IMA Reports No TPM Device

IMA Reports No TPM Device

[Thangavel, Karthik]

Hi,

We are booting linux v6.1.30 on Xilinx ZynqMP SoC which is using ARM-A53.
We want to run IMA on TPM device connected over SPI interface.
During booting found that IMA reports "No TPM chip found".

Please find the below logs which shows IMA subsystem init 
called before TPM device.


[    0.000000] Linux version 6.1.30-xilinx-v2023.2 (oe-user@oe-host) (aarch64-xilinx-linux-gcc (GCC) 12.2.0, GNU ld (GNU Binutils) 2.39.0.20220819) #1 SMP Fri Sep 22 10:41:01 UTC 2023
[    0.000000] Machine model: xlnx,zynqmp
...
[    2.561405] ima: No TPM chip found, activating TPM-bypass!
[    2.567199] ima: Allocated hash algorithm: sha256
...
[    3.727105] tpm_tis_spi spi1.0: 2.0 TPM (device-id 0x1B, rev-id 22)
[    3.764152] tpm tpm0: starting up the TPM manually
...

In security/integrity/ima/ima_main.c 
late_initcall(init_ima);	/* Start IMA after the TPM is available */

As per above comment line IMA should start after TPM is available.
But we are observing the opposite behavior. 
Please let us know how to fix this issue.

-Karthik

RE: IMA Reports No TPM Device

[Thangavel, Karthik]

Hi,

Can you pls let us know how to resolve this issue. 
Looks many reported the same issue in forums.

Regards,
Karthik

> -----Original Message-----
> From: Thangavel, Karthik
> Sent: Friday, June 7, 2024 12:49 PM
> To: linux-security-module@vger.kernel.org; linux-spi@vger.kernel.org
> Cc: Gaddipati, Naveen <naveen.gaddipati@amd.com>; Narra, Bharath Kumar
> <BharathKumar.Narra@amd.com>
> Subject: IMA Reports No TPM Device
> 
> Hi,
> 
> We are booting linux v6.1.30 on Xilinx ZynqMP SoC which is using ARM-A53.
> We want to run IMA on TPM device connected over SPI interface.
> During booting found that IMA reports "No TPM chip found".
> 
> Please find the below logs which shows IMA subsystem init called before TPM
> device.
> 
> 
> [    0.000000] Linux version 6.1.30-xilinx-v2023.2 (oe-user@oe-host) (aarch64-
> xilinx-linux-gcc (GCC) 12.2.0, GNU ld (GNU Binutils) 2.39.0.20220819) #1 SMP Fri
> Sep 22 10:41:01 UTC 2023
> [    0.000000] Machine model: xlnx,zynqmp
> ...
> [    2.561405] ima: No TPM chip found, activating TPM-bypass!
> [    2.567199] ima: Allocated hash algorithm: sha256
> ...
> [    3.727105] tpm_tis_spi spi1.0: 2.0 TPM (device-id 0x1B, rev-id 22)
> [    3.764152] tpm tpm0: starting up the TPM manually
> ...
> 
> In security/integrity/ima/ima_main.c
> late_initcall(init_ima);	/* Start IMA after the TPM is available */
> 
> As per above comment line IMA should start after TPM is available.
> But we are observing the opposite behavior.
> Please let us know how to fix this issue.
> 
> -Karthik

Re: IMA Reports No TPM Device

[Roberto Sassu]

On Tue, 2024-06-18 at 10:24 +0000, Thangavel, Karthik wrote:
> Hi,
> 
> Can you pls let us know how to resolve this issue. 
> Looks many reported the same issue in forums.

Hi

this discussion seems to be related:

https://lore.kernel.org/all/1550753358.17768.85.camel@linux.ibm.com/t/#m5fd27cc9c80e90e781ccc5e1c3e693014d0278a2


Maybe there could be suggestions that apply to your case. We can also
resume the discussion, if the fix is not yet upstreamed.

Roberto

> Regards,
> Karthik
> 
> > -----Original Message-----
> > From: Thangavel, Karthik
> > Sent: Friday, June 7, 2024 12:49 PM
> > To: linux-security-module@vger.kernel.org; linux-spi@vger.kernel.org
> > Cc: Gaddipati, Naveen <naveen.gaddipati@amd.com>; Narra, Bharath Kumar
> > <BharathKumar.Narra@amd.com>
> > Subject: IMA Reports No TPM Device
> > 
> > Hi,
> > 
> > We are booting linux v6.1.30 on Xilinx ZynqMP SoC which is using ARM-A53.
> > We want to run IMA on TPM device connected over SPI interface.
> > During booting found that IMA reports "No TPM chip found".
> > 
> > Please find the below logs which shows IMA subsystem init called before TPM
> > device.
> > 
> > 
> > [    0.000000] Linux version 6.1.30-xilinx-v2023.2 (oe-user@oe-host) (aarch64-
> > xilinx-linux-gcc (GCC) 12.2.0, GNU ld (GNU Binutils) 2.39.0.20220819) #1 SMP Fri
> > Sep 22 10:41:01 UTC 2023
> > [    0.000000] Machine model: xlnx,zynqmp
> > ...
> > [    2.561405] ima: No TPM chip found, activating TPM-bypass!
> > [    2.567199] ima: Allocated hash algorithm: sha256
> > ...
> > [    3.727105] tpm_tis_spi spi1.0: 2.0 TPM (device-id 0x1B, rev-id 22)
> > [    3.764152] tpm tpm0: starting up the TPM manually
> > ...
> > 
> > In security/integrity/ima/ima_main.c
> > late_initcall(init_ima);	/* Start IMA after the TPM is available */
> > 
> > As per above comment line IMA should start after TPM is available.
> > But we are observing the opposite behavior.
> > Please let us know how to fix this issue.
> > 
> > -Karthik

RE: IMA Reports No TPM Device

[Thangavel, Karthik]

Hi,

Patch in below link helped us to resolve this issue,
https://community.infineon.com/t5/OPTIGA-TPM/i-MX8MP-with-TPM-SLB9670/td-p/403949#.

Now TPM driver is probed before IMA test.

Regards,
Karthik

> -----Original Message-----
> From: Roberto Sassu <roberto.sassu@huaweicloud.com>
> Sent: Tuesday, June 18, 2024 6:12 PM
> To: Thangavel, Karthik <karthik.thangavel@amd.com>; linux-security-
> module@vger.kernel.org; linux-spi@vger.kernel.org
> Cc: Gaddipati, Naveen <naveen.gaddipati@amd.com>; Narra, Bharath Kumar
> <BharathKumar.Narra@amd.com>
> Subject: Re: IMA Reports No TPM Device
> 
> On Tue, 2024-06-18 at 10:24 +0000, Thangavel, Karthik wrote:
> > Hi,
> >
> > Can you pls let us know how to resolve this issue.
> > Looks many reported the same issue in forums.
> 
> Hi
> 
> this discussion seems to be related:
> 
> https://lore.kernel.org/all/1550753358.17768.85.camel@linux.ibm.com/t/#m5fd
> 27cc9c80e90e781ccc5e1c3e693014d0278a2
> 
> 
> Maybe there could be suggestions that apply to your case. We can also resume
> the discussion, if the fix is not yet upstreamed.
> 
> Roberto
> 
> > Regards,
> > Karthik
> >
> > > -----Original Message-----
> > > From: Thangavel, Karthik
> > > Sent: Friday, June 7, 2024 12:49 PM
> > > To: linux-security-module@vger.kernel.org; linux-spi@vger.kernel.org
> > > Cc: Gaddipati, Naveen <naveen.gaddipati@amd.com>; Narra, Bharath
> > > Kumar <BharathKumar.Narra@amd.com>
> > > Subject: IMA Reports No TPM Device
> > >
> > > Hi,
> > >
> > > We are booting linux v6.1.30 on Xilinx ZynqMP SoC which is using ARM-A53.
> > > We want to run IMA on TPM device connected over SPI interface.
> > > During booting found that IMA reports "No TPM chip found".
> > >
> > > Please find the below logs which shows IMA subsystem init called
> > > before TPM device.
> > >
> > >
> > > [    0.000000] Linux version 6.1.30-xilinx-v2023.2 (oe-user@oe-host)
> (aarch64-
> > > xilinx-linux-gcc (GCC) 12.2.0, GNU ld (GNU Binutils)
> > > 2.39.0.20220819) #1 SMP Fri Sep 22 10:41:01 UTC 2023
> > > [    0.000000] Machine model: xlnx,zynqmp
> > > ...
> > > [    2.561405] ima: No TPM chip found, activating TPM-bypass!
> > > [    2.567199] ima: Allocated hash algorithm: sha256
> > > ...
> > > [    3.727105] tpm_tis_spi spi1.0: 2.0 TPM (device-id 0x1B, rev-id 22)
> > > [    3.764152] tpm tpm0: starting up the TPM manually
> > > ...
> > >
> > > In security/integrity/ima/ima_main.c
> > > late_initcall(init_ima);	/* Start IMA after the TPM is available */
> > >
> > > As per above comment line IMA should start after TPM is available.
> > > But we are observing the opposite behavior.
> > > Please let us know how to fix this issue.
> > >
> > > -Karthik