To generate the boot_aggregate log in the IMA subsystem using TPM PCR values,
the TPM driver must be built as built-in and must be probed before
the IMA subsystem is initialized.
However, when the TPM device operates over the FF-A protocol using the CRB interface,
probing fails and returns -EPROBE_DEFER
if the tpm_crb_ffa device — an FF-A device that provides
the communication interface to the tpm_crb driver — has not yet been probed.
This issue occurs because both crb_acpi_driver_init() and
tpm_crb_ffa_driver_init() are registered with device_initcall.
As a result, crb_acpi_driver_init() may be invoked before
tpm_crb_ffa_driver_init(), which is responsible for probing the tpm_crb_ffa device.
When this happens, IMA fails to detect the TPM device and
logs the following message:
| ima: No TPM chip found, activating TPM-bypass!
Consequently, it cannot generate the boot_aggregate log with
the PCR values provided by the TPM.
To resolve this issue, tpm_crb_ffa_init() now explicitly registers the
tpm_crb_ffa driver, so that if the tpm_crb_ffa device was created before
tpm_crb_ffa_init() is called, the device is probed from within
tpm_crb_ffa_init() and probing of the TPM device can complete.
This ensures that the TPM device using CRB over FF-A
can be successfully probed, even if crb_acpi_driver_init() is called first.
Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
---
drivers/char/tpm/tpm_crb_ffa.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/drivers/char/tpm/tpm_crb_ffa.c b/drivers/char/tpm/tpm_crb_ffa.c
index 4ead61f01299..462fcf610020 100644
--- a/drivers/char/tpm/tpm_crb_ffa.c
+++ b/drivers/char/tpm/tpm_crb_ffa.c
@@ -115,6 +115,7 @@ struct tpm_crb_ffa {
};
static struct tpm_crb_ffa *tpm_crb_ffa;
+static struct ffa_driver tpm_crb_ffa_driver;
static int tpm_crb_ffa_to_linux_errno(int errno)
{
@@ -168,13 +169,23 @@ static int tpm_crb_ffa_to_linux_errno(int errno)
*/
int tpm_crb_ffa_init(void)
{
+ int ret = 0;
+
+ if (!IS_MODULE(CONFIG_TCG_ARM_CRB_FFA)) {
+ ret = ffa_register(&tpm_crb_ffa_driver);
+ if (ret) {
+ tpm_crb_ffa = ERR_PTR(-ENODEV);
+ return ret;
+ }
+ }
+
if (!tpm_crb_ffa)
- return -ENOENT;
+ ret = -ENOENT;
if (IS_ERR_VALUE(tpm_crb_ffa))
- return -ENODEV;
+ ret = -ENODEV;
- return 0;
+ return ret;
}
EXPORT_SYMBOL_GPL(tpm_crb_ffa_init);
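Review bot: The built-in branch of tpm_crb_ffa_init() calls `ffa_register(&tpm_crb_ffa_driver)` on every invocation and, when that fails, overwrites `tpm_crb_ffa` with `ERR_PTR(-ENODEV)`, so a repeated call can discard a pointer set by an earlier successful probe. The callers are outside this hunk, but if the function can run more than once (a second CRB device, or a retried probe after `-ENOENT`) and the driver core rejects the duplicate registration, the TPM would be reported as absent, which is the IMA TPM-bypass outcome the patch sets out to avoid. Registering only once would close that, for example a `static bool registered;` tested as `if (!IS_MODULE(CONFIG_TCG_ARM_CRB_FFA) && !registered)` and set after `ffa_register()` succeeds. A comment above the branch should also say that registration happens here, rather than at initcall time, so that probing no longer depends on initcall ordering.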
@@ -369,7 +380,9 @@ static struct ffa_driver tpm_crb_ffa_driver = {
.id_table = tpm_crb_ffa_device_id,
};
+#ifdef MODULE
module_ffa_driver(tpm_crb_ffa_driver);
+#endif
MODULE_AUTHOR("Arm");
MODULE_DESCRIPTION("TPM CRB FFA driver");
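Review bot: The guard here is `#ifdef MODULE` while tpm_crb_ffa_init() tests `IS_MODULE(CONFIG_TCG_ARM_CRB_FFA)`; both appear to describe the same build condition for this file, but spelling it two ways makes it easy for one side to drift and leave the driver registered twice or not at all. Using one form in both places, or a comment such as `/* built-in: registered from tpm_crb_ffa_init() */` above the `#ifdef`, would make the pairing explicit. With the driver built in, nothing in this hunk registers it unless tpm_crb_ffa_init() is called, so the comment should state that dependency.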
--
LEVI:{C3F47F37-75D8-414A-A8BA-3980EC8A46D7}
On Wed, Jun 18, 2025 at 11:23:02AM +0100, Yeoreum Yun wrote:
> To generate the boot_aggregate log in the IMA subsystem using TPM PCR values,
> the TPM driver must be built as built-in and must be probed before
> the IMA subsystem is initialized.
>
> However, when the TPM device operates over the FF-A protocol using the CRB interface,
> probing fails and returns -EPROBE_DEFER
> if the tpm_crb_ffa device — an FF-A device that provides
> the communication interface to the tpm_crb driver — has not yet been probed.
>
> This issue occurs because both crb_acpi_driver_init() and
> tpm_crb_ffa_driver_init() are registered with device_initcall.
> As a result, crb_acpi_driver_init() may be invoked before
> tpm_crb_ffa_driver_init(), which is responsible for probing the tpm_crb_ffa device.
>
> When this happens, IMA fails to detect the TPM device and
> logs the following message:
>
> | ima: No TPM chip found, activating TPM-bypass!
>
> Consequently, it cannot generate the boot_aggregate log with
> the PCR values provided by the TPM.
>
> To resolve this issue, the tpm_crb_ffa_init() function explicitly attempts to
> probe the tpm_crb_ffa by register tpm_crb_ffa driver so that
> when tpm_crb_ffa device is created before tpm_crb_ffa_init(),
> probe the tpm_crb_ffa device in tpm_crb_ffa_init() to finish probe the
> TPM device completely.
>
> This ensures that the TPM device using CRB over FF-A
> can be successfully probed, even if crb_acpi_driver_init() is called first.
>
> Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
> ---
> drivers/char/tpm/tpm_crb_ffa.c | 19 ++++++++++++++++---
> 1 file changed, 16 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/char/tpm/tpm_crb_ffa.c b/drivers/char/tpm/tpm_crb_ffa.c
> index 4ead61f01299..462fcf610020 100644
> --- a/drivers/char/tpm/tpm_crb_ffa.c
> +++ b/drivers/char/tpm/tpm_crb_ffa.c
> @@ -115,6 +115,7 @@ struct tpm_crb_ffa {
> };
>
> static struct tpm_crb_ffa *tpm_crb_ffa;
> +static struct ffa_driver tpm_crb_ffa_driver;
>
> static int tpm_crb_ffa_to_linux_errno(int errno)
> {
> @@ -168,13 +169,23 @@ static int tpm_crb_ffa_to_linux_errno(int errno)
> */
> int tpm_crb_ffa_init(void)
> {
> + int ret = 0;
> +
> + if (!IS_MODULE(CONFIG_TCG_ARM_CRB_FFA)) {
> + ret = ffa_register(&tpm_crb_ffa_driver);
> + if (ret) {
> + tpm_crb_ffa = ERR_PTR(-ENODEV);
> + return ret;
> + }
> + }
> +
> if (!tpm_crb_ffa)
> - return -ENOENT;
> + ret = -ENOENT;
>
> if (IS_ERR_VALUE(tpm_crb_ffa))
> - return -ENODEV;
> + ret = -ENODEV;
>
> - return 0;
> + return ret;
> }
> EXPORT_SYMBOL_GPL(tpm_crb_ffa_init);
>
> @@ -369,7 +380,9 @@ static struct ffa_driver tpm_crb_ffa_driver = {
> .id_table = tpm_crb_ffa_device_id,
> };
>
> +#ifdef MODULE
> module_ffa_driver(tpm_crb_ffa_driver);
> +#endif
>
> MODULE_AUTHOR("Arm");
> MODULE_DESCRIPTION("TPM CRB FFA driver");
> --
> LEVI:{C3F47F37-75D8-414A-A8BA-3980EC8A46D7}
>
NAK
BR, Jarkko
Hi Jarkkok,
> > --- a/drivers/char/tpm/tpm_crb_ffa.c
> > +++ b/drivers/char/tpm/tpm_crb_ffa.c
> > @@ -115,6 +115,7 @@ struct tpm_crb_ffa {
> > };
> >
> > static struct tpm_crb_ffa *tpm_crb_ffa;
> > +static struct ffa_driver tpm_crb_ffa_driver;
> >
> > static int tpm_crb_ffa_to_linux_errno(int errno)
> > {
> > @@ -168,13 +169,23 @@ static int tpm_crb_ffa_to_linux_errno(int errno)
> > */
> > int tpm_crb_ffa_init(void)
> > {
> > + int ret = 0;
> > +
> > + if (!IS_MODULE(CONFIG_TCG_ARM_CRB_FFA)) {
> > + ret = ffa_register(&tpm_crb_ffa_driver);
> > + if (ret) {
> > + tpm_crb_ffa = ERR_PTR(-ENODEV);
> > + return ret;
> > + }
> > + }
> > +
> > if (!tpm_crb_ffa)
> > - return -ENOENT;
> > + ret = -ENOENT;
> >
> > if (IS_ERR_VALUE(tpm_crb_ffa))
> > - return -ENODEV;
> > + ret = -ENODEV;
> >
> > - return 0;
> > + return ret;
> > }
> > EXPORT_SYMBOL_GPL(tpm_crb_ffa_init);
> >
> > @@ -369,7 +380,9 @@ static struct ffa_driver tpm_crb_ffa_driver = {
> > .id_table = tpm_crb_ffa_device_id,
> > };
> >
> > +#ifdef MODULE
> > module_ffa_driver(tpm_crb_ffa_driver);
> > +#endif
> >
> > MODULE_AUTHOR("Arm");
> > MODULE_DESCRIPTION("TPM CRB FFA driver");
> > --
> > LEVI:{C3F47F37-75D8-414A-A8BA-3980EC8A46D7}
> >
>
> NAK
If your NACK is based on your comment on the cover letter,
would you please check my comments there?
Actually, this wouldn't be fixed with the Kconfig.
Thanks
--
Sincerely,
Yeoreum Yun
On Wed, Jun 25, 2025 at 11:37:44AM +0100, Yeoreum Yun wrote:
> Hi Jarkkok,
>
> > > --- a/drivers/char/tpm/tpm_crb_ffa.c
> > > +++ b/drivers/char/tpm/tpm_crb_ffa.c
> > > @@ -115,6 +115,7 @@ struct tpm_crb_ffa {
> > > };
> > >
> > > static struct tpm_crb_ffa *tpm_crb_ffa;
> > > +static struct ffa_driver tpm_crb_ffa_driver;
> > >
> > > static int tpm_crb_ffa_to_linux_errno(int errno)
> > > {
> > > @@ -168,13 +169,23 @@ static int tpm_crb_ffa_to_linux_errno(int errno)
> > > */
> > > int tpm_crb_ffa_init(void)
> > > {
> > > + int ret = 0;
> > > +
> > > + if (!IS_MODULE(CONFIG_TCG_ARM_CRB_FFA)) {
> > > + ret = ffa_register(&tpm_crb_ffa_driver);
> > > + if (ret) {
> > > + tpm_crb_ffa = ERR_PTR(-ENODEV);
> > > + return ret;
> > > + }
> > > + }
> > > +
> > > if (!tpm_crb_ffa)
> > > - return -ENOENT;
> > > + ret = -ENOENT;
> > >
> > > if (IS_ERR_VALUE(tpm_crb_ffa))
> > > - return -ENODEV;
> > > + ret = -ENODEV;
> > >
> > > - return 0;
> > > + return ret;
> > > }
> > > EXPORT_SYMBOL_GPL(tpm_crb_ffa_init);
> > >
> > > @@ -369,7 +380,9 @@ static struct ffa_driver tpm_crb_ffa_driver = {
> > > .id_table = tpm_crb_ffa_device_id,
> > > };
> > >
> > > +#ifdef MODULE
> > > module_ffa_driver(tpm_crb_ffa_driver);
> > > +#endif
> > >
> > > MODULE_AUTHOR("Arm");
> > > MODULE_DESCRIPTION("TPM CRB FFA driver");
> > > --
> > > LEVI:{C3F47F37-75D8-414A-A8BA-3980EC8A46D7}
> > >
> >
> > NAK
>
> If you NACK with your comment on the cover letter,
> Would you check the my comments please?
>
> Actually, this wouldn't be fixed with the Kconfig.
I'm on the same page now (see my response to your response at 0/2) :-)
Thanks for the patience.
>
> Thanks
>
> --
> Sincerely,
> Yeoreum Yun
BR, Jarkko
On Wed, 2025-06-18 at 11:23 +0100, Yeoreum Yun wrote:
> To generate the boot_aggregate log in the IMA subsystem using TPM PCR values,
> the TPM driver must be built as built-in and must be probed before
> the IMA subsystem is initialized.
>
> However, when the TPM device operates over the FF-A protocol using the CRB interface,
> probing fails and returns -EPROBE_DEFER
> if the tpm_crb_ffa device — an FF-A device that provides
> the communication interface to the tpm_crb driver — has not yet been probed.
>
> This issue occurs because both crb_acpi_driver_init() and
> tpm_crb_ffa_driver_init() are registered with device_initcall.
> As a result, crb_acpi_driver_init() may be invoked before
> tpm_crb_ffa_driver_init(), which is responsible for probing the tpm_crb_ffa device.
>
> When this happens, IMA fails to detect the TPM device and
> logs the following message:
>
> | ima: No TPM chip found, activating TPM-bypass!
>
> Consequently, it cannot generate the boot_aggregate log with
> the PCR values provided by the TPM.
>
> To resolve this issue, the tpm_crb_ffa_init() function explicitly attempts to
> probe the tpm_crb_ffa by register tpm_crb_ffa driver so that
> when tpm_crb_ffa device is created before tpm_crb_ffa_init(),
> probe the tpm_crb_ffa device in tpm_crb_ffa_init() to finish probe the
> TPM device completely.
>
> This ensures that the TPM device using CRB over FF-A
> can be successfully probed, even if crb_acpi_driver_init() is called first.
>
> Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
> ---
> drivers/char/tpm/tpm_crb_ffa.c | 19 ++++++++++++++++---
> 1 file changed, 16 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/char/tpm/tpm_crb_ffa.c b/drivers/char/tpm/tpm_crb_ffa.c
> index 4ead61f01299..462fcf610020 100644
> --- a/drivers/char/tpm/tpm_crb_ffa.c
> +++ b/drivers/char/tpm/tpm_crb_ffa.c
> @@ -115,6 +115,7 @@ struct tpm_crb_ffa {
> };
>
> static struct tpm_crb_ffa *tpm_crb_ffa;
> +static struct ffa_driver tpm_crb_ffa_driver;
>
> static int tpm_crb_ffa_to_linux_errno(int errno)
> {
> @@ -168,13 +169,23 @@ static int tpm_crb_ffa_to_linux_errno(int errno)
> */
> int tpm_crb_ffa_init(void)
> {
> + int ret = 0;
> +
> + if (!IS_MODULE(CONFIG_TCG_ARM_CRB_FFA)) {
> + ret = ffa_register(&tpm_crb_ffa_driver);
> + if (ret) {
> + tpm_crb_ffa = ERR_PTR(-ENODEV);
> + return ret;
> + }
> + }
> +
> if (!tpm_crb_ffa)
> - return -ENOENT;
> + ret = -ENOENT;
>
> if (IS_ERR_VALUE(tpm_crb_ffa))
> - return -ENODEV;
> + ret = -ENODEV;
>
> - return 0;
> + return ret;
> }
> EXPORT_SYMBOL_GPL(tpm_crb_ffa_init);
>
> @@ -369,7 +380,9 @@ static struct ffa_driver tpm_crb_ffa_driver = {
> .id_table = tpm_crb_ffa_device_id,
> };
>
> +#ifdef MODULE
> module_ffa_driver(tpm_crb_ffa_driver);
> +#endif
>
> MODULE_AUTHOR("Arm");
> MODULE_DESCRIPTION("TPM CRB FFA driver");
LGTM. Using ifndef/ifdef MODULE is similar to how module_init() works for both
builtin and loadable kernel modules. Except module_init() is on the
device_initcall().
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>