From: Jonathan McDowell <noodles@earth.li>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org, Romain Naour <romain.naour@smile.fr>
Subject: Re: IMA vs TPM (SPI) boot order problems
Date: Fri, 6 Feb 2026 19:45:10 +0000 [thread overview]
Message-ID: <aYZExjwPPLOLoWGk@earth.li> (raw)
In-Reply-To: <f8b3451a6ef619dd2934bc839618fabc9408967c.camel@linux.ibm.com>
On Fri, Feb 06, 2026 at 10:36:36AM -0500, Mimi Zohar wrote:
>On Fri, 2026-02-06 at 10:37 +0000, Jonathan McDowell wrote:
>> I'm seeing an issue with a SPI attached TPM, where it's not coming up
>> early enough for IMA to decide there's a TPM available that it can
>> measure into. The TPM is definitely present, and by the time we get to
>> userspace it's working fine.
>>
>> This is sort of resurrecting a post from 2024 by Romain, though that
>> concerned an i2c TPM:
>>
>> https://lore.kernel.org/all/9b98d912-ba78-402c-a5c8-154bef8794f7@smile.fr/
>>
>> There doesn't seem to have actually been a fixed applied, so I tried the
>> late_initcall_sync suggestion, but that didn't change things:
>>
>> [ 0.000000] ACPI: TPM2 0x0000004044BCA998 00004C (v04 ALASKA A M I 00000001 AMI 00000000)
>> [ 0.000000] GICv3: 960 SPIs implemented
>> [ 0.000000] GICv3: 320 Extended SPIs implemented
>> [ 0.000447] LSM: initializing lsm=capability,bpf,ima
>> [ 0.394832] Trying to unpack rootfs image as initramfs...
>> [ 0.681134] tegra-qspi NVDA1513:00: Adding to iommu group 1
>> [ 0.681241] tegra-qspi NVDA1513:00: device reset failed
>> [ 0.686925] tpm_tis_spi spi-PRP0001:01: 2.0 TPM (device-id 0x1B, rev-id 22)
>> [ 0.894451] ima: No TPM chip found, activating TPM-bypass!
>> [ 0.894462] ima: Allocated hash algorithm: sha256
>> [ 0.894471] ima: No architecture policies found
>>
>> This seems to show SPI + the TPM coming up before IMA, but still not in
>> a way that makes IMA happy.
>
>Here's an example with really well written patch descriptions, that was
>upstreamed:
>
>746d9e9f62a6 ("tpm: tpm_crb_ffa: try to probe tpm_crb_ffa when it's built-in")
>0e0546eabcd6 ("firmware: arm_ffa: Change initcall level of ffa_init() to
>rootfs_initcall")
Thanks Mimi, really useful pointers. I think the TPM/SPI chain is a
little bit more tricky (I guess I can just fix the path that works for
me, rather than *any* SPI bus driver), but I'll investigate.
J.
--
Shall I call the United Nations?
This .sig brought to you by the letter W and the number 30
Product of the Republic of HuggieTag
prev parent reply other threads:[~2026-02-06 19:45 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-06 10:37 IMA vs TPM (SPI) boot order problems Jonathan McDowell
2026-02-06 15:36 ` Mimi Zohar
2026-02-06 19:45 ` Jonathan McDowell [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aYZExjwPPLOLoWGk@earth.li \
--to=noodles@earth.li \
--cc=linux-integrity@vger.kernel.org \
--cc=romain.naour@smile.fr \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.