From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 11/13] kernel: Enable support for TPM hardware
Date: Fri, 01 Oct 2021 18:25:59 +0100
Message-ID: <29283700-A17F-496E-88FA-33EE373B3D77@ipfire.org>
In-Reply-To: <e5be6ce6-7462-2abf-5b91-6f4d0f1166b8@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3147253766976813636=="
List-Id: <development.lists.ipfire.org>

--===============3147253766976813636==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello,

I gave this a go on an IPFire Business Appliance:

[root(a)fw01 ~]# rngd -x 2 -x 0 -n 1 --test
Note, reference of entropy sources by index is deprecated, use entropy source=
 short name instead
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Note, reference of entropy sources by index is deprecated, use entropy source=
 short name instead
Disabling 0: Hardware RNG Device (hwrng)
Note, reference of entropy sources by index is deprecated, use entropy source=
 short name instead
Enabling 1: TPM RNG Device (tpm)
Initializing available sources
[tpm   ]: The TPM entropy source only supports TPM1.2 hardware and is depreca=
ted.  TPM2.0 and later hardware exports entropy via /dev/hwrng, which can be =
collected via the hwrng entropy source in rngd
[tpm   ]: Initialization Failed
can't open any entropy sourceMaybe RNG device modules are not loaded

So if the kernel is exporting this correctly, the default configuration of rn=
gd will use the TPM:

[root(a)fw01 ~]# rngd --list
Entropy sources that are available but disabled
1: TPM RNG Device (tpm)
4: NIST Network Entropy Beacon (nist)
Available and enabled entropy sources:
2: Intel RDRAND Instruction RNG (rdrand)
Available entropy sources that failed initalization:
0: Hardware RNG Device (hwrng)

This one is running the production kernel, but as soon as the kernel makes /d=
ev/hwrng available, we should be fine.

Best,
-Michael

> On 21 Sep 2021, at 13:31, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>=20
> Hi Michael,
>=20
> After a bit more searching around I don't think I have TPM capability on my=
 systems.
>=20
> Regards,
>=20
> Adolf.
>=20
> On 21/09/2021 13:40, Adolf Belka wrote:
>> Hi Michael,
>>=20
>> On 21/09/2021 11:50, Michael Tremer wrote:
>>> Hello,
>>>=20
>>>> On 18 Sep 2021, at 17:15, Peter M=C3=BCller <peter.mueller(a)ipfire.org>=
 wrote:
>>>>=20
>>>> Hello Michael,
>>>> hello *,
>>>>=20
>>>> just a small comment for the records: As discussed in the last monthly t=
elephone
>>>> conference (https://wiki.ipfire.org/devel/telco/2021-09-06), we will use=
 a TPM only
>>>> for HWRNG purposes. Nothing else will depend on it, as there is nothing =
relevant
>>>> left to be locked down in IPFire thanks to enforced kernel module signin=
g.
>>> Does anyone have any hardware at grabs to verify that this works?
>>>=20
>>> rngd =E2=80=94-list should list the TPM device as a potential source.
>>=20
>> On my running system I got the following response to the command:-
>>=20
>> Entropy sources that are available but disabled
>> 1: TPM RNG Device (tpm)
>> 4: NIST Network Entropy Beacon (nist)
>> Available and enabled entropy sources:
>> 2: Intel RDRAND Instruction RNG (rdrand)
>> Available entropy sources that failed initalization:
>> 0: Hardware RNG Device (hwrng)
>>=20
>>=20
>> and on my VM testbed system I got the same message:-
>>=20
>> Entropy sources that are available but disabled
>> 1: TPM RNG Device (tpm)
>> 4: NIST Network Entropy Beacon (nist)
>> Available and enabled entropy sources:
>> 2: Intel RDRAND Instruction RNG (rdrand)
>> Available entropy sources that failed initalization:
>> 0: Hardware RNG Device (hwrng)
>>=20
>> I suspect that available but disabled means that I would need to turn it o=
n in the bios. Is that a correct assumption?
>>=20
>> To test it I presume that I need to copy the changes into the kernel confi=
g for the architecture I am using and also need to reboot.
>>=20
>> Once I have the changers in place how do I tell if it is working?
>>=20
>> Regards,
>>=20
>> Adolf.
>>=20
>>>> So no user needs to worry about introducing TPM support coming with a la=
ck of
>>>> digital sovereignty - that is, if something like this even exits on toda=
y's hardware. :-)
>>>>=20
>>>> Acked-by: Peter M=C3=BCller <peter.mueller(a)ipfire.org>
>>>>=20
>>>> Thanks, and best regards,
>>>> Peter M=C3=BCller
>>>>=20
>>>>=20
>>>>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
>>>>> ---
>>>>>   config/kernel/kernel.config.aarch64-ipfire | 15 ++++++++++++++-
>>>>>   config/kernel/kernel.config.armv6l-ipfire  | 12 +++++++++++-
>>>>>   config/kernel/kernel.config.i586-ipfire    | 16 +++++++++++++++-
>>>>>   config/kernel/kernel.config.x86_64-ipfire  | 17 ++++++++++++++++-
>>>>>   4 files changed, 56 insertions(+), 4 deletions(-)
>>>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel=
/kernel.config.aarch64-ipfire
>>>>> index aa34b64db..49ee85970 100644
>>>>> --- a/config/kernel/kernel.config.aarch64-ipfire
>>>>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>>>>> @@ -3422,7 +3422,19 @@ CONFIG_DEVMEM=3Dy
>>>>>   CONFIG_RAW_DRIVER=3Dy
>>>>>   CONFIG_MAX_RAW_DEVS=3D8192
>>>>>   CONFIG_DEVPORT=3Dy
>>>>> -# CONFIG_TCG_TPM is not set
>>>>> +CONFIG_TCG_TPM=3Dm
>>>>> +CONFIG_HW_RANDOM_TPM=3Dy
>>>>> +CONFIG_TCG_TIS_CORE=3Dm
>>>>> +CONFIG_TCG_TIS=3Dm
>>>>> +CONFIG_TCG_TIS_I2C_ATMEL=3Dm
>>>>> +CONFIG_TCG_TIS_I2C_INFINEON=3Dm
>>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=3Dm
>>>>> +CONFIG_TCG_ATMEL=3Dm
>>>>> +CONFIG_TCG_INFINEON=3Dm
>>>>> +CONFIG_TCG_CRB=3Dm
>>>>> +CONFIG_TCG_VTPM_PROXY=3Dm
>>>>> +CONFIG_TCG_TIS_ST33ZP24=3Dm
>>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=3Dm
>>>>>   # CONFIG_XILLYBUS is not set
>>>>>   # end of Character devices
>>>>>   @@ -7271,6 +7283,7 @@ CONFIG_IO_WQ=3Dy
>>>>>   CONFIG_KEYS=3Dy
>>>>>   # CONFIG_KEYS_REQUEST_CACHE is not set
>>>>>   # CONFIG_PERSISTENT_KEYRINGS is not set
>>>>> +# CONFIG_TRUSTED_KEYS is not set
>>>>>   # CONFIG_ENCRYPTED_KEYS is not set
>>>>>   # CONFIG_KEY_DH_OPERATIONS is not set
>>>>>   CONFIG_SECURITY_DMESG_RESTRICT=3Dy
>>>>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/=
kernel.config.armv6l-ipfire
>>>>> index 7b82e87df..b11a179e3 100644
>>>>> --- a/config/kernel/kernel.config.armv6l-ipfire
>>>>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>>>>> @@ -3463,7 +3463,16 @@ CONFIG_DEVMEM=3Dy
>>>>>   CONFIG_RAW_DRIVER=3Dy
>>>>>   CONFIG_MAX_RAW_DEVS=3D8192
>>>>>   CONFIG_DEVPORT=3Dy
>>>>> -# CONFIG_TCG_TPM is not set
>>>>> +CONFIG_TCG_TPM=3Dm
>>>>> +CONFIG_HW_RANDOM_TPM=3Dy
>>>>> +CONFIG_TCG_TIS_CORE=3Dm
>>>>> +CONFIG_TCG_TIS=3Dm
>>>>> +CONFIG_TCG_TIS_I2C_ATMEL=3Dm
>>>>> +CONFIG_TCG_TIS_I2C_INFINEON=3Dm
>>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=3Dm
>>>>> +CONFIG_TCG_VTPM_PROXY=3Dm
>>>>> +CONFIG_TCG_TIS_ST33ZP24=3Dm
>>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=3Dm
>>>>>   # CONFIG_XILLYBUS is not set
>>>>>   # end of Character devices
>>>>>   @@ -7366,6 +7375,7 @@ CONFIG_IO_WQ=3Dy
>>>>>   CONFIG_KEYS=3Dy
>>>>>   # CONFIG_KEYS_REQUEST_CACHE is not set
>>>>>   # CONFIG_PERSISTENT_KEYRINGS is not set
>>>>> +# CONFIG_TRUSTED_KEYS is not set
>>>>>   # CONFIG_ENCRYPTED_KEYS is not set
>>>>>   # CONFIG_KEY_DH_OPERATIONS is not set
>>>>>   CONFIG_SECURITY_DMESG_RESTRICT=3Dy
>>>>> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/ke=
rnel.config.i586-ipfire
>>>>> index 90d4ac856..2d7158c96 100644
>>>>> --- a/config/kernel/kernel.config.i586-ipfire
>>>>> +++ b/config/kernel/kernel.config.i586-ipfire
>>>>> @@ -3449,7 +3449,21 @@ CONFIG_DEVPORT=3Dy
>>>>>   CONFIG_HPET=3Dy
>>>>>   # CONFIG_HPET_MMAP is not set
>>>>>   CONFIG_HANGCHECK_TIMER=3Dm
>>>>> -# CONFIG_TCG_TPM is not set
>>>>> +CONFIG_TCG_TPM=3Dm
>>>>> +CONFIG_HW_RANDOM_TPM=3Dy
>>>>> +CONFIG_TCG_TIS_CORE=3Dm
>>>>> +CONFIG_TCG_TIS=3Dm
>>>>> +CONFIG_TCG_TIS_I2C_ATMEL=3Dm
>>>>> +CONFIG_TCG_TIS_I2C_INFINEON=3Dm
>>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=3Dm
>>>>> +CONFIG_TCG_NSC=3Dm
>>>>> +CONFIG_TCG_ATMEL=3Dm
>>>>> +CONFIG_TCG_INFINEON=3Dm
>>>>> +CONFIG_TCG_XEN=3Dm
>>>>> +CONFIG_TCG_CRB=3Dm
>>>>> +CONFIG_TCG_VTPM_PROXY=3Dm
>>>>> +CONFIG_TCG_TIS_ST33ZP24=3Dm
>>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=3Dm
>>>>>   # CONFIG_TELCLOCK is not set
>>>>>   # CONFIG_XILLYBUS is not set
>>>>>   # end of Character devices
>>>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/=
kernel.config.x86_64-ipfire
>>>>> index fe93d731c..65014f41a 100644
>>>>> --- a/config/kernel/kernel.config.x86_64-ipfire
>>>>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>>>>> @@ -3413,7 +3413,21 @@ CONFIG_DEVPORT=3Dy
>>>>>   CONFIG_HPET=3Dy
>>>>>   # CONFIG_HPET_MMAP is not set
>>>>>   CONFIG_HANGCHECK_TIMER=3Dm
>>>>> -# CONFIG_TCG_TPM is not set
>>>>> +CONFIG_TCG_TPM=3Dm
>>>>> +CONFIG_HW_RANDOM_TPM=3Dy
>>>>> +CONFIG_TCG_TIS_CORE=3Dm
>>>>> +CONFIG_TCG_TIS=3Dm
>>>>> +CONFIG_TCG_TIS_I2C_ATMEL=3Dm
>>>>> +CONFIG_TCG_TIS_I2C_INFINEON=3Dm
>>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=3Dm
>>>>> +CONFIG_TCG_NSC=3Dm
>>>>> +CONFIG_TCG_ATMEL=3Dm
>>>>> +CONFIG_TCG_INFINEON=3Dm
>>>>> +CONFIG_TCG_XEN=3Dm
>>>>> +CONFIG_TCG_CRB=3Dm
>>>>> +CONFIG_TCG_VTPM_PROXY=3Dm
>>>>> +CONFIG_TCG_TIS_ST33ZP24=3Dm
>>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=3Dm
>>>>>   # CONFIG_TELCLOCK is not set
>>>>>   # CONFIG_XILLYBUS is not set
>>>>>   # end of Character devices
>>>>> @@ -6746,6 +6760,7 @@ CONFIG_IO_WQ=3Dy
>>>>>   CONFIG_KEYS=3Dy
>>>>>   # CONFIG_KEYS_REQUEST_CACHE is not set
>>>>>   # CONFIG_PERSISTENT_KEYRINGS is not set
>>>>> +# CONFIG_TRUSTED_KEYS is not set
>>>>>   # CONFIG_ENCRYPTED_KEYS is not set
>>>>>   # CONFIG_KEY_DH_OPERATIONS is not set
>>>>>   CONFIG_SECURITY_DMESG_RESTRICT=3Dy


--===============3147253766976813636==--