses "%d" with a size_t. Correct it to "%zd". Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org> Initialise rpi-firmware before clk-bcm2835 The IMA (Integrity Measurement Architecture) looks for a TPM (Trusted Platform Module) having been registered when it initialises; otherwise it assumes there is no TPM. It has been observed on BCM2835 that IMA is initialised before TPM, and that initialising the BCM2835 clock driver before the firmware driver has the effect of reversing this order. Change the firmware driver to initialise at core_initcall, delaying the BCM2835 clock driver to postcore_initcall. See: #3291 #3297 Signed-off-by: Luke Hinds <lhinds@redhat.com> Co-authored-by: Phil Elwell <phil@raspberrypi.org> clk-bcm2835: use subsys_initcall for the clock driver when IMA is enabled Co-authored-by: Davide Scovotto <scovottodavide@gmail.com> Co-developed-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Alberto Solavagione <albertosolavagione30@gmail.com>
so that special/critical clocks can get enabled early on in the boot process avoiding the risk of disabling a clock, pll_divider or pll when a claiming driver fails to install propperly - maybe it needs to defer. Signed-off-by: Martin Sperl <kernel@martin.sperl.org> clk: clk-bcm2835: Use %zd when printing size_t The debug text for how many clocks have been registered uses "%d" with a size_t. Correct it to "%zd". Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org> Initialise rpi-firmware before clk-bcm2835 The IMA (Integrity Measurement Architecture) looks for a TPM (Trusted Platform Module) having been registered when it initialises; otherwise it assumes there is no TPM. It has been observed on BCM2835 that IMA is initialised before TPM, and that initialising the BCM2835 clock driver before the firmware driver has the effect of reversing this order. Change the firmware driver to initialise at core_initcall, delaying the BCM2835 clock driver to postcore_initcall. See: #3291 #3297 Signed-off-by: Luke Hinds <lhinds@redhat.com> Co-authored-by: Phil Elwell <phil@raspberrypi.org> clk-bcm2835: use subsys_initcall for the clock driver when IMA is enabled Co-authored-by: Davide Scovotto <scovottodavide@gmail.com> Co-developed-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Alberto Solavagione <albertosolavagione30@gmail.com>
so that special/critical clocks can get enabled early on in the boot process avoiding the risk of disabling a clock, pll_divider or pll when a claiming driver fails to install propperly - maybe it needs to defer. Signed-off-by: Martin Sperl <kernel@martin.sperl.org> clk: clk-bcm2835: Use %zd when printing size_t The debug text for how many clocks have been registered uses "%d" with a size_t. Correct it to "%zd". Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org> Initialise rpi-firmware before clk-bcm2835 The IMA (Integrity Measurement Architecture) looks for a TPM (Trusted Platform Module) having been registered when it initialises; otherwise it assumes there is no TPM. It has been observed on BCM2835 that IMA is initialised before TPM, and that initialising the BCM2835 clock driver before the firmware driver has the effect of reversing this order. Change the firmware driver to initialise at core_initcall, delaying the BCM2835 clock driver to postcore_initcall. See: #3291 #3297 Signed-off-by: Luke Hinds <lhinds@redhat.com> Co-authored-by: Phil Elwell <phil@raspberrypi.org> clk-bcm2835: use subsys_initcall for the clock driver when IMA is enabled Co-authored-by: Davide Scovotto <scovottodavide@gmail.com> Co-developed-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Alberto Solavagione <albertosolavagione30@gmail.com>
so that special/critical clocks can get enabled early on in the boot process avoiding the risk of disabling a clock, pll_divider or pll when a claiming driver fails to install propperly - maybe it needs to defer. Signed-off-by: Martin Sperl <kernel@martin.sperl.org> clk: clk-bcm2835: Use %zd when printing size_t The debug text for how many clocks have been registered uses "%d" with a size_t. Correct it to "%zd". Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org> Initialise rpi-firmware before clk-bcm2835 The IMA (Integrity Measurement Architecture) looks for a TPM (Trusted Platform Module) having been registered when it initialises; otherwise it assumes there is no TPM. It has been observed on BCM2835 that IMA is initialised before TPM, and that initialising the BCM2835 clock driver before the firmware driver has the effect of reversing this order. Change the firmware driver to initialise at core_initcall, delaying the BCM2835 clock driver to postcore_initcall. See: #3291 #3297 Signed-off-by: Luke Hinds <lhinds@redhat.com> Co-authored-by: Phil Elwell <phil@raspberrypi.org> clk-bcm2835: use subsys_initcall for the clock driver when IMA is enabled Co-authored-by: Davide Scovotto <scovottodavide@gmail.com> Co-developed-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Alberto Solavagione <albertosolavagione30@gmail.com>
so that special/critical clocks can get enabled early on in the boot process avoiding the risk of disabling a clock, pll_divider or pll when a claiming driver fails to install propperly - maybe it needs to defer. Signed-off-by: Martin Sperl <kernel@martin.sperl.org> clk: clk-bcm2835: Use %zd when printing size_t The debug text for how many clocks have been registered uses "%d" with a size_t. Correct it to "%zd". Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org> Initialise rpi-firmware before clk-bcm2835 The IMA (Integrity Measurement Architecture) looks for a TPM (Trusted Platform Module) having been registered when it initialises; otherwise it assumes there is no TPM. It has been observed on BCM2835 that IMA is initialised before TPM, and that initialising the BCM2835 clock driver before the firmware driver has the effect of reversing this order. Change the firmware driver to initialise at core_initcall, delaying the BCM2835 clock driver to postcore_initcall. See: #3291 #3297 Signed-off-by: Luke Hinds <lhinds@redhat.com> Co-authored-by: Phil Elwell <phil@raspberrypi.org> clk-bcm2835: use subsys_initcall for the clock driver when IMA is enabled Co-authored-by: Davide Scovotto <scovottodavide@gmail.com> Co-developed-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Alberto Solavagione <albertosolavagione30@gmail.com>
so that special/critical clocks can get enabled early on in the boot process avoiding the risk of disabling a clock, pll_divider or pll when a claiming driver fails to install propperly - maybe it needs to defer. Signed-off-by: Martin Sperl <kernel@martin.sperl.org> clk: clk-bcm2835: Use %zd when printing size_t The debug text for how many clocks have been registered uses "%d" with a size_t. Correct it to "%zd". Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org> Initialise rpi-firmware before clk-bcm2835 The IMA (Integrity Measurement Architecture) looks for a TPM (Trusted Platform Module) having been registered when it initialises; otherwise it assumes there is no TPM. It has been observed on BCM2835 that IMA is initialised before TPM, and that initialising the BCM2835 clock driver before the firmware driver has the effect of reversing this order. Change the firmware driver to initialise at core_initcall, delaying the BCM2835 clock driver to postcore_initcall. See: #3291 #3297 Signed-off-by: Luke Hinds <lhinds@redhat.com> Co-authored-by: Phil Elwell <phil@raspberrypi.org> clk-bcm2835: use subsys_initcall for the clock driver when IMA is enabled Co-authored-by: Davide Scovotto <scovottodavide@gmail.com> Co-developed-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Alberto Solavagione <albertosolavagione30@gmail.com>
The IMA (Integrity Measurement Architecture) looks for a TPM (Trusted Platform Module) having been registered when it initialises; otherwise it assumes there is no TPM. It has been observed on BCM2835 that IMA is initialised before TPM, and that initialising the BCM2835 clock driver before the firmware driver has the effect of reversing this order. Change the firmware driver to initialise at core_initcall, delaying the BCM2835 clock driver to postcore_initcall. See: raspberrypi/linux#3291 raspberrypi/linux#3297 Signed-off-by: Luke Hinds <lhinds@redhat.com> Co-authored-by: Phil Elwell <phil@raspberrypi.org>
so that special/critical clocks can get enabled early on in the boot process avoiding the risk of disabling a clock, pll_divider or pll when a claiming driver fails to install propperly - maybe it needs to defer. Signed-off-by: Martin Sperl <kernel@martin.sperl.org> clk: clk-bcm2835: Use %zd when printing size_t The debug text for how many clocks have been registered uses "%d" with a size_t. Correct it to "%zd". Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org> Initialise rpi-firmware before clk-bcm2835 The IMA (Integrity Measurement Architecture) looks for a TPM (Trusted Platform Module) having been registered when it initialises; otherwise it assumes there is no TPM. It has been observed on BCM2835 that IMA is initialised before TPM, and that initialising the BCM2835 clock driver before the firmware driver has the effect of reversing this order. Change the firmware driver to initialise at core_initcall, delaying the BCM2835 clock driver to postcore_initcall. See: raspberrypi/linux#3291 raspberrypi/linux#3297 Signed-off-by: Luke Hinds <lhinds@redhat.com> Co-authored-by: Phil Elwell <phil@raspberrypi.org> clk-bcm2835: use subsys_initcall for the clock driver when IMA is enabled Co-authored-by: Davide Scovotto <scovottodavide@gmail.com> Co-developed-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Alberto Solavagione <albertosolavagione30@gmail.com>
The IMA (Integrity Measurement Architecture) looks for a TPM (Trusted Platform Module) having been registered when it initialises; otherwise it assumes there is no TPM. It has been observed on BCM2835 that IMA is initialised before TPM, and that initialising the BCM2835 clock driver before the firmware driver has the effect of reversing this order. Change the firmware driver to initialise at core_initcall, delaying the BCM2835 clock driver to postcore_initcall. See: raspberrypi/linux#3291 raspberrypi/linux#3297 Signed-off-by: Luke Hinds <lhinds@redhat.com> Co-authored-by: Phil Elwell <phil@raspberrypi.org>
The IMA (Integrity Measurement Architecture) looks for a TPM (Trusted Platform Module) having been registered when it initialises; otherwise it assumes there is no TPM. It has been observed on BCM2835 that IMA is initialised before TPM, and that initialising the BCM2835 clock driver before the firmware driver has the effect of reversing this order. Change the firmware driver to initialise at core_initcall, delaying the BCM2835 clock driver to postcore_initcall. See: raspberrypi/linux#3291 raspberrypi/linux#3297 Signed-off-by: Luke Hinds <lhinds@redhat.com> Co-authored-by: Phil Elwell <phil@raspberrypi.org>
The IMA (Integrity Measurement Architecture) looks for a TPM (Trusted Platform Module) having been registered when it initialises; otherwise it assumes there is no TPM. It has been observed on BCM2835 that IMA is initialised before TPM, and that initialising the BCM2835 clock driver before the firmware driver has the effect of reversing this order. Change the firmware driver to initialise at core_initcall, delaying the BCM2835 clock driver to postcore_initcall. See: raspberrypi/linux#3291 raspberrypi/linux#3297 Signed-off-by: Luke Hinds <lhinds@redhat.com> Co-authored-by: Phil Elwell <phil@raspberrypi.org>
so that special/critical clocks can get enabled early on in the boot process avoiding the risk of disabling a clock, pll_divider or pll when a claiming driver fails to install propperly - maybe it needs to defer. Signed-off-by: Martin Sperl <kernel@martin.sperl.org> clk: clk-bcm2835: Use %zd when printing size_t The debug text for how many clocks have been registered uses "%d" with a size_t. Correct it to "%zd". Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org> Initialise rpi-firmware before clk-bcm2835 The IMA (Integrity Measurement Architecture) looks for a TPM (Trusted Platform Module) having been registered when it initialises; otherwise it assumes there is no TPM. It has been observed on BCM2835 that IMA is initialised before TPM, and that initialising the BCM2835 clock driver before the firmware driver has the effect of reversing this order. Change the firmware driver to initialise at core_initcall, delaying the BCM2835 clock driver to postcore_initcall. See: #3291 #3297 Signed-off-by: Luke Hinds <lhinds@redhat.com> Co-authored-by: Phil Elwell <phil@raspberrypi.org> clk-bcm2835: use subsys_initcall for the clock driver when IMA is enabled Co-authored-by: Davide Scovotto <scovottodavide@gmail.com> Co-developed-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Davide Scovotto <scovottodavide@gmail.com> Signed-off-by: Alberto Solavagione <albertosolavagione30@gmail.com>
Describe the bug
The load order of IMA and a TPM device is incorrect, which results in IMA not seeing the TPM and activating a TPM-bypass.
As the TPM is bypassed, IMA cannot benefit from the hardware root of trust that is possible with a Trusted Platform Module.
The TPM should initialize first, and then IMA.
This is a key security feature for protecting run time environments.
To reproduce
Place a TPM chip onto GPIO (I used the Infineon Optiga™ SLB 9670 from letstrust.de)
Compile the Kernel with the below configs set to enable IMA, securityfs and the TPM
Put a basic IMA-policy in place:
Reboot the Pi, and run
dmesg
After some investigation I found the following mailing list discussion on the IMA list
One of the IMA developers was able to initialize the TPM prior to IMA, by reverting commit acddd39
And disabling the self test
This was from 2017 so a fresh RCA might play out differently.
Expected behaviour
The TPM should load first, which will result in IMA finding the TPM and using it for cryptographic extend operations in PCR 10.
Actual behaviour
The load order is wrong.
System
Which model of Raspberry Pi?
Raspberry Pi 3 Model B+
Which OS and version (cat /etc/rpi-issue)?
(vcgencmd version)?
(uname -a)?
Additional context
I will continue to debug this, but truth be told I don't know the clock functionality in code very well, so if anyone thinks they can fix this, please do go ahead and if you want any tests run against a HW TPM, I am happy to help.
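A check for the condition this report describes, added here as an example and not part of the original issue or of the kernel's own code: it classifies a kernel log by whether IMA fell back to TPM-bypass, and tests whether the boot_aggregate entry in the IMA measurement list is all zeros, which is what IMA records when it had no TPM to read from. The function names, the sample log lines and the sample measurement entry are constructed for illustration, and matching on "tpm_tis" assumes a tpm_tis-family driver such as the SPI one used with the SLB 9670.

```shell
#!/bin/sh
# Constructed kernel log for the failure in this issue: IMA starts, finds no
# TPM, and the SPI TPM driver only registers the chip afterwards.
SAMPLE_DMESG_BYPASS='[    1.412345] ima: No TPM chip found, activating TPM-bypass!
[    1.412398] ima: Allocated hash algorithm: sha1
[    3.905117] tpm_tis_spi spi0.1: 2.0 TPM (device-id 0x1B, rev-id 16)'
# Constructed kernel log for the expected order: TPM first, then IMA.
SAMPLE_DMESG_OK='[    0.905117] tpm_tis_spi spi0.1: 2.0 TPM (device-id 0x1B, rev-id 16)
[    1.412398] ima: Allocated hash algorithm: sha1'
# Constructed first entry of ascii_runtime_measurements under TPM-bypass.
# Fields: PCR, template hash, template name, file digest, file name.
SAMPLE_AGG_BYPASS='10 1d8d532d463c9f8c205d0df7787669a85f93e260 ima-ng sha1:0000000000000000000000000000000000000000 boot_aggregate'

# Classify a kernel log on stdin: bypass | tpm-first | ima-first | no-ima.
# "ima-first" also covers a log with IMA lines and no TPM driver line at all.
ima_log_state() {
    awk '
        /ima: No TPM chip found, activating TPM-bypass/ { bypass = 1 }
        /ima: /   { if (!ima) ima = NR }
        /tpm_tis/ { if (!tpm) tpm = NR }
        END {
            if (bypass)                print "bypass"
            else if (!ima)             print "no-ima"
            else if (tpm && tpm < ima) print "tpm-first"
            else                       print "ima-first"
        }'
}

# Succeed (exit 0) when the boot_aggregate entry on stdin has an all-zero
# digest, i.e. the measurement list is not anchored in TPM PCR values.
boot_aggregate_is_zero() {
    awk '
        $NF == "boot_aggregate" {
            found = 1
            sub(/^.*:/, "", $4)          # drop the "sha1:" style prefix
            if ($4 ~ /^0+$/) zero = 1
        }
        END { exit !(found && zero) }'
}

# On a live system, as root:
#   dmesg | ima_log_state
#   head -n 1 /sys/kernel/security/ima/ascii_runtime_measurements | boot_aggregate_is_zero
```

A "bypass" result together with a zero boot_aggregate means the measurement list exists but nothing was extended into PCR 10, so it cannot be verified against the TPM.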