Source: linux
Severity: normal

Working with a Debian user in Matrix channel #Debian where they report that the TPM hardware random number generator that was available in v5.10* series is missing from v6.1* series for the amd64 kernel.

After examining the Kconfig options and the Debian configs I found that commit 6e679322d7d "Re-enable IMA" possibly inadvertently disabled HW_RANDOM_TPM.

The reason being that we have:

    config HW_RANDOM_TPM
        bool "TPM HW Random Number Generator support"
        depends on TCG_TPM && HW_RANDOM && !(TCG_TPM=y && HW_RANDOM=m)

And when IMA=y that does:

    config IMA
        bool "Integrity Measurement Architecture(IMA)"
        ...
        select TCG_TPM if HAS_IOMEM

And `select` will force the target to the same value as this option. TCG_TPM is tri-state (n,y,m) but IMA is boolean (n,y) so this select forces TCG_TPM=y.

So !(TCG_TPM=y && HW_RANDOM=m) is true and therefore HW_RANDOM_TPM is not set.

    $ grep -rnE 'CONFIG_(IMA|TCG_TPM|HW_RANDOM)=' debian/config /boot/config-6.1.0-11-amd64
    debian/config/config:457:CONFIG_HW_RANDOM=m
    debian/config/config:7752:CONFIG_IMA=y
    debian/config/arm64/config:172:CONFIG_TCG_TPM=m
    debian/config/kernelarch-x86/config:332:CONFIG_TCG_TPM=m
    debian/config/config.cloud:149:CONFIG_TCG_TPM=m
    /boot/config-6.1.0-11-amd64:4324:CONFIG_HW_RANDOM=m
    /boot/config-6.1.0-11-amd64:4352:CONFIG_TCG_TPM=y
    /boot/config-6.1.0-11-amd64:9774:CONFIG_IMA=y

-- System Information:
Debian Release: 12.1
Architecture: amd64 (x86_64)
Foreign Architectures: i386
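
The interaction described in this report, modelled as an added example (not part of the original report and not the kernel's own Kconfig code): it applies the `select` from IMA and then evaluates the `depends on` line of HW_RANDOM_TPM with Kconfig's tristate rules, where `&&` is the minimum, `!` is y minus the value, and `A=B` is y only when both sides are equal. The function names are hypothetical, HAS_IOMEM is assumed to be y, and the two sample configs are constructed from the values in the grep output above.

```python
import re

N, M, Y = 0, 1, 2                      # Kconfig tristate ordering: n < m < y
_VAL = {"m": M, "y": Y}

# Constructed samples: the requested Debian values from the grep output,
# once without IMA (as before the commit) and once with IMA=y.
WITHOUT_IMA = "CONFIG_HW_RANDOM=m\nCONFIG_TCG_TPM=m\n"
WITH_IMA = "CONFIG_HW_RANDOM=m\nCONFIG_IMA=y\nCONFIG_TCG_TPM=m\n"


def parse_config(text):
    """Return {symbol: tristate} for CONFIG_X=y/m lines; absent symbols are n."""
    found = re.findall(r"^CONFIG_(\w+)=([ym])$", text, re.MULTILINE)
    return {name: _VAL[val] for name, val in found}


def eq(a, b):
    """Kconfig 'A=B' comparison: y when equal, otherwise n."""
    return Y if a == b else N


def apply_ima_select(cfg, has_iomem=True):
    """Model 'select TCG_TPM if HAS_IOMEM' under IMA: a select raises the
    target to at least the value of the selecting symbol."""
    out = dict(cfg)
    if has_iomem:
        out["TCG_TPM"] = max(out.get("TCG_TPM", N), out.get("IMA", N))
    return out


def hw_random_tpm_limit(cfg):
    """Highest value HW_RANDOM_TPM may take according to its 'depends on'."""
    tpm, rng = cfg.get("TCG_TPM", N), cfg.get("HW_RANDOM", N)
    blocked = min(eq(tpm, Y), eq(rng, M))      # TCG_TPM=y && HW_RANDOM=m
    dep = min(tpm, rng, Y - blocked)           # full dependency expression
    return Y if dep == M else dep              # bool symbol: m is promoted to y


if __name__ == "__main__":
    names = {N: "n", M: "m", Y: "y"}
    for label, text in (("without IMA", WITHOUT_IMA), ("with IMA=y", WITH_IMA)):
        cfg = apply_ima_select(parse_config(text))
        print(label, "TCG_TPM=" + names[cfg["TCG_TPM"]],
              "HW_RANDOM_TPM limit=" + names[hw_random_tpm_limit(cfg)])
```

With TCG_TPM raised to y while HW_RANDOM stays m, the parenthesised condition holds, its negation evaluates to n, and the dependency caps HW_RANDOM_TPM at n.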