Enable fTPM for IMA

[cinghioGithub]

Hello everyone, I'm currently working on enabling the fTPM in order to correctly use IMA on a Xilinx mpu soc zcu104. I'm using the op-tee version 4.3.0. The fTPM TA seems to start correctly:

I/TC: OP-TEE version: 4.3.0-dev (gcc version 13.3.0 (GCC)) #1 Fri Jul 12 08:42:35 UTC 2024 aarch64
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html
I/TC: Primary CPU initializing
D/TC:0 0 call_preinitcalls:21 level 2 mobj_mapped_shm_init()
D/TC:0 0 mobj_mapped_shm_init:467 Shared memory address range: 60600000, 62600000
D/TC:0 0 call_initcalls:40 level 1 teecore_init_pub_ram()
D/TC:0 0 call_initcalls:40 level 3 check_ta_store()
D/TC:0 0 check_ta_store:449 TA store: "early TA"
D/TC:0 0 check_ta_store:449 TA store: "Secure Storage TA"
D/TC:0 0 check_ta_store:449 TA store: "REE"
D/TC:0 0 call_initcalls:40 level 3 early_ta_init()
D/TC:0 0 early_ta_init:56 Early TA bc50d971-d4c9-42c4-82cb-343fb7f37896 size 208446 (compressed, uncompressed 445256)
D/TC:0 0 call_initcalls:40 level 3 verify_pseudo_tas_conformance()
D/TC:0 0 call_initcalls:40 level 3 tee_cryp_init()
D/TC:0 0 call_initcalls:40 level 4 tee_fs_init_key_manager()
D/TC:0 0 call_initcalls:40 level 6 init_multi_core_panic_handler()
D/TC:0 0 call_initcalls:40 level 6 mobj_init()
D/TC:0 0 call_initcalls:40 level 6 default_mobj_init()
D/TC:0 0 call_initcalls:40 level 7 gic_set_primary_done()
I/TC: Primary CPU switching to normal world boot
INFO:    BL31: Preparing for EL3 exit to normal world
INFO:    Entry point address = 0x8000000
INFO:    SPSR = 0x3c9

I have also added the specific node in the device-tree for the fTPM as specified in the documentation:

tpm@0 {
	compatible = "microsoft,ftpm";
	linux,sml-base = <0x0 0xC0000000>;
	linux,sml-size = <0x10000>;
};

When booting the platform the ftpm driver probe is correctly started, but it fails with a panic in the TA:

D/TC:? 0 tee_ta_init_pseudo_ta_session:303 Lookup pseudo TA bc50d971-d4c9-42c4-82cb-343fb7f37896
D/TC:? 0 ldelf_load_ldelf:110 ldelf load address 0x80007000
D/LD:  ldelf:142 Loading TS bc50d971-d4c9-42c4-82cb-343fb7f37896
D/TC:? 0 ldelf_syscall_open_bin:163 Lookup user TA ELF bc50d971-d4c9-42c4-82cb-343fb7f37896 (early TA)
D/TC:? 0 ldelf_syscall_open_bin:167 res=0
D/LD:  ldelf:176 ELF (bc50d971-d4c9-42c4-82cb-343fb7f37896) at 0x80066000
I/TC: WARNING (insecure configuration): Failed to get monotonic counter for REE FS, using 0
E/TC:? 0 get_rpc_alloc_res:644 RPC allocation failed. Non-secure world result: ret=0xffff000c ret_origin=0x2
E/TC:? 0 
E/TC:? 0 TA panicked with code 0xffff0007
E/LD:  Status of TA bc50d971-d4c9-42c4-82cb-343fb7f37896
E/LD:   arch: aarch64
E/LD:  region  0: va 0x80005000 pa 0x60201000 size 0x002000 flags rw-s (ldelf)
E/LD:  region  1: va 0x80007000 pa 0x60203000 size 0x008000 flags r-xs (ldelf)
E/LD:  region  2: va 0x8000f000 pa 0x6020b000 size 0x001000 flags rw-s (ldelf)
E/LD:  region  3: va 0x80010000 pa 0x6020c000 size 0x004000 flags rw-s (ldelf)
E/LD:  region  4: va 0x80014000 pa 0x60210000 size 0x001000 flags r--s
E/LD:  region  5: va 0x80015000 pa 0x60298000 size 0x011000 flags rw-s (stack)
E/LD:  region  6: va 0x80066000 pa 0x60211000 size 0x068000 flags r-xs [0]
E/LD:  region  7: va 0x800ce000 pa 0x60279000 size 0x01f000 flags rw-s [0]
E/LD:   [0] bc50d971-d4c9-42c4-82cb-343fb7f37896 @ 0x80066000
E/LD:  Call stack:
E/LD:   0x80067830
E/LD:   0x800aa028
E/LD:   0x8009f0dc
D/TC:? 0 user_ta_enter:195 tee_user_ta_enter: TA panicked with code 0xffff0007
D/TC:? 0 release_ta_ctx:670 Releasing panicked TA ctx
D/TC:? 0 tee_ta_close_session:460 csess 0x600d5c70 id 1
D/TC:? 0 tee_ta_close_session:479 Destroy session
D/TC:? 0 destroy_context:318 Destroy TA ctx (0x600d5c10)
E/TC:? 0 tee_ta_open_session:745 Failed for TA bc50d971-d4c9-42c4-82cb-343fb7f37896. Return error 0xffff3024
[   11.894308] ftpm-tee tpm@0: ftpm_tee_probe: tee_client_open_session failed, err=ffff3024
[   11.896806] ftpm-tee: probe of tpm@0 failed with error -22

Looking at the previous issue #5347, it was mentioned that it could be an error caused by the tee-supplicant not yer running.

For the discussion in this issue and the issue #5766, it seems to me, if I have understood correctly, that the device probe can be done only if the tee-supplicant, which makes it impossible to have an instantiated tpm device at IMA initialization time.

Is my understanding correct? Is it possible to probe the ftpm before IMA initialization?

Thank you very much in advance.

[jenswi-linaro]

You need to embed the fTPM as an early TA so it's available earlier. EARLY_TA_PATHS should point to bc50d971-d4c9-42c4-82cb-343fb7f37896.stripped.elf.
See an example at:
https://github.com/OP-TEE/build/blob/84ef4c3e54e253650e1d63858dd613eeae693a2b/common.mk#L575-L615

[cinghioGithub]

Hi @jenswi-linaro, thanks for your response. I already built the fTPM as an early TA, and it seems it is loaded correctly during boot:

D/TC:0 0 call_initcalls:40 level 3 early_ta_init()
D/TC:0 0 early_ta_init:56 Early TA bc50d971-d4c9-42c4-82cb-343fb7f37896 size 208446 (compressed, uncompressed 445256)

This is what I see when booting up the platform. In addition when the driver tries to probe it seems that the session with the TA is opened correctly, but then the TA got a panic and for this reason the probe fails.
Am I missing something?

Thank you again for you time.

[LeeTroy]

I'm having the same issue.

Linux IMA detects the tpm chip at kernel init stage, but the optee-ftpm device comes available after tee-supplicant service running, which is already in user space (systemd service).

https://github.com/torvalds/linux/blob/dd83757f6e686a2188997cb58b5975f744bb7786/security/integrity/ima/ima_init.c#L118-L124

[github-actions]

This issue has been marked as a stale issue because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this issue will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time.