Bug#1051535: linux: HW_RANDOM_TPM disabled due to IMA=y
Tj
2023-09-09 11:40:01 UTC
Source: linux
Severity: normal

Working with a Debian user in the Matrix channel #Debian, they report
that the TPM hardware random number generator that was available in
the v5.10* series is missing from the v6.1* series for the amd64 kernel.

After examining the Kconfig options and the Debian configs I found that
commit 6e679322d7d "Re-enable IMA" possibly inadvertently disabled
HW_RANDOM_TPM.

The reason being that we have:

config HW_RANDOM_TPM
	bool "TPM HW Random Number Generator support"
	depends on TCG_TPM && HW_RANDOM && !(TCG_TPM=y && HW_RANDOM=m)

And when IMA=y that does:

config IMA
	bool "Integrity Measurement Architecture(IMA)"
	...
	select TCG_TPM if HAS_IOMEM

And `select` will force the target to the same value as this option.

TCG_TPM is tri-state (n,y,m) but IMA is boolean (n,y) so this select
forces TCG_TPM=y.

So !(TCG_TPM=y && HW_RANDOM=m) is true and therefore HW_RANDOM_TPM is
not set.

$ grep -rnE 'CONFIG_(IMA|TCG_TPM|HW_RANDOM)=' debian/config /boot/config-6.1.0-11-amd64
debian/config/config:457:CONFIG_HW_RANDOM=m
debian/config/config:7752:CONFIG_IMA=y
debian/config/arm64/config:172:CONFIG_TCG_TPM=m
debian/config/kernelarch-x86/config:332:CONFIG_TCG_TPM=m
debian/config/config.cloud:149:CONFIG_TCG_TPM=m
/boot/config-6.1.0-11-amd64:4324:CONFIG_HW_RANDOM=m
/boot/config-6.1.0-11-amd64:4352:CONFIG_TCG_TPM=y
/boot/config-6.1.0-11-amd64:9774:CONFIG_IMA=y


-- System Information:
Debian Release: 12.1
Architecture: amd64 (x86_64)
Foreign Architectures: i386
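The following script is an added example, not part of the bug report or of Debian's kernel packaging. It reads the three symbols from a kernel .config and evaluates the HW_RANDOM_TPM dependency line quoted above under Kconfig tristate semantics (y, m, or n when the symbol is absent or "is not set"), so the blocking combination (TCG_TPM=y with HW_RANDOM=m) is reported with its reason. The two config files are constructed inline: the "broken" one mirrors the values in the report's grep output, and the "fixed" one simply assumes HW_RANDOM=y as one way to satisfy the clause; it does not claim to reproduce whatever change the referenced merge request made.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether HW_RANDOM_TPM
# can be enabled in a given kernel .config, using the dependency line
# quoted in the report:
#   depends on TCG_TPM && HW_RANDOM && !(TCG_TPM=y && HW_RANDOM=m)
# Tristate values: y (built-in), m (module), n (absent / "is not set").

# Print the value (y, m or n) of CONFIG_<name> from config file $1.
cfg_value() {
    _file=$1; _name=$2
    _v=$(sed -n "s/^CONFIG_${_name}=\([ym]\)$/\1/p" "$_file" | tail -n 1)
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf 'n\n'; fi
}

# Evaluate the HW_RANDOM_TPM dependency for config file $1.
# Prints "available" when the depends-on clause is satisfied, otherwise
# "blocked: <reason>".
hw_random_tpm_status() {
    _tpm=$(cfg_value "$1" TCG_TPM)
    _rng=$(cfg_value "$1" HW_RANDOM)
    if [ "$_tpm" = n ]; then
        echo "blocked: TCG_TPM is not set"
    elif [ "$_rng" = n ]; then
        echo "blocked: HW_RANDOM is not set"
    elif [ "$_tpm" = y ] && [ "$_rng" = m ]; then
        # The combination the report describes: IMA=y selects TCG_TPM=y
        # while HW_RANDOM stays =m, so the negated clause evaluates to n
        # and the bool option cannot be turned on (built-in TPM code would
        # have to call into the hw_random module).
        echo "blocked: TCG_TPM=y with HW_RANDOM=m"
    else
        echo "available"
    fi
}

# Constructed sample configs (values mirror the report's grep output;
# these are not real files from the system or the package).
broken_cfg=$(mktemp)
cat > "$broken_cfg" <<'EOF'
CONFIG_HW_RANDOM=m
CONFIG_TCG_TPM=y
CONFIG_IMA=y
# CONFIG_HW_RANDOM_TPM is not set
EOF

# Hypothetical "fixed" config: HW_RANDOM built in, so the clause holds.
fixed_cfg=$(mktemp)
cat > "$fixed_cfg" <<'EOF'
CONFIG_HW_RANDOM=y
CONFIG_TCG_TPM=y
CONFIG_IMA=y
CONFIG_HW_RANDOM_TPM=y
EOF

echo "broken config: $(hw_random_tpm_status "$broken_cfg")"
echo "fixed config:  $(hw_random_tpm_status "$fixed_cfg")"
```

To check a real kernel, call `hw_random_tpm_status /boot/config-$(uname -r)`; on a running system the same situation shows up as `tpm-rng` missing from `/sys/devices/virtual/misc/hw_random/rng_available` even though the TPM driver is loaded.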
Salvatore Bonaccorso
2023-09-09 12:10:02 UTC
Hi,

Thanks for the report.
Post by Tj
> Source: linux
> Severity: normal
> Working with a Debian user in the Matrix channel #Debian, they report
> that the TPM hardware random number generator that was available in
> the v5.10* series is missing from the v6.1* series for the amd64 kernel.
> After examining the Kconfig options and the Debian configs I found that
> commit 6e679322d7d "Re-enable IMA" possibly inadvertently disabled
> HW_RANDOM_TPM.
> config HW_RANDOM_TPM
> 	bool "TPM HW Random Number Generator support"
> 	depends on TCG_TPM && HW_RANDOM && !(TCG_TPM=y && HW_RANDOM=m)
> config IMA
> 	bool "Integrity Measurement Architecture(IMA)"
> 	...
> 	select TCG_TPM if HAS_IOMEM
> And `select` will force the target to the same value as this option.
> TCG_TPM is tri-state (n,y,m) but IMA is boolean (n,y) so this select
> forces TCG_TPM=y.
> So !(TCG_TPM=y && HW_RANDOM=m) is true and therefore HW_RANDOM_TPM is
> not set.
> $ grep -rnE 'CONFIG_(IMA|TCG_TPM|HW_RANDOM)=' debian/config /boot/config-6.1.0-11-amd64
> debian/config/config:457:CONFIG_HW_RANDOM=m
> debian/config/config:7752:CONFIG_IMA=y
> debian/config/arm64/config:172:CONFIG_TCG_TPM=m
> debian/config/kernelarch-x86/config:332:CONFIG_TCG_TPM=m
> debian/config/config.cloud:149:CONFIG_TCG_TPM=m
> /boot/config-6.1.0-11-amd64:4324:CONFIG_HW_RANDOM=m
> /boot/config-6.1.0-11-amd64:4352:CONFIG_TCG_TPM=y
> /boot/config-6.1.0-11-amd64:9774:CONFIG_IMA=y
The issue is handled already in #1041007, so merging both.

There is an MR to get the change first into unstable:
https://salsa.debian.org/kernel-team/linux/-/merge_requests/821
After that it can go into bookworm (likely in the next bookworm point
release).

Regards,
Salvatore
Debian Bug Tracking System
2023-09-29 09:00:02 UTC
Your message dated Fri, 29 Sep 2023 08:50:03 +0000
with message-id <E1qm9CF-004JAZ-***@fasolo.debian.org>
and subject line Bug#1041007: fixed in linux 6.1.55-1
has caused the Debian Bug report #1041007,
regarding linux: HW_RANDOM_TPM disabled due to IMA=y
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
1041007: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041007
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Debian Bug Tracking System
2023-09-29 09:00:13 UTC
Your message dated Fri, 29 Sep 2023 08:50:03 +0000
with message-id <E1qm9CF-004JAZ-***@fasolo.debian.org>
and subject line Bug#1041007: fixed in linux 6.1.55-1
has caused the Debian Bug report #1041007,
regarding linux-image-6.1.0-0.deb11.7-amd64: Please enable TPM hardware RNG support (CONFIG_HW_RANDOM_TPM)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
1041007: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041007
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems