linux icon indicating copy to clipboard operation
linux copied to clipboard
verified publisher icon raspberrypi

IMA does not detect TPM while using RPi 5

Open Mangelmesa opened this issue 1 year ago • 0 comments

Describe the bug

IMA seems to not detect the TPM on boot on the RPi 5, and therefore the message "No TPM chip found, activating TPM-bypass!" is displayed. The same building configuration for the kernel and a RPi 4 does not produce the error, and IMA is capable of extending the PCRs of the TPM. Looks like some merged fixes like #5003 do not solve this issue.

Steps to reproduce the behaviour

Modify the Kernel by adding support for the IMA module (using ima-sig as default template and SHA256 as the hash algorithm), set the TPM module as built in: Device Drivers --->Character devices ---> -*- TPM Hardware Support ---> <*> TPM Interface Specification 1.3 Interface / TPM 2.0 FIFO Interface - (SPI), as well as the SPI: Device Drivers --->[*] SPI support ---><*> BCM2835 SPI controller. Build and copy the kernel to the SD card. Add dtparam=spi=on and dtoverlay=tpm-slb9670 to /boot/firmware/config.txt, add ima_policy=tcb to /boot/firmware/cmdline.txt. Finally, add an IMA policy. After a reboot, the expected behavior is to see some value in boot_aggregate given that the TPM is connected. However, all zeroes is obtained in this case, as if it does not exist: image

Device (s)

Raspberry Pi 5

System

Raspberry Pi reference 2024-03-15 OS and version: Generated using pi-gen, https://github.com/RPi-Distro/pi-gen, f19ee211ddafcae300827f953d143de92a5c6624, stage5

Firmware version: 30cc5f37 (release) (embedded)

Kernel version: 6.6.31-v8-16k+ #2 SMP PREEMPT Fri Jun 7 10:41:54 CEST 2024 aarch64 GNU/Linux

Logs

Obtained running dmesg | grep IMA and dmesg | grep TPM: [ 0.397724] ima: No TPM chip found, activating TPM-bypass! [ 1.970687] systemd[1]: systemd 252.22-1-deb12u1 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified) [ 4.445048] tpm_tis_spi spi0.1: 2.0 TPM (device-id 0x1D, rev-id 54) [ 1.868523] systemd[1]: Successfully loaded the IMA custom policy /etc/ima/ima-policy. [ 1.970687] systemd[1]: systemd 252.22-1~deb12u1 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified) [ 2.416665] device-mapper: core: CONFIG_IMA_DISABLE_HTABLE is disabled. Duplicate IMA measurements will not be recorded in the IMA log.

Additional context

No response

Mangelmesa avatar Jun 11 '24 06:06 Mangelmesa