linux-security-module.vger.kernel.org archive mirror
From: Paul Menzel <pmenzel@molgen.mpg.de>
To: Romain Naour <romain.naour@smile.fr>
Cc: linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org, serge@hallyn.com,
	jmorris@namei.org, paul@paul-moore.com, eric.snowberg@oracle.com,
	dmitry.kasatkin@gmail.com, roberto.sassu@huawei.com,
	zohar@linux.ibm.com, Romain Naour <romain.naour@skf.com>
Subject: Re: [RFC] integrity: wait for completion of i2c initialization using late_initcall_sync()
Date: Mon, 1 Jul 2024 15:53:44 +0200	[thread overview]
Message-ID: <c090cd3c-f4c6-4923-a9fa-b54768ca2a26@molgen.mpg.de> (raw)
In-Reply-To: <20240701133814.641662-1-romain.naour@smile.fr>

Dear Romain,


Thank you for your patch.

On 01.07.24 at 15:38, Romain Naour wrote:
> From: Romain Naour <romain.naour@skf.com>
> 
> It has been reported that on some plateforms the ima and evm

platforms

> initialization were performed too early during the initcall initialization
> process and missed TPM chip detection [1] [2].
> 
> Indeed, ima may use a TPM chip but has to wait for the bus
> interface (spi or i2c) and TPM driver initialization.
> 
> [    0.166261] ima: No TPM chip found, activating TPM-bypass!
> ...
> [    0.166322] evm: Initialising EVM extended attributes:
> ...
> [    0.182571] ti-sci 44083000.system-controller: ABI: 3.1 (firmware rev 0x0009 '9.2.4--v09.02.04 (Kool Koala)')
> [    0.281540] omap_i2c 42120000.i2c: bus 0 rev0.12 at 400 kHz
> [    0.282314] omap_i2c 2000000.i2c: bus 4 rev0.12 at 400 kHz
> [    0.282972] omap_i2c 2010000.i2c: bus 5 rev0.12 at 400 kHz
> [    0.335177] tpm_tis_i2c 2-002e: 2.0 TPM (device-id 0x1C, rev-id 22)
> [    0.471596] omap_i2c 2020000.i2c: bus 2 rev0.12 at 100 kHz
> [    0.472310] omap_i2c 2030000.i2c: bus 6 rev0.12 at 400 kHz
> [    0.472951] omap_i2c 2040000.i2c: bus 3 rev0.12 at 100 kHz
> [    0.473596] omap_i2c 2050000.i2c: bus 7 rev0.12 at 400 kHz
> [    0.474274] omap_i2c 2060000.i2c: bus 1 rev0.12 at 100 kHz
> 
> The ima stack was expecting to start after the TPM device (hence the
> comment) using late_initcall() but fails to do so on such plateforms:

platforms

> 
>    late_initcall(init_ima);	/* Start IMA after the TPM is available */
> 
> Using the late_initcall_sync() variant allows it to really wait for i2c
> initialization to complete.
> 
> [    0.285986] omap_i2c 42120000.i2c: bus 0 rev0.12 at 400 kHz
> [    0.286706] omap_i2c 2000000.i2c: bus 4 rev0.12 at 400 kHz
> [    0.287382] omap_i2c 2010000.i2c: bus 5 rev0.12 at 400 kHz
> [    0.331503] tpm_tis_i2c 2-002e: 2.0 TPM (device-id 0x1C, rev-id 22)
> [    0.677185] omap_i2c 2020000.i2c: bus 2 rev0.12 at 100 kHz
> [    0.677904] omap_i2c 2030000.i2c: bus 6 rev0.12 at 400 kHz
> [    0.678557] omap_i2c 2040000.i2c: bus 3 rev0.12 at 100 kHz
> [    0.679167] omap_i2c 2050000.i2c: bus 7 rev0.12 at 400 kHz
> [    0.679792] omap_i2c 2060000.i2c: bus 1 rev0.12 at 100 kHz
> ...
> [    3.062788] ima: Allocated hash algorithm: sha256
> ...
> [    3.318975] ima: No architecture policies found
> [    3.323536] evm: Initialising EVM extended attributes:
> [    3.328662] evm: security.selinux (disabled)
> [    3.332919] evm: security.SMACK64 (disabled)
> [    3.337177] evm: security.SMACK64EXEC (disabled)
> [    3.341781] evm: security.SMACK64TRANSMUTE (disabled)
> [    3.346819] evm: security.SMACK64MMAP (disabled)
> [    3.351422] evm: security.apparmor (disabled)
> [    3.355764] evm: security.ima
> [    3.358721] evm: security.capability
> [    3.362285] evm: HMAC attrs: 0x1
> 
> [1] https://lore.kernel.org/linux-integrity/9b98d912-ba78-402c-a5c8-154bef8794f7@smile.fr/
> [2] https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1375425/tda4vm-ima-vs-tpm-builtin-driver-boot-order
> 
> Signed-off-by: Romain Naour <romain.naour@skf.com>

Should this get a Fixes: tag and be also applied to the stable series?

> ---
>   security/integrity/evm/evm_main.c | 2 +-
>   security/integrity/ima/ima_main.c | 2 +-
>   2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> index 62fe66dd53ce..316f8d140825 100644
> --- a/security/integrity/evm/evm_main.c
> +++ b/security/integrity/evm/evm_main.c
> @@ -1180,4 +1180,4 @@ DEFINE_LSM(evm) = {
>   	.blobs = &evm_blob_sizes,
>   };
>   
> -late_initcall(init_evm);
> +late_initcall_sync(init_evm);	/* Start EVM after IMA */
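
Review bot: the comment added on the new late_initcall_sync(init_evm) line, "Start EVM after IMA", claims an ordering that the macro by itself does not give: init_ima is moved to the very same late_initcall_sync level in the second hunk, so EVM running after IMA depends on link order within that level, not on the initcall level. Either say so in the comment or drop the claim. The commit message also only motivates the change for ima (waiting for the i2c bus and the TPM driver); one sentence on why init_evm has to move as well would help the reader.
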
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index f04f43af651c..0aa7cd9aabfa 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -1220,4 +1220,4 @@ DEFINE_LSM(ima) = {
>   	.blobs = &ima_blob_sizes,
>   };
>   
> -late_initcall(init_ima);	/* Start IMA after the TPM is available */
> +late_initcall_sync(init_ima);	/* Start IMA after the TPM is available */
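
Review bot: late_initcall_sync() only orders init_ima after the remaining late_initcall entries; it does not wait for drivers that probe asynchronously or are loaded as modules later, so a TPM that turns up after this point is still missed and IMA still activates TPM-bypass. The commit message should name the initcall this change is actually waiting for (the quoted logs show the omap_i2c adapters and the tpm_tis_i2c probe completing before init_ima) rather than "i2c initialization" in general, so that readers with a TPM on another bus can tell whether the same reasoning applies. The existing comment on this line could carry that limitation too, e.g. "/* Start IMA after the TPM is available (built-in TPM driver only) */".
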

Looks good to me.


Kind regards,

Paul

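A check a reader can run on their own board, added here as an example and not part of the patch or of the kernel tree: it reads a dmesg capture and reports whether IMA entered TPM-bypass before the TPM driver probed, which is the ordering the patch description shows. The sample lines are constructed from the logs quoted above; the pattern for the TPM probe line assumes the tpm_tis / tpm_tis_i2c / tpm_tis_spi message format "x.y TPM (device-id ...)".

```shell
#!/bin/sh
# Added example, not part of the patch or the kernel tree: given a dmesg
# capture, decide whether IMA fell back to TPM-bypass because init_ima ran
# before the TPM driver probed. Works on any dmesg text with "[ secs]" stamps.

# Constructed sample: the relevant lines from the "before" log quoted in the
# patch description.
SAMPLE_BEFORE='[    0.166261] ima: No TPM chip found, activating TPM-bypass!
[    0.166322] evm: Initialising EVM extended attributes:
[    0.281540] omap_i2c 42120000.i2c: bus 0 rev0.12 at 400 kHz
[    0.335177] tpm_tis_i2c 2-002e: 2.0 TPM (device-id 0x1C, rev-id 22)'

# Constructed sample: the "after" log, where IMA starts once the TPM is up.
SAMPLE_AFTER='[    0.331503] tpm_tis_i2c 2-002e: 2.0 TPM (device-id 0x1C, rev-id 22)
[    3.062788] ima: Allocated hash algorithm: sha256
[    3.318975] ima: No architecture policies found'

# Constructed sample: a board with no TPM at all; bypass here is expected.
SAMPLE_NO_TPM='[    0.166261] ima: No TPM chip found, activating TPM-bypass!
[    0.281540] omap_i2c 42120000.i2c: bus 0 rev0.12 at 400 kHz'

# Print the timestamp of the first stdin line whose message matches the
# basic regex in $1, or nothing if no line matches.
first_ts() {
    sed -n "s/^\[ *\([0-9][0-9.]*\)\] $1.*/\1/p" | head -n 1
}

# Read dmesg text on stdin and print one of:
#   ok                 IMA did not enter TPM-bypass
#   no-tpm             bypass, and no TPM probe message at all
#   bypass-before-tpm  bypass, but a TPM probed later: the initcall ordering bug
#   bypass-after-tpm   bypass although the TPM probed earlier: look elsewhere
check_ima_tpm_order() {
    log=$(cat)
    ima_ts=$(printf '%s\n' "$log" | first_ts 'ima: No TPM chip found')
    # Assumption: the tpm_tis* probe line reads "<driver> <dev>: <ver> TPM (...)".
    tpm_ts=$(printf '%s\n' "$log" | first_ts 'tpm_[a-z_]*[^:]*: [0-9.]* TPM')
    if [ -z "$ima_ts" ]; then
        echo ok
    elif [ -z "$tpm_ts" ]; then
        echo no-tpm
    elif awk -v a="$ima_ts" -v b="$tpm_ts" 'BEGIN { exit !(a < b) }'; then
        echo bypass-before-tpm
    else
        echo bypass-after-tpm
    fi
}

# On a live system, after sourcing this file:  dmesg | check_ima_tpm_order
```

The timestamp comparison goes through awk because the shell's test builtin only compares integers; everything else is POSIX sed and sh, so the function also runs on a BusyBox initramfs where the bypass message is most likely to be first noticed.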

Thread overview: 8+ messages
2024-07-01 13:38 [RFC] integrity: wait for completion of i2c initialization using late_initcall_sync() Romain Naour
2024-07-01 13:53 ` Paul Menzel [this message]
2024-07-01 14:58   ` Romain Naour
2024-07-02  2:37     ` Mimi Zohar
2024-07-11 14:06       ` Mimi Zohar
2024-08-01 10:12         ` Romain Naour
2024-08-07  0:41           ` Mimi Zohar
2024-08-16 12:46             ` Roberto Sassu
