Update the HW_RANDOM_TPM check

Clip OS says that RANDOM_TRUST_BOOTLOADER and RANDOM_TRUST_CPU should be disabled if HW_RANDOM_TPM is enabled. The Clip OS description: Do not credit entropy included in Linux’s entropy pool when generated by the CPU manufacturer’s HWRNG, the bootloader or the UEFI firmware. Fast and robust initialization of Linux’s CSPRNG is instead achieved thanks to the TPM’s HWRNG. At the same time KSPP recommends to enable RANDOM_TRUST_BOOTLOADER and RANDOM_TRUST_CPU anyway: Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even malicious sources should not cause problems. In this situation, I think kconfig-hardened-check should check only HW_RANDOM_TPM (there is no contradiction about it) and leave the decision about RANDOM_TRUST_BOOTLOADER and RANDOM_TRUST_CPU to the owner of the system.

Update the HW_RANDOM_TPM check
Clip OS says that RANDOM_TRUST_BOOTLOADER and RANDOM_TRUST_CPU should be disabled if HW_RANDOM_TPM is enabled. The Clip OS description: Do not credit entropy included in Linux’s entropy pool when generated by the CPU manufacturer’s HWRNG, the bootloader or the UEFI firmware. Fast and robust initialization of Linux’s CSPRNG is instead achieved thanks to the TPM’s HWRNG. At the same time KSPP recommends to enable RANDOM_TRUST_BOOTLOADER and RANDOM_TRUST_CPU anyway: Get as much entropy as possible from external sources. The Chacha mixer isn't vulnerable to injected entropy, so even malicious sources should not cause problems. In this situation, I think kconfig-hardened-check should check only HW_RANDOM_TPM (there is no contradiction about it) and leave the decision about RANDOM_TRUST_BOOTLOADER and RANDOM_TRUST_CPU to the owner of the system.
0ac5fe30 · Alexander Popov · 1d2addd4 · 0ac5fe30
Commit 0ac5fe30 authored Oct 13, 2022 by Alexander Popov
Show whitespace changes
Inline Side-by-side

Showing with 1 additions and 6 deletions

__init__.py kconfig_hardened_check/__init__.py +1 -6

No files found.
--- a/kconfig_hardened_check/__init__.py
+++ b/kconfig_hardened_check/__init__.py
@@ -423,6 +423,7 @@ def add_kconfig_checks(l, arch):
    l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_DMA_STRICT', 'y')]
    l += [KconfigCheck('self_protection', 'kspp', 'IOMMU_DEFAULT_PASSTHROUGH', 'is not set')] # true if IOMMU_DEFAULT_DMA_STRICT is set
    l += [KconfigCheck('self_protection', 'kspp', 'ZERO_CALL_USED_REGS', 'y')]
+    l += [KconfigCheck('self_protection', 'kspp', 'HW_RANDOM_TPM', 'y')]
    randstruct_is_set = OR(KconfigCheck('self_protection', 'kspp', 'RANDSTRUCT_FULL', 'y'),
                           KconfigCheck('self_protection', 'kspp', 'GCC_PLUGIN_RANDSTRUCT', 'y'))
    l += [randstruct_is_set]
@@ -487,12 +488,6 @@ def add_kconfig_checks(l, arch):
    l += [OR(KconfigCheck('self_protection', 'clipos', 'EFI_DISABLE_PCI_DMA', 'y'),
             efi_not_set)]
    l += [KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set')]
-    hw_random_tpm_is_set = KconfigCheck('self_protection', 'clipos', 'HW_RANDOM_TPM', 'y')
-    l += [hw_random_tpm_is_set]
-    l += [AND(KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_BOOTLOADER', 'is not set'),
-              hw_random_tpm_is_set)]
-    l += [AND(KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_CPU', 'is not set'),
-              hw_random_tpm_is_set)]
    l += [AND(KconfigCheck('self_protection', 'clipos', 'RANDSTRUCT_PERFORMANCE', 'is not set'),
              KconfigCheck('self_protection', 'clipos', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'),
              randstruct_is_set)]