Hello, > On 18 Sep 2021, at 17:15, Peter Müller wrote: > > Hello Michael, > hello *, > > just a small comment for the records: As discussed in the last monthly telephone > conference (https://wiki.ipfire.org/devel/telco/2021-09-06), we will use a TPM only > for HWRNG purposes. Nothing else will depend on it, as there is nothing relevant > left to be locked down in IPFire thanks to enforced kernel module signing. Does anyone have any hardware at grabs to verify that this works? rngd —-list should list the TPM device as a potential source. > So no user needs to worry about introducing TPM support coming with a lack of > digital sovereignty - that is, if something like this even exits on today's hardware. :-) > > Acked-by: Peter Müller > > Thanks, and best regards, > Peter Müller > >
>> Signed-off-by: Michael Tremer
>> ---
>> config/kernel/kernel.config.aarch64-ipfire | 15 ++++++++++++++-
>> config/kernel/kernel.config.armv6l-ipfire | 12 +++++++++++-
>> config/kernel/kernel.config.i586-ipfire | 16 +++++++++++++++-
>> config/kernel/kernel.config.x86_64-ipfire | 17 ++++++++++++++++-
>> 4 files changed, 56 insertions(+), 4 deletions(-)
>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
>> index aa34b64db..49ee85970 100644
>> --- a/config/kernel/kernel.config.aarch64-ipfire
>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>> @@ -3422,7 +3422,19 @@ CONFIG_DEVMEM=y
>> CONFIG_RAW_DRIVER=y
>> CONFIG_MAX_RAW_DEVS=8192
>> CONFIG_DEVPORT=y
>> -# CONFIG_TCG_TPM is not set
>> +CONFIG_TCG_TPM=m
>> +CONFIG_HW_RANDOM_TPM=y
>> +CONFIG_TCG_TIS_CORE=m
>> +CONFIG_TCG_TIS=m
>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>> +CONFIG_TCG_ATMEL=m
>> +CONFIG_TCG_INFINEON=m
>> +CONFIG_TCG_CRB=m
>> +CONFIG_TCG_VTPM_PROXY=m
>> +CONFIG_TCG_TIS_ST33ZP24=m
>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>> # CONFIG_XILLYBUS is not set
>> # end of Character devices
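Review bot: `CONFIG_TCG_VTPM_PROXY=m` in this hunk goes beyond the HWRNG-only scope stated in the thread: the proxy driver lets userspace create virtual TPM devices and is not needed to read entropy from a physical chip. The same line is added in the armv6l, i586 and x86_64 hunks; unless a consumer is planned, I would keep it off with `# CONFIG_TCG_VTPM_PROXY is not set` so the module set stays limited to real hardware interfaces. Because the chip drivers are built as modules, the TPM only becomes an entropy source once the matching driver is loaded; alongside the `rngd` check mentioned above, `/sys/class/misc/hw_random/rng_available` should then list a `tpm-rng` entry. The surrounding character-devices section continues outside the hunk.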
>> @@ -7271,6 +7283,7 @@ CONFIG_IO_WQ=y
>> CONFIG_KEYS=y
>> # CONFIG_KEYS_REQUEST_CACHE is not set
>> # CONFIG_PERSISTENT_KEYRINGS is not set
>> +# CONFIG_TRUSTED_KEYS is not set
>> # CONFIG_ENCRYPTED_KEYS is not set
>> # CONFIG_KEY_DH_OPERATIONS is not set
>> CONFIG_SECURITY_DMESG_RESTRICT=y
>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
>> index 7b82e87df..b11a179e3 100644
>> --- a/config/kernel/kernel.config.armv6l-ipfire
>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>> @@ -3463,7 +3463,16 @@ CONFIG_DEVMEM=y
>> CONFIG_RAW_DRIVER=y
>> CONFIG_MAX_RAW_DEVS=8192
>> CONFIG_DEVPORT=y
>> -# CONFIG_TCG_TPM is not set
>> +CONFIG_TCG_TPM=m
>> +CONFIG_HW_RANDOM_TPM=y
>> +CONFIG_TCG_TIS_CORE=m
>> +CONFIG_TCG_TIS=m
>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>> +CONFIG_TCG_VTPM_PROXY=m
>> +CONFIG_TCG_TIS_ST33ZP24=m
>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>> # CONFIG_XILLYBUS is not set
>> # end of Character devices
>> @@ -7366,6 +7375,7 @@ CONFIG_IO_WQ=y
>> CONFIG_KEYS=y
>> # CONFIG_KEYS_REQUEST_CACHE is not set
>> # CONFIG_PERSISTENT_KEYRINGS is not set
>> +# CONFIG_TRUSTED_KEYS is not set
>> # CONFIG_ENCRYPTED_KEYS is not set
>> # CONFIG_KEY_DH_OPERATIONS is not set
>> CONFIG_SECURITY_DMESG_RESTRICT=y
>> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
>> index 90d4ac856..2d7158c96 100644
>> --- a/config/kernel/kernel.config.i586-ipfire
>> +++ b/config/kernel/kernel.config.i586-ipfire
>> @@ -3449,7 +3449,21 @@ CONFIG_DEVPORT=y
>> CONFIG_HPET=y
>> # CONFIG_HPET_MMAP is not set
>> CONFIG_HANGCHECK_TIMER=m
>> -# CONFIG_TCG_TPM is not set
>> +CONFIG_TCG_TPM=m
>> +CONFIG_HW_RANDOM_TPM=y
>> +CONFIG_TCG_TIS_CORE=m
>> +CONFIG_TCG_TIS=m
>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>> +CONFIG_TCG_NSC=m
>> +CONFIG_TCG_ATMEL=m
>> +CONFIG_TCG_INFINEON=m
>> +CONFIG_TCG_XEN=m
>> +CONFIG_TCG_CRB=m
>> +CONFIG_TCG_VTPM_PROXY=m
>> +CONFIG_TCG_TIS_ST33ZP24=m
>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>> # CONFIG_TELCLOCK is not set
>> # CONFIG_XILLYBUS is not set
>> # end of Character devices
>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>> index fe93d731c..65014f41a 100644
>> --- a/config/kernel/kernel.config.x86_64-ipfire
>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>> @@ -3413,7 +3413,21 @@ CONFIG_DEVPORT=y
>> CONFIG_HPET=y
>> # CONFIG_HPET_MMAP is not set
>> CONFIG_HANGCHECK_TIMER=m
>> -# CONFIG_TCG_TPM is not set
>> +CONFIG_TCG_TPM=m
>> +CONFIG_HW_RANDOM_TPM=y
>> +CONFIG_TCG_TIS_CORE=m
>> +CONFIG_TCG_TIS=m
>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>> +CONFIG_TCG_NSC=m
>> +CONFIG_TCG_ATMEL=m
>> +CONFIG_TCG_INFINEON=m
>> +CONFIG_TCG_XEN=m
>> +CONFIG_TCG_CRB=m
>> +CONFIG_TCG_VTPM_PROXY=m
>> +CONFIG_TCG_TIS_ST33ZP24=m
>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>> # CONFIG_TELCLOCK is not set
>> # CONFIG_XILLYBUS is not set
>> # end of Character devices
>> @@ -6746,6 +6760,7 @@ CONFIG_IO_WQ=y
>> CONFIG_KEYS=y
>> # CONFIG_KEYS_REQUEST_CACHE is not set
>> # CONFIG_PERSISTENT_KEYRINGS is not set
>> +# CONFIG_TRUSTED_KEYS is not set
>> # CONFIG_ENCRYPTED_KEYS is not set
>> # CONFIG_KEY_DH_OPERATIONS is not set
>> CONFIG_SECURITY_DMESG_RESTRICT=y
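Review bot: The i586 section has no hunk adding `# CONFIG_TRUSTED_KEYS is not set`, while the aarch64, armv6l and x86_64 configs each pin it next to `CONFIG_KEYS=y`; the diffstat for i586 (16 changed lines, matching the TPM hunk alone) confirms that only the character-devices hunk touches that file. With `CONFIG_TCG_TPM` now enabled there too, it is worth confirming that the symbol resolves to off on i586 and, if the key-retention section exists in that config, adding the explicit line so all four architectures state the same HWRNG-only policy. The reason may simply be a differing i586 key section that this patch does not show.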