[17.04 FEAT] Build IMA and the TPM device drivers into the KVM on POWER host/NV kernel

Bug #1643652 reported by bugproxy
Affects                 Status         Importance   Assigned to    Milestone
linux (Ubuntu)          Fix Released   High         Tim Gardner
  Xenial                Won't Fix      Undecided    Tim Gardner
  Yakkety               Won't Fix      Undecided    Tim Gardner
  Zesty                 Fix Released   High         Tim Gardner

Bug Description

Update the kernel config such that the I2C TPM device drivers and their dependencies are built into the kernel so that IMA can start measuring from the first file the kernel loads from storage:

CONFIG_TCG_TPM=y
CONFIG_TCG_TIS_I2C_ATMEL=y
CONFIG_TCG_TIS_I2C_INFINEON=y
CONFIG_TCG_TIS_I2C_NUVOTON=y

Also update IMA and EVM config options and their dependencies such that IMA and EVM are enabled:

CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_LSM_RULES=y
CONFIG_IMA_SIG_TEMPLATE=y
CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_DEFAULT_HASH="sha256"
CONFIG_IMA_READ_POLICY=y
CONFIG_IMA_APPRAISE=y
CONFIG_IMA_TRUSTED_KEYRING=y
CONFIG_IMA_LOAD_X509=y
CONFIG_IMA_X509_PATH="y"
CONFIG_EVM=y
CONFIG_EVM_ATTR_FSUUID=y
CONFIG_EVM_LOAD_X509=y
CONFIG_EVM_X509_PATH="y"

bugproxy (bugproxy)
tags: added: architecture-ppc64le bugnameltc-148911 severity-critical targetmilestone-inin1704
Changed in ubuntu:
assignee: nobody → Taco Screen team (taco-screen-team)
affects: ubuntu → linux (Ubuntu)
Changed in linux (Ubuntu):
assignee: Taco Screen team (taco-screen-team) → Canonical Kernel Team (canonical-kernel-team)
importance: Undecided → High
status: New → Triaged
Tim Gardner (timg-tpi) wrote :

How should I set IMA_APPRAISE_SIGNED_INIT? (y/n)

The X509 paths do not appear to be correct, so I've changed them to

CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"

Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Xenial):
assignee: nobody → Tim Gardner (timg-tpi)
status: New → In Progress
Changed in linux (Ubuntu Yakkety):
assignee: nobody → Tim Gardner (timg-tpi)
status: New → In Progress
Changed in linux (Ubuntu Zesty):
assignee: Canonical Kernel Team (canonical-kernel-team) → Tim Gardner (timg-tpi)
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.9.0-11.12

---------------
linux (4.9.0-11.12) zesty; urgency=low

  * Miscellaneous Ubuntu changes
    - UBUNTU: SAUCE: Add '-fno-pie -no-pie' to cflags for x86 selftests
    - UBUNTU: SAUCE: (no-up) aufs: for v4.9-rc1, support setattr_prepare()

  [ Upstream Kernel Changes ]

  * rebase to v4.9

 -- Tim Gardner <email address hidden> Mon, 12 Dec 2016 06:40:40 -0700

Changed in linux (Ubuntu Zesty):
status: Fix Committed → Fix Released
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2017-01-12 17:23 EDT-------
*** Bug 148837 has been marked as a duplicate of this bug. ***

Tim Gardner (timg-tpi) wrote :

No response

Changed in linux (Ubuntu Xenial):
status: In Progress → Won't Fix
Changed in linux (Ubuntu Yakkety):
status: In Progress → Won't Fix
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2017-02-23 16:09 EDT-------
I've verified that the kernel config options we requested are in fact enabled in the Ubuntu 17.04 daily kernel. However, there are 2 problems for which I'll open separate bugs.

1. Some additional options that were not requested and should not be enabled were enabled:

CONFIG_IMA_APPRAISE_SIGNED_INIT
CONFIG_IMA_BLACKLIST_KEYRING
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
CONFIG_IMA_READ_POLICY
CONFIG_IMA_WRITE_POLICY

2. We've found that msleep() is buggy and causes excessive delays in TPM extend operations during bursts of measurements from IMA. Currently, with IMA enabled by passing ima_tcb on the kernel command line, the kernel will not boot. We have a proof-of-concept patch that changes msleep() to usleep_range() in the Nuvoton I2C TPM device driver, which remedies the problem on our platform.
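Added example, not part of the bug report or of Ubuntu's kernel tree: a POSIX shell audit that checks a kernel .config against the options the bug description requests (using the X509 key paths Tim Gardner substituted for the placeholder "y") and flags the symbols the verification comment says should not have been enabled. The config fragment it runs on is constructed; on a real host you would point it at /boot/config-$(uname -r) instead.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a kernel .config for the
# IMA/EVM/TPM options requested in bug #1643652 and for the unrequested
# options the verification comment found switched on.

# Options the bug description asks for; the two X509 paths are the values
# substituted in Tim Gardner's comment, not the report's placeholder "y".
REQUIRED='CONFIG_TCG_TPM=y
CONFIG_TCG_TIS_I2C_ATMEL=y
CONFIG_TCG_TIS_I2C_INFINEON=y
CONFIG_TCG_TIS_I2C_NUVOTON=y
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_LSM_RULES=y
CONFIG_IMA_SIG_TEMPLATE=y
CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_DEFAULT_HASH="sha256"
CONFIG_IMA_READ_POLICY=y
CONFIG_IMA_APPRAISE=y
CONFIG_IMA_TRUSTED_KEYRING=y
CONFIG_IMA_LOAD_X509=y
CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
CONFIG_EVM=y
CONFIG_EVM_ATTR_FSUUID=y
CONFIG_EVM_LOAD_X509=y
CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"'

# Symbols the verification comment reports as enabled without being requested.
UNWANTED='CONFIG_IMA_APPRAISE_SIGNED_INIT
CONFIG_IMA_BLACKLIST_KEYRING
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY'

# check_config FILE: print one line per deviation ("MISSING ..." when a
# required option is absent or set to another value, "UNWANTED ..." when an
# unrequested symbol is =y or =m). Exit status 1 if anything was printed.
check_config() {
    cfg=$1
    problems=0
    for want in $REQUIRED; do
        # -x: the whole line must match; -F: the quotes in values are literal
        if ! grep -qxF -- "$want" "$cfg"; then
            sym=${want%%=*}
            have=$(grep -- "^$sym=" "$cfg" || echo "$sym is not set")
            echo "MISSING  $want (found: $have)"
            problems=$((problems + 1))
        fi
    done
    for sym in $UNWANTED; do
        if grep -qE -- "^$sym=[ym]\$" "$cfg"; then
            echo "UNWANTED $(grep -- "^$sym=" "$cfg")"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# write_sample_config FILE: a constructed .config fragment that mirrors the
# comment's finding: one requested option left unset, two unrequested ones on.
write_sample_config() {
    {
        printf '%s\n' "$REQUIRED" |
            sed 's/^CONFIG_IMA_LSM_RULES=y$/# CONFIG_IMA_LSM_RULES is not set/'
        printf '%s\n' 'CONFIG_IMA_APPRAISE_SIGNED_INIT=y' \
            'CONFIG_IMA_BLACKLIST_KEYRING=y' \
            '# CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set'
    } > "$1"
}

# Stand-alone demo on the constructed sample; prints three findings.
sample=$(mktemp)
write_sample_config "$sample"
check_config "$sample"
rm -f "$sample"
```

The whole-line match matters for the appraisal-related options: an IMA build with CONFIG_IMA_APPRAISE=y but a wrong CONFIG_IMA_X509_PATH boots, yet the kernel cannot load the key at the path it was built with, so appraisal silently has no key to verify against. Checking the value, not just the symbol, is what catches that.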
