public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 11/13] kernel: Enable support for TPM hardware
Date: Fri, 01 Oct 2021 18:25:59 +0100
Message-ID: <29283700-A17F-496E-88FA-33EE373B3D77@ipfire.org>
In-Reply-To: <e5be6ce6-7462-2abf-5b91-6f4d0f1166b8@ipfire.org>


Hello,

I gave this a go on an IPFire Business Appliance:

[root(a)fw01 ~]# rngd -x 2 -x 0 -n 1 --test
Note, reference of entropy sources by index is deprecated, use entropy source short name instead
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Note, reference of entropy sources by index is deprecated, use entropy source short name instead
Disabling 0: Hardware RNG Device (hwrng)
Note, reference of entropy sources by index is deprecated, use entropy source short name instead
Enabling 1: TPM RNG Device (tpm)
Initializing available sources
[tpm   ]: The TPM entropy source only supports TPM1.2 hardware and is deprecated.  TPM2.0 and later hardware exports entropy via /dev/hwrng, which can be collected via the hwrng entropy source in rngd
[tpm   ]: Initialization Failed
can't open any entropy sourceMaybe RNG device modules are not loaded

So if the kernel is exporting this correctly, the default configuration of rngd will use the TPM:

[root(a)fw01 ~]# rngd --list
Entropy sources that are available but disabled
1: TPM RNG Device (tpm)
4: NIST Network Entropy Beacon (nist)
Available and enabled entropy sources:
2: Intel RDRAND Instruction RNG (rdrand)
Available entropy sources that failed initalization:
0: Hardware RNG Device (hwrng)

This one is running the production kernel, but as soon as the kernel makes /dev/hwrng available, we should be fine.

Best,
-Michael

> On 21 Sep 2021, at 13:31, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
> 
> Hi Michael,
> 
> After a bit more searching around I don't think I have TPM capability on my systems.
> 
> Regards,
> 
> Adolf.
> 
> On 21/09/2021 13:40, Adolf Belka wrote:
>> Hi Michael,
>> 
>> On 21/09/2021 11:50, Michael Tremer wrote:
>>> Hello,
>>> 
>>>> On 18 Sep 2021, at 17:15, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>> 
>>>> Hello Michael,
>>>> hello *,
>>>> 
>>>> just a small comment for the records: As discussed in the last monthly telephone
>>>> conference (https://wiki.ipfire.org/devel/telco/2021-09-06), we will use a TPM only
>>>> for HWRNG purposes. Nothing else will depend on it, as there is nothing relevant
>>>> left to be locked down in IPFire thanks to enforced kernel module signing.
>>> Does anyone have any hardware at grabs to verify that this works?
>>> 
>>> rngd --list should list the TPM device as a potential source.
>> 
>> On my running system I got the following response to the command:-
>> 
>> Entropy sources that are available but disabled
>> 1: TPM RNG Device (tpm)
>> 4: NIST Network Entropy Beacon (nist)
>> Available and enabled entropy sources:
>> 2: Intel RDRAND Instruction RNG (rdrand)
>> Available entropy sources that failed initalization:
>> 0: Hardware RNG Device (hwrng)
>> 
>> 
>> and on my VM testbed system I got the same message:-
>> 
>> Entropy sources that are available but disabled
>> 1: TPM RNG Device (tpm)
>> 4: NIST Network Entropy Beacon (nist)
>> Available and enabled entropy sources:
>> 2: Intel RDRAND Instruction RNG (rdrand)
>> Available entropy sources that failed initalization:
>> 0: Hardware RNG Device (hwrng)
>> 
>> I suspect that available but disabled means that I would need to turn it on in the bios. Is that a correct assumption?
>> 
>> To test it I presume that I need to copy the changes into the kernel config for the architecture I am using and also need to reboot.
>> 
>> Once I have the changes in place how do I tell if it is working?
>> 
>> Regards,
>> 
>> Adolf.
>> 
>>>> So no user needs to worry about introducing TPM support coming with a lack of
>>>> digital sovereignty - that is, if something like this even exists on today's hardware. :-)
>>>> 
>>>> Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
>>>> 
>>>> Thanks, and best regards,
>>>> Peter Müller
>>>> 
>>>> 
>>>>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
>>>>> ---
>>>>>   config/kernel/kernel.config.aarch64-ipfire | 15 ++++++++++++++-
>>>>>   config/kernel/kernel.config.armv6l-ipfire  | 12 +++++++++++-
>>>>>   config/kernel/kernel.config.i586-ipfire    | 16 +++++++++++++++-
>>>>>   config/kernel/kernel.config.x86_64-ipfire  | 17 ++++++++++++++++-
>>>>>   4 files changed, 56 insertions(+), 4 deletions(-)
>>>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
>>>>> index aa34b64db..49ee85970 100644
>>>>> --- a/config/kernel/kernel.config.aarch64-ipfire
>>>>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>>>>> @@ -3422,7 +3422,19 @@ CONFIG_DEVMEM=y
>>>>>   CONFIG_RAW_DRIVER=y
>>>>>   CONFIG_MAX_RAW_DEVS=8192
>>>>>   CONFIG_DEVPORT=y
>>>>> -# CONFIG_TCG_TPM is not set
>>>>> +CONFIG_TCG_TPM=m
>>>>> +CONFIG_HW_RANDOM_TPM=y
>>>>> +CONFIG_TCG_TIS_CORE=m
>>>>> +CONFIG_TCG_TIS=m
>>>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>>>> +CONFIG_TCG_ATMEL=m
>>>>> +CONFIG_TCG_INFINEON=m
>>>>> +CONFIG_TCG_CRB=m
>>>>> +CONFIG_TCG_VTPM_PROXY=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>>>   # CONFIG_XILLYBUS is not set
>>>>>   # end of Character devices
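Review bot: with CONFIG_TCG_TPM=m and the transport drivers (CONFIG_TCG_TIS=m, CONFIG_TCG_CRB=m, the I2C variants) all modular, CONFIG_HW_RANDOM_TPM=y only registers a hwrng source once one of those modules has bound to a device, so rngd started before the module is loaded will still report "0: Hardware RNG Device (hwrng)" under "failed initalization", exactly as in the --list output above. Suggest documenting which module is expected to autoload (tpm_tis or tpm_crb on most boards) or making sure the initscript ordering loads it before rngd, and adding that to the commit message, which currently carries only the Signed-off-by.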
>>>>>   @@ -7271,6 +7283,7 @@ CONFIG_IO_WQ=y
>>>>>   CONFIG_KEYS=y
>>>>>   # CONFIG_KEYS_REQUEST_CACHE is not set
>>>>>   # CONFIG_PERSISTENT_KEYRINGS is not set
>>>>> +# CONFIG_TRUSTED_KEYS is not set
>>>>>   # CONFIG_ENCRYPTED_KEYS is not set
>>>>>   # CONFIG_KEY_DH_OPERATIONS is not set
>>>>>   CONFIG_SECURITY_DMESG_RESTRICT=y
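Review bot: "# CONFIG_TRUSTED_KEYS is not set" appears here only because the symbol becomes visible once CONFIG_TCG_TPM is enabled; leaving it off matches the HWRNG-only scope Peter describes. A sentence in the commit message saying so would keep a later reader from mistaking this for a feature being switched off.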
>>>>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
>>>>> index 7b82e87df..b11a179e3 100644
>>>>> --- a/config/kernel/kernel.config.armv6l-ipfire
>>>>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>>>>> @@ -3463,7 +3463,16 @@ CONFIG_DEVMEM=y
>>>>>   CONFIG_RAW_DRIVER=y
>>>>>   CONFIG_MAX_RAW_DEVS=8192
>>>>>   CONFIG_DEVPORT=y
>>>>> -# CONFIG_TCG_TPM is not set
>>>>> +CONFIG_TCG_TPM=m
>>>>> +CONFIG_HW_RANDOM_TPM=y
>>>>> +CONFIG_TCG_TIS_CORE=m
>>>>> +CONFIG_TCG_TIS=m
>>>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>>>> +CONFIG_TCG_VTPM_PROXY=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>>>   # CONFIG_XILLYBUS is not set
>>>>>   # end of Character devices
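Review bot: compared with the aarch64 hunk, this one drops CONFIG_TCG_ATMEL, CONFIG_TCG_INFINEON and CONFIG_TCG_CRB. CONFIG_TCG_CRB depends on ACPI, which armv6l does not have, so that omission is expected; if the other two disappeared for Kconfig dependency reasons as well rather than by hand, one line in the commit message would spare the next reviewer the cross-architecture diff.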
>>>>>   @@ -7366,6 +7375,7 @@ CONFIG_IO_WQ=y
>>>>>   CONFIG_KEYS=y
>>>>>   # CONFIG_KEYS_REQUEST_CACHE is not set
>>>>>   # CONFIG_PERSISTENT_KEYRINGS is not set
>>>>> +# CONFIG_TRUSTED_KEYS is not set
>>>>>   # CONFIG_ENCRYPTED_KEYS is not set
>>>>>   # CONFIG_KEY_DH_OPERATIONS is not set
>>>>>   CONFIG_SECURITY_DMESG_RESTRICT=y
>>>>> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
>>>>> index 90d4ac856..2d7158c96 100644
>>>>> --- a/config/kernel/kernel.config.i586-ipfire
>>>>> +++ b/config/kernel/kernel.config.i586-ipfire
>>>>> @@ -3449,7 +3449,21 @@ CONFIG_DEVPORT=y
>>>>>   CONFIG_HPET=y
>>>>>   # CONFIG_HPET_MMAP is not set
>>>>>   CONFIG_HANGCHECK_TIMER=m
>>>>> -# CONFIG_TCG_TPM is not set
>>>>> +CONFIG_TCG_TPM=m
>>>>> +CONFIG_HW_RANDOM_TPM=y
>>>>> +CONFIG_TCG_TIS_CORE=m
>>>>> +CONFIG_TCG_TIS=m
>>>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>>>> +CONFIG_TCG_NSC=m
>>>>> +CONFIG_TCG_ATMEL=m
>>>>> +CONFIG_TCG_INFINEON=m
>>>>> +CONFIG_TCG_XEN=m
>>>>> +CONFIG_TCG_CRB=m
>>>>> +CONFIG_TCG_VTPM_PROXY=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>>>   # CONFIG_TELCLOCK is not set
>>>>>   # CONFIG_XILLYBUS is not set
>>>>>   # end of Character devices
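Review bot: this is the only one of the four configs without a second hunk adding "# CONFIG_TRUSTED_KEYS is not set" (the diffstat's 16 changes for i586 are all in this hunk). Since that symbol becomes visible as soon as CONFIG_TCG_TPM is enabled, please check that kernel.config.i586-ipfire was regenerated with the same olddefconfig pass as the others so the build does not prompt or silently pick a default.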
>>>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>>>>> index fe93d731c..65014f41a 100644
>>>>> --- a/config/kernel/kernel.config.x86_64-ipfire
>>>>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>>>>> @@ -3413,7 +3413,21 @@ CONFIG_DEVPORT=y
>>>>>   CONFIG_HPET=y
>>>>>   # CONFIG_HPET_MMAP is not set
>>>>>   CONFIG_HANGCHECK_TIMER=m
>>>>> -# CONFIG_TCG_TPM is not set
>>>>> +CONFIG_TCG_TPM=m
>>>>> +CONFIG_HW_RANDOM_TPM=y
>>>>> +CONFIG_TCG_TIS_CORE=m
>>>>> +CONFIG_TCG_TIS=m
>>>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>>>> +CONFIG_TCG_NSC=m
>>>>> +CONFIG_TCG_ATMEL=m
>>>>> +CONFIG_TCG_INFINEON=m
>>>>> +CONFIG_TCG_XEN=m
>>>>> +CONFIG_TCG_CRB=m
>>>>> +CONFIG_TCG_VTPM_PROXY=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>>>   # CONFIG_TELCLOCK is not set
>>>>>   # CONFIG_XILLYBUS is not set
>>>>>   # end of Character devices
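Review bot: CONFIG_TCG_VTPM_PROXY=m provides /dev/vtpmx, the interface for a userspace TPM emulator to back virtual TPMs, which the HWRNG-only use case has no need for; unless something on the firewall will run such an emulator, suggest leaving it unset rather than exposing an additional character device. CONFIG_TCG_XEN=m, by contrast, is the frontend a Xen guest needs to see its TPM and is worth keeping on the x86 configs.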
>>>>> @@ -6746,6 +6760,7 @@ CONFIG_IO_WQ=y
>>>>>   CONFIG_KEYS=y
>>>>>   # CONFIG_KEYS_REQUEST_CACHE is not set
>>>>>   # CONFIG_PERSISTENT_KEYRINGS is not set
>>>>> +# CONFIG_TRUSTED_KEYS is not set
>>>>>   # CONFIG_ENCRYPTED_KEYS is not set
>>>>>   # CONFIG_KEY_DH_OPERATIONS is not set
>>>>>   CONFIG_SECURITY_DMESG_RESTRICT=y
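A check for what Adolf asks above ("how do I tell if it is working"), written here as an added example and not taken from the thread: it reads the hw_random and tpm sysfs entries that rngd's default hwrng source depends on. The sysfs paths and the tpm-rng-N naming are the standard Linux ones; the function name and its optional ROOT argument (so the check can also be run against a constructed directory tree) are assumptions.

```shell
#!/bin/sh
# Check whether the kernel exposes a TPM through /dev/hwrng, which is what
# rngd's "hwrng" entropy source (and therefore its default configuration) uses.
# Added example, not from the thread. Standard Linux sysfs paths; the ROOT
# argument is an assumption that lets the same check run against a
# constructed directory tree.

# Usage: tpm_hwrng_status [ROOT]
# Returns 0 when a TPM-backed hwrng is registered and /dev/hwrng exists.
tpm_hwrng_status() {
    root="${1:-}"
    tpm_dir="$root/sys/class/tpm/tpm0"
    hwrng_dir="$root/sys/class/misc/hw_random"

    if [ ! -d "$tpm_dir" ]; then
        echo "no tpm0: TPM driver (tpm_tis/tpm_crb) not loaded or no TPM present"
        return 1
    fi
    # Kernels that provide it report 1 (TPM 1.2) or 2 (TPM 2.0). rngd's own
    # "tpm" source only serves 1.2 devices; 2.0 devices must come via hwrng.
    if [ -r "$tpm_dir/tpm_version_major" ]; then
        echo "TPM version major: $(cat "$tpm_dir/tpm_version_major")"
    fi
    if [ ! -r "$hwrng_dir/rng_available" ]; then
        echo "no hw_random class: CONFIG_HW_RANDOM is not built or not loaded"
        return 1
    fi
    # rng_available is a space-separated list; the TPM registers as tpm-rng-N.
    available=$(cat "$hwrng_dir/rng_available")
    current=$(cat "$hwrng_dir/rng_current" 2>/dev/null || true)
    echo "hwrng available: $available"
    echo "hwrng current:   ${current:-none}"
    case " $available " in
        *" tpm-rng-"*) ;;
        *) echo "TPM not registered as hwrng: CONFIG_HW_RANDOM_TPM missing?"
           return 1 ;;
    esac
    if [ ! -e "$root/dev/hwrng" ]; then
        echo "/dev/hwrng does not exist"
        return 1
    fi
    echo "OK: rngd's hwrng source can read TPM entropy from /dev/hwrng"
    return 0
}
```

Run it without an argument on the box after rebooting into the new kernel; a non-zero exit explains which of the three pieces (TPM driver, hw_random registration, /dev/hwrng) is missing.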


