Re: [PATCH] security: Fix IMA Kconfig for dependencies on ARM64
From: Mimi Zohar
Date: Wed Mar 07 2018 - 17:19:42 EST
On Wed, 2018-03-07 at 11:41 -0800, James Bottomley wrote:
> On Wed, 2018-03-07 at 14:21 -0500, Mimi Zohar wrote:
> > On Wed, 2018-03-07 at 11:08 -0800, James Bottomley wrote:
> > >
> > > On Wed, 2018-03-07 at 13:55 -0500, Mimi Zohar wrote:
> > > >
> > > > On Wed, 2018-03-07 at 11:51 -0700, Jason Gunthorpe wrote:
> > > > >
> > > > >
> > > > > On Tue, Mar 06, 2018 at 11:26:26PM -0600, Jiandi An wrote:
> > > > > >
> > > > > >
> > > > > > TPM_CRB driver is the TPM support for ARM64.ÂÂIf it
> > > > > > is built as module, TPM chip is registered after IMA
> > > > > > init.ÂÂtpm_pcr_read() in IMA driver would fail and
> > > > > > display the following message even though eventually
> > > > > > there is TPM chip on the system:
> > > > > >
> > > > > > ima: No TPM chip found, activating TPM-bypass! (rc=-19)
> > > > > >
> > > > > > Fix IMA Kconfig to select TPM_CRB so TPM_CRB driver is
> > > > > > built in kernel and initializes before IMA driver.
> > > > > >
> > > > > > Signed-off-by: Jiandi An <anjiandi@xxxxxxxxxxxxxx>
> > > > > > Âsecurity/integrity/ima/Kconfig | 1 +
> > > > > > Â1 file changed, 1 insertion(+)
> > > > > >
> > > > > > diff --git a/security/integrity/ima/Kconfig
> > > > > > b/security/integrity/ima/Kconfig
> > > > > > index 35ef693..6a8f677 100644
> > > > > > +++ b/security/integrity/ima/Kconfig
> > > > > > @@ -10,6 +10,7 @@ config IMA
> > > > > > Â select CRYPTO_HASH_INFO
> > > > > > Â select TCG_TPM if HAS_IOMEM && !UML
> > > > > > Â select TCG_TIS if TCG_TPM && X86
> > >
> > > Well, this explains why IMA doesn't work on one of my X86 systems:
> > > it's got a non i2c infineon TPM.
> > >
> > > >
> > > > >
> > > > > >
> > > > > > + select TCG_CRB if TCG_TPM && ACPI
> > > > > > Â select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
> > > > > > Â help
> > > > > > Â ÂÂThe Trusted Computing Group(TCG) runtime Integrity
> > > > >
> > > > > This seems really weird, why are any specific TPM drivers
> > > > > linked to IMA config, we have lots of drivers..
> > > > >
> > > > > I don't think I've ever seen this pattern in Kconfig before?
> > > >
> > > > As you've seen by the current discussions, the TPM driver needs
> > > > to be initialized prior to IMA. ÂOtherwise IMA goes into TPM-
> > > > bypass mode. ÂThat implies that the TPM must be builtin to the
> > > > kernel, and not as a kernel module.
> > >
> > > Actually, that's not necessarily true: ÂIf we don't begin appraisal
> > > until after the initrd phase, then the initrd can load TPM modules
> > > before IMA starts.
> > >
> > > This would involve a bit of code rejigging to not require a TPM
> > > until IMA wants to write its first measurement, but it looks doable
> > > and would get us out of having to second guess TPM selections.
> >
> > The question is about measurement, not appraisal. ÂAlthough the
> > initramfs might be measured, the initramfs can access files on the
> > real root filesystem. ÂThose files need to be measured, before they
> > are used/accessed.
>
> Isn't it a question of threat model? ÂBecause the initrd is measured,
> you know it's the one you specified and you should know its security
> properties, so measurement doesn't really need to begin until the root
> pivots.
Perhaps in the case where the initramfs is signed and the signature is
verified, I would agree that I know the security properties of the
initramfs. ÂThat still doesn't negate the fact that the initramfs
could access files on real root, without first measuring them.
> At that point you pick up the boot aggregate so the log now is
> tied to the initrd measurement. ÂConversely, I can't really see a
> threat model where you could trick a correctly measured initrd into
> subverting IMA, especially because listening network daemons aren't
> usually active at this stage.
Linux based boot loaders can be configured to download remote kernel
images and initramfs files - network boot.
> I'm not saying there isn't a use case for wanting your TPM built in,
> I'm just saying I don't think it needs to be required for everyone who
> uses IMA.
If the TPM module is not builtin, there are no guarantees when it was
loaded. ÂThere could be a disconnect between the IMA measurement list
and the TPM PCRs.
If someone has a special use case, then I agree with you, that we
could theoretically support it, but I don't think we want to confuse
distros or anyone else. ÂThe TPM should be builtin, so that IMA
measurements can begin before accessing real root.
Mimi