From 0ac5fe3024e03e5cc6706fb7269a507bdc489f4f Mon Sep 17 00:00:00 2001
From: Alexander Popov
Date: Thu, 13 Oct 2022 18:07:14 +0300
Subject: [PATCH] Update the HW_RANDOM_TPM check
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Clip OS says that RANDOM_TRUST_BOOTLOADER and RANDOM_TRUST_CPU should be disabled if HW_RANDOM_TPM is enabled. The Clip OS description: Do not credit entropy included in Linux’s entropy pool when generated by the CPU manufacturer’s HWRNG, the bootloader or the UEFI firmware. Fast and robust initialization of Linux’s CSPRNG is instead achieved thanks to the TPM’s HWRNG. At the same time KSPP recommends to enable RANDOM_TRUST_BOOTLOADER and RANDOM_TRUST_CPU anyway: Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even malicious sources should not cause problems. In this situation, I think kconfig-hardened-check should check only HW_RANDOM_TPM (there is no contradiction about it) and leave the decision about RANDOM_TRUST_BOOTLOADER and RANDOM_TRUST_CPU to the owner of the system.
---
 kconfig_hardened_check/__init__.py | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/kconfig_hardened_check/__init__.py b/kconfig_hardened_check/__init__.py
index 044ab38..1ed83d5 100644
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -423,6 +423,7 @@ def add_kconfig_checks(l, arch):
 l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y')]
 l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_PASSTHROUGH', 'is not set')] # true if IOMMU_DEFAULT_DMA_STRICT is set
 l += [KconfigCheck('self_protection', 'kspp', 'ZERO_CALL_USED_REGS', 'y')]
+ l += [KconfigCheck('self_protection', 'kspp', 'HW_RANDOM_TPM', 'y')]
 randstruct_is_set = OR(KconfigCheck('self_protection', 'kspp', 'RANDSTRUCT_FULL', 'y'),
 KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y'))
 l += [randstruct_is_set]
@@ -487,12 +488,6 @@ def add_kconfig_checks(l, arch):
 l += [OR(KconfigCheck('self_protection', 'clipos', 'EFI_DISABLE_PCI_DMA', 'y'),
 efi_not_set)]
 l += [KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set')]
- hw_random_tpm_is_set = KconfigCheck('self_protection', 'clipos', 'HW_RANDOM_TPM', 'y')
- l += [hw_random_tpm_is_set]
- l += [AND(KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_BOOTLOADER', 'is not set'),
- hw_random_tpm_is_set)]
- l += [AND(KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_CPU', 'is not set'),
- hw_random_tpm_is_set)]
 l += [AND(KconfigCheck('self_protection', 'clipos', 'RANDSTRUCT_PERFORMANCE', 'is not set'),
 KconfigCheck('self_protection', 'clipos', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'),
 randstruct_is_set)]
--
2.31.1
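Review bot: The new `HW_RANDOM_TPM` line in the first hunk (after the `ZERO_CALL_USED_REGS` check) has no comment saying that `RANDOM_TRUST_BOOTLOADER` and `RANDOM_TRUST_CPU` are intentionally left unchecked, so the reason is recorded only in the commit message. Since the second hunk removes both checks entirely, a report from the tool will no longer show whether bootloader- or CPU-supplied entropy is credited, and someone later syncing against the KSPP or Clip OS lists could re-add one side without noticing the conflict. I would add a comment above the line, e.g. `# RANDOM_TRUST_BOOTLOADER and RANDOM_TRUST_CPU are not checked on purpose: KSPP says 'y', Clip OS says 'is not set' when HW_RANDOM_TPM is enabled`. `add_kconfig_checks` begins and ends outside both hunks.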