Hi Michael,

On 21/09/2021 11:50, Michael Tremer wrote:
> Hello,
>
>> On 18 Sep 2021, at 17:15, Peter Müller wrote:
>>
>> Hello Michael,
>> hello *,
>>
>> just a small comment for the records: As discussed in the last monthly telephone
>> conference (https://wiki.ipfire.org/devel/telco/2021-09-06), we will use a TPM only
>> for HWRNG purposes. Nothing else will depend on it, as there is nothing relevant
>> left to be locked down in IPFire thanks to enforced kernel module signing.
> Does anyone have any hardware at grabs to verify that this works?
>
> rngd --list should list the TPM device as a potential source.

On my running system I got the following response to the command:-

Entropy sources that are available but disabled
1: TPM RNG Device (tpm)
4: NIST Network Entropy Beacon (nist)
Available and enabled entropy sources:
2: Intel RDRAND Instruction RNG (rdrand)
Available entropy sources that failed initalization:
0: Hardware RNG Device (hwrng)

and on my VM testbed system I got the same message:-

Entropy sources that are available but disabled
1: TPM RNG Device (tpm)
4: NIST Network Entropy Beacon (nist)
Available and enabled entropy sources:
2: Intel RDRAND Instruction RNG (rdrand)
Available entropy sources that failed initalization:
0: Hardware RNG Device (hwrng)

I suspect that available but disabled means that I would need to turn it on in the BIOS. Is that a correct assumption?

To test it I presume that I need to copy the changes into the kernel config for the architecture I am using and also need to reboot.

Once I have the changes in place how do I tell if it is working?

Regards,

Adolf.

>> So no user needs to worry about introducing TPM support coming with a lack of
>> digital sovereignty - that is, if something like this even exists on today's hardware. :-)
>>
>> Acked-by: Peter Müller
>>
>> Thanks, and best regards,
>> Peter Müller
>> >> >>> Signed-off-by: Michael Tremer >>> --- >>> config/kernel/kernel.config.aarch64-ipfire | 15 ++++++++++++++- >>> config/kernel/kernel.config.armv6l-ipfire | 12 +++++++++++- >>> config/kernel/kernel.config.i586-ipfire | 16 +++++++++++++++- >>> config/kernel/kernel.config.x86_64-ipfire | 17 ++++++++++++++++- >>> 4 files changed, 56 insertions(+), 4 deletions(-) >>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire >>> index aa34b64db..49ee85970 100644 >>> --- a/config/kernel/kernel.config.aarch64-ipfire >>> +++ b/config/kernel/kernel.config.aarch64-ipfire >>> @@ -3422,7 +3422,19 @@ CONFIG_DEVMEM=y >>> CONFIG_RAW_DRIVER=y >>> CONFIG_MAX_RAW_DEVS=8192 >>> CONFIG_DEVPORT=y >>> -# CONFIG_TCG_TPM is not set >>> +CONFIG_TCG_TPM=m >>> +CONFIG_HW_RANDOM_TPM=y >>> +CONFIG_TCG_TIS_CORE=m >>> +CONFIG_TCG_TIS=m >>> +CONFIG_TCG_TIS_I2C_ATMEL=m >>> +CONFIG_TCG_TIS_I2C_INFINEON=m >>> +CONFIG_TCG_TIS_I2C_NUVOTON=m >>> +CONFIG_TCG_ATMEL=m >>> +CONFIG_TCG_INFINEON=m >>> +CONFIG_TCG_CRB=m >>> +CONFIG_TCG_VTPM_PROXY=m >>> +CONFIG_TCG_TIS_ST33ZP24=m >>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m >>> # CONFIG_XILLYBUS is not set >>> # end of Character devices >>> @@ -7271,6 +7283,7 @@ CONFIG_IO_WQ=y >>> CONFIG_KEYS=y >>> # CONFIG_KEYS_REQUEST_CACHE is not set >>> # CONFIG_PERSISTENT_KEYRINGS is not set >>> +# CONFIG_TRUSTED_KEYS is not set >>> # CONFIG_ENCRYPTED_KEYS is not set >>> # CONFIG_KEY_DH_OPERATIONS is not set >>> CONFIG_SECURITY_DMESG_RESTRICT=y >>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire >>> index 7b82e87df..b11a179e3 100644 >>> --- a/config/kernel/kernel.config.armv6l-ipfire >>> +++ b/config/kernel/kernel.config.armv6l-ipfire 
>>> @@ -3463,7 +3463,16 @@ CONFIG_DEVMEM=y >>> CONFIG_RAW_DRIVER=y >>> CONFIG_MAX_RAW_DEVS=8192 >>> CONFIG_DEVPORT=y >>> -# CONFIG_TCG_TPM is not set >>> +CONFIG_TCG_TPM=m >>> +CONFIG_HW_RANDOM_TPM=y >>> +CONFIG_TCG_TIS_CORE=m >>> +CONFIG_TCG_TIS=m >>> +CONFIG_TCG_TIS_I2C_ATMEL=m >>> +CONFIG_TCG_TIS_I2C_INFINEON=m >>> +CONFIG_TCG_TIS_I2C_NUVOTON=m >>> +CONFIG_TCG_VTPM_PROXY=m >>> +CONFIG_TCG_TIS_ST33ZP24=m >>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m >>> # CONFIG_XILLYBUS is not set >>> # end of Character devices >>> @@ -7366,6 +7375,7 @@ CONFIG_IO_WQ=y >>> CONFIG_KEYS=y >>> # CONFIG_KEYS_REQUEST_CACHE is not set >>> # CONFIG_PERSISTENT_KEYRINGS is not set >>> +# CONFIG_TRUSTED_KEYS is not set >>> # CONFIG_ENCRYPTED_KEYS is not set >>> # CONFIG_KEY_DH_OPERATIONS is not set >>> CONFIG_SECURITY_DMESG_RESTRICT=y >>> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire >>> index 90d4ac856..2d7158c96 100644 >>> --- a/config/kernel/kernel.config.i586-ipfire >>> +++ b/config/kernel/kernel.config.i586-ipfire >>> @@ -3449,7 +3449,21 @@ CONFIG_DEVPORT=y >>> CONFIG_HPET=y >>> # CONFIG_HPET_MMAP is not set >>> CONFIG_HANGCHECK_TIMER=m >>> -# CONFIG_TCG_TPM is not set >>> +CONFIG_TCG_TPM=m >>> +CONFIG_HW_RANDOM_TPM=y >>> +CONFIG_TCG_TIS_CORE=m >>> +CONFIG_TCG_TIS=m >>> +CONFIG_TCG_TIS_I2C_ATMEL=m >>> +CONFIG_TCG_TIS_I2C_INFINEON=m >>> +CONFIG_TCG_TIS_I2C_NUVOTON=m >>> +CONFIG_TCG_NSC=m >>> +CONFIG_TCG_ATMEL=m >>> +CONFIG_TCG_INFINEON=m >>> +CONFIG_TCG_XEN=m >>> +CONFIG_TCG_CRB=m >>> +CONFIG_TCG_VTPM_PROXY=m >>> +CONFIG_TCG_TIS_ST33ZP24=m >>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m >>> # CONFIG_TELCLOCK is not set >>> # CONFIG_XILLYBUS is not set >>> # end of Character devices >>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire >>> index fe93d731c..65014f41a 100644 >>> --- a/config/kernel/kernel.config.x86_64-ipfire >>> +++ b/config/kernel/kernel.config.x86_64-ipfire 
>>> @@ -3413,7 +3413,21 @@ CONFIG_DEVPORT=y >>> CONFIG_HPET=y >>> # CONFIG_HPET_MMAP is not set >>> CONFIG_HANGCHECK_TIMER=m >>> -# CONFIG_TCG_TPM is not set >>> +CONFIG_TCG_TPM=m >>> +CONFIG_HW_RANDOM_TPM=y >>> +CONFIG_TCG_TIS_CORE=m >>> +CONFIG_TCG_TIS=m >>> +CONFIG_TCG_TIS_I2C_ATMEL=m >>> +CONFIG_TCG_TIS_I2C_INFINEON=m >>> +CONFIG_TCG_TIS_I2C_NUVOTON=m >>> +CONFIG_TCG_NSC=m >>> +CONFIG_TCG_ATMEL=m >>> +CONFIG_TCG_INFINEON=m >>> +CONFIG_TCG_XEN=m >>> +CONFIG_TCG_CRB=m >>> +CONFIG_TCG_VTPM_PROXY=m >>> +CONFIG_TCG_TIS_ST33ZP24=m >>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m >>> # CONFIG_TELCLOCK is not set >>> # CONFIG_XILLYBUS is not set >>> # end of Character devices >>> @@ -6746,6 +6760,7 @@ CONFIG_IO_WQ=y >>> CONFIG_KEYS=y >>> # CONFIG_KEYS_REQUEST_CACHE is not set >>> # CONFIG_PERSISTENT_KEYRINGS is not set >>> +# CONFIG_TRUSTED_KEYS is not set >>> # CONFIG_ENCRYPTED_KEYS is not set >>> # CONFIG_KEY_DH_OPERATIONS is not set >>> CONFIG_SECURITY_DMESG_RESTRICT=y
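Review bot: In the CONFIG_TCG_TPM hunk of all four configs, CONFIG_TCG_VTPM_PROXY=m is enabled next to the hardware drivers, and the i586 and x86_64 hunks also add CONFIG_TCG_XEN=m. Both are virtual TPM front ends rather than drivers for a physical chip, while the thread states the TPM is to be used only for HWRNG purposes. Suggest dropping them, or saying in the commit message why they are needed.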
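Review bot: The kernel.config.i586-ipfire diff has no keys hunk. aarch64, armv6l and x86_64 each add "# CONFIG_TRUSTED_KEYS is not set" after "# CONFIG_PERSISTENT_KEYRINGS is not set", but i586 only gets the TPM driver hunk (its 16 changed lines in the diffstat are all in that one hunk). Please confirm that TRUSTED_KEYS ends up disabled on i586 as well, and add the explicit line if the symbol is visible there, so that no architecture gains a TPM-backed key type.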
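Review bot: CONFIG_HW_RANDOM_TPM=y sits directly under CONFIG_TCG_TPM=m in every config, so the TPM RNG can only register once a tpm module has been loaded, and nothing in the patch says how to check the result. The rngd output quoted in the reply lists both a "hwrng" and a "tpm" source. Suggest naming in the commit message which of the two is expected to become enabled after this change, so that testers know what a pass looks like.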