Thread (17 messages) 17 messages, 4 authors, 2025-07-02

Re: [PATCH v4 0/2] generate boot_aggregate log in IMA with TPM using CRB over FF-A

From: Sudeep Holla <hidden>
Date: 2025-06-25 19:35:41
Also in: linux-integrity, lkml 

On Wed, Jun 25, 2025 at 08:01:51PM +0300, Jarkko Sakkinen wrote:
On Wed, Jun 25, 2025 at 07:59:53PM +0300, Jarkko Sakkinen wrote:
quoted
On Wed, Jun 25, 2025 at 11:36:19AM +0100, Yeoreum Yun wrote:
quoted
Hi Jarkko,
quoted
On Wed, Jun 18, 2025 at 11:23:00AM +0100, Yeoreum Yun wrote:
quoted
To ensure the TPM device operating over the FF-A protocol with
the CRB interface is probed before IMA initialization,
the following conditions must be met:

   1. The corresponding ffa_device must be registered,
      which is done via ffa_init().

   2. The tpm_crb_driver must successfully probe this device via
      tpm_crb_ffa_init().

   3. The tpm_crb driver using CRB over FF-A can then
      be probed successfully. (See crb_acpi_add() and
      tpm_crb_ffa_init() for reference.)

Unfortunately, ffa_init(), tpm_crb_ffa_init(), and crb_acpi_driver_init() are
all registered with device_initcall, which means crb_acpi_driver_init() may
be invoked before ffa_init() and tpm_crb_ffa_init() are completed.
I get the ffa_init() part i.e, moving it earlier. However for
tpm_crb_ffa_init() and crb_acpi_driver_init(), modules.dep
takes care that they are loaded in order.
For IMA you will need the driver as built-in but that should
be handled via kernel config, not via code changes.
In the case of "module" built, it's true.
However what I tell here is when "tpm_crb" and "tpm_crb_ffa" is built
as "built-in" in this case, it couldn't make a "dependency" between
the same initcall level: here is the case of this.

0000000000000888 l       .initcall6.init>-------0000000000000000 crb_acpi_driver_init
000000000000088c l       .initcall6.init>-------0000000000000000 tpm_crb_ffa_driver_init

in this case, wihtout code change, the crb_acpi_driver_init()
is failed since tpm_crb_ffa_driver_init() is called later.

and this couldn't be solved with kconfig --
ARM_FFA_TRANSPORT=y && CONFIG_TCG_CRB=y && CONFIG_TCG_CRB_FFA=y.

The Patch #2 is to proing the tpm_crb_ffa as part of
crb_acpi_driver_init() when TPM uses method ARM-FFA.

If there's another suggestion, let me know please.
Hmm.. I actually got what you mean now. I was looking this from
wrong angle. I think we can pick these patches!

Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
quoted
Thanks

--
Sincerely,
Yeoreum Yun
BR, Jarkko
Applied.
If you are applying 1/2 too, feel free to add

Reviewed-by: Sudeep Holla <redacted>

I was initially thinking of taking it separately as there is no strict
build dependency. But I am fine if you can take them together.

-- 
Regards,
Sudeep
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help