From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 11/13] kernel: Enable support for TPM hardware
Date: Tue, 21 Sep 2021 10:50:04 +0100
Message-ID: <A0467466-AF14-4460-B74C-E564E358AE44@ipfire.org>
In-Reply-To: <a7964c1f-257a-bfcc-c406-5c1c902ef935@ipfire.org>
Hello,
> On 18 Sep 2021, at 17:15, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> Hello Michael,
> hello *,
>
> just a small comment for the records: As discussed in the last monthly telephone
> conference (https://wiki.ipfire.org/devel/telco/2021-09-06), we will use a TPM only
> for HWRNG purposes. Nothing else will depend on it, as there is nothing relevant
> left to be locked down in IPFire thanks to enforced kernel module signing.
Does anyone have any hardware at grabs to verify that this works?
rngd --list should list the TPM device as a potential source.
> So no user needs to worry about introducing TPM support coming with a lack of
> digital sovereignty - that is, if something like this even exists on today's hardware. :-)
>
> Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
>
> Thanks, and best regards,
> Peter Müller
>
>
>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
>> ---
>> config/kernel/kernel.config.aarch64-ipfire | 15 ++++++++++++++-
>> config/kernel/kernel.config.armv6l-ipfire | 12 +++++++++++-
>> config/kernel/kernel.config.i586-ipfire | 16 +++++++++++++++-
>> config/kernel/kernel.config.x86_64-ipfire | 17 ++++++++++++++++-
>> 4 files changed, 56 insertions(+), 4 deletions(-)
>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
>> index aa34b64db..49ee85970 100644
>> --- a/config/kernel/kernel.config.aarch64-ipfire
>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>> @@ -3422,7 +3422,19 @@ CONFIG_DEVMEM=y
>> CONFIG_RAW_DRIVER=y
>> CONFIG_MAX_RAW_DEVS=8192
>> CONFIG_DEVPORT=y
>> -# CONFIG_TCG_TPM is not set
>> +CONFIG_TCG_TPM=m
>> +CONFIG_HW_RANDOM_TPM=y
>> +CONFIG_TCG_TIS_CORE=m
>> +CONFIG_TCG_TIS=m
>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>> +CONFIG_TCG_ATMEL=m
>> +CONFIG_TCG_INFINEON=m
>> +CONFIG_TCG_CRB=m
>> +CONFIG_TCG_VTPM_PROXY=m
>> +CONFIG_TCG_TIS_ST33ZP24=m
>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>> # CONFIG_XILLYBUS is not set
>> # end of Character devices
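Review bot: CONFIG_TCG_VTPM_PROXY=m in this hunk (and in the other three configs) is not needed for the goal stated in this thread, using a TPM as a hardware RNG only. It builds the proxy driver that lets userspace back a virtual TPM device, which adds a device interface nothing here uses. Suggest leaving it as "# CONFIG_TCG_VTPM_PROXY is not set" unless there is a concrete user for it.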
>> @@ -7271,6 +7283,7 @@ CONFIG_IO_WQ=y
>> CONFIG_KEYS=y
>> # CONFIG_KEYS_REQUEST_CACHE is not set
>> # CONFIG_PERSISTENT_KEYRINGS is not set
>> +# CONFIG_TRUSTED_KEYS is not set
>> # CONFIG_ENCRYPTED_KEYS is not set
>> # CONFIG_KEY_DH_OPERATIONS is not set
>> CONFIG_SECURITY_DMESG_RESTRICT=y
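Review bot: Missing documentation for "# CONFIG_TRUSTED_KEYS is not set": this is the line that keeps the kernel keyring from sealing keys to the TPM now that CONFIG_TCG_TPM is on, so it carries the HWRNG-only decision, yet nothing in the commit message quoted here says so. One sentence in the changelog would keep a later config refresh from switching it on unnoticed.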
>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
>> index 7b82e87df..b11a179e3 100644
>> --- a/config/kernel/kernel.config.armv6l-ipfire
>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>> @@ -3463,7 +3463,16 @@ CONFIG_DEVMEM=y
>> CONFIG_RAW_DRIVER=y
>> CONFIG_MAX_RAW_DEVS=8192
>> CONFIG_DEVPORT=y
>> -# CONFIG_TCG_TPM is not set
>> +CONFIG_TCG_TPM=m
>> +CONFIG_HW_RANDOM_TPM=y
>> +CONFIG_TCG_TIS_CORE=m
>> +CONFIG_TCG_TIS=m
>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>> +CONFIG_TCG_VTPM_PROXY=m
>> +CONFIG_TCG_TIS_ST33ZP24=m
>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>> # CONFIG_XILLYBUS is not set
>> # end of Character devices
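Review bot: No SPI front end is enabled between CONFIG_TCG_TIS=m and CONFIG_TCG_TIS_I2C_ATMEL=m; the hunk covers only the memory-mapped TIS driver, the three CONFIG_TCG_TIS_I2C_* drivers and CONFIG_TCG_TIS_ST33ZP24_I2C. TPM add-on modules for ARM boards are often attached over SPI, so if SPI is enabled in this config (and in the aarch64 one), consider CONFIG_TCG_TIS_SPI=m as well; otherwise the TPM will not show up as an entropy source on those boards.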
>> @@ -7366,6 +7375,7 @@ CONFIG_IO_WQ=y
>> CONFIG_KEYS=y
>> # CONFIG_KEYS_REQUEST_CACHE is not set
>> # CONFIG_PERSISTENT_KEYRINGS is not set
>> +# CONFIG_TRUSTED_KEYS is not set
>> # CONFIG_ENCRYPTED_KEYS is not set
>> # CONFIG_KEY_DH_OPERATIONS is not set
>> CONFIG_SECURITY_DMESG_RESTRICT=y
>> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
>> index 90d4ac856..2d7158c96 100644
>> --- a/config/kernel/kernel.config.i586-ipfire
>> +++ b/config/kernel/kernel.config.i586-ipfire
>> @@ -3449,7 +3449,21 @@ CONFIG_DEVPORT=y
>> CONFIG_HPET=y
>> # CONFIG_HPET_MMAP is not set
>> CONFIG_HANGCHECK_TIMER=m
>> -# CONFIG_TCG_TPM is not set
>> +CONFIG_TCG_TPM=m
>> +CONFIG_HW_RANDOM_TPM=y
>> +CONFIG_TCG_TIS_CORE=m
>> +CONFIG_TCG_TIS=m
>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>> +CONFIG_TCG_NSC=m
>> +CONFIG_TCG_ATMEL=m
>> +CONFIG_TCG_INFINEON=m
>> +CONFIG_TCG_XEN=m
>> +CONFIG_TCG_CRB=m
>> +CONFIG_TCG_VTPM_PROXY=m
>> +CONFIG_TCG_TIS_ST33ZP24=m
>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>> # CONFIG_TELCLOCK is not set
>> # CONFIG_XILLYBUS is not set
>> # end of Character devices
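Review bot: Missing counterpart hunk for i586: the aarch64, armv6l and x86_64 configs each gain "# CONFIG_TRUSTED_KEYS is not set", but kernel.config.i586-ipfire is changed only in this character-device hunk. Please confirm that trusted keys cannot end up enabled on i586 once CONFIG_TCG_TPM=m is set, or add the same line there so all four architectures state it explicitly.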
>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>> index fe93d731c..65014f41a 100644
>> --- a/config/kernel/kernel.config.x86_64-ipfire
>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>> @@ -3413,7 +3413,21 @@ CONFIG_DEVPORT=y
>> CONFIG_HPET=y
>> # CONFIG_HPET_MMAP is not set
>> CONFIG_HANGCHECK_TIMER=m
>> -# CONFIG_TCG_TPM is not set
>> +CONFIG_TCG_TPM=m
>> +CONFIG_HW_RANDOM_TPM=y
>> +CONFIG_TCG_TIS_CORE=m
>> +CONFIG_TCG_TIS=m
>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>> +CONFIG_TCG_NSC=m
>> +CONFIG_TCG_ATMEL=m
>> +CONFIG_TCG_INFINEON=m
>> +CONFIG_TCG_XEN=m
>> +CONFIG_TCG_CRB=m
>> +CONFIG_TCG_VTPM_PROXY=m
>> +CONFIG_TCG_TIS_ST33ZP24=m
>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>> # CONFIG_TELCLOCK is not set
>> # CONFIG_XILLYBUS is not set
>> # end of Character devices
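Review bot: With CONFIG_TCG_TPM=m and every chip driver in this hunk (CONFIG_TCG_TIS, CONFIG_TCG_CRB and the rest) also built as a module, CONFIG_HW_RANDOM_TPM=y only yields an entropy source after the matching module has loaded. It is worth confirming on real x86_64 hardware that the driver autoloads and the TPM appears in /sys/class/misc/hw_random/rng_available before rngd starts, and recording that test result in the commit message.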
>> @@ -6746,6 +6760,7 @@ CONFIG_IO_WQ=y
>> CONFIG_KEYS=y
>> # CONFIG_KEYS_REQUEST_CACHE is not set
>> # CONFIG_PERSISTENT_KEYRINGS is not set
>> +# CONFIG_TRUSTED_KEYS is not set
>> # CONFIG_ENCRYPTED_KEYS is not set
>> # CONFIG_KEY_DH_OPERATIONS is not set
>> CONFIG_SECURITY_DMESG_RESTRICT=y
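The verification asked about in this message, as an added example that is not part of the patch or of IPFire's tree: a build-time check that a kernel config matches the HWRNG-only decision, and a runtime check that the kernel registered a TPM-backed hwrng. The function names are hypothetical; `tpm-rng-<n>` is the name the kernel's TPM core registers with the hwrng framework.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not IPFire tooling.

# config_hwrng_only FILE
# FILE is a kernel .config. Prints "ok" and returns 0 when the TPM core is
# built, it is exposed as a hwrng, and trusted keys stay disabled.
config_hwrng_only() {
    cfg="$1"
    grep -Eq '^CONFIG_TCG_TPM=[ym]$' "$cfg" || { echo "no-tpm-core"; return 1; }
    grep -q '^CONFIG_HW_RANDOM_TPM=y$' "$cfg" || { echo "no-tpm-hwrng"; return 1; }
    if grep -Eq '^CONFIG_TRUSTED_KEYS=[ym]$' "$cfg"; then
        echo "trusted-keys-enabled"
        return 1
    fi
    echo "ok"
}

# tpm_hwrng_status [DIR]
# DIR defaults to the hw_random sysfs directory. Prints "active:<name>",
# "available:<name>" or "absent"; returns 0 only if a TPM rng is registered.
tpm_hwrng_status() {
    dir="${1:-/sys/class/misc/hw_random}"
    [ -r "$dir/rng_available" ] || { echo "absent"; return 1; }
    tpm=""
    # rng_available is a space-separated list of registered hwrng names;
    # the TPM core registers as tpm-rng-<chip number>.
    for name in $(cat "$dir/rng_available"); do
        case "$name" in
            tpm-rng-*) tpm="$name"; break ;;
        esac
    done
    [ -n "$tpm" ] || { echo "absent"; return 1; }
    current=""
    if [ -r "$dir/rng_current" ]; then
        current="$(cat "$dir/rng_current")"
    fi
    if [ "$current" = "$tpm" ]; then
        echo "active:$tpm"
    else
        echo "available:$tpm"
    fi
}
```

A result of `available:` rather than `active:` means the TPM is registered but another hwrng is currently selected to feed /dev/hwrng.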