From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 11/13] kernel: Enable support for TPM hardware
Date: Sat, 18 Sep 2021 16:15:01 +0000 [thread overview]
Message-ID: <a7964c1f-257a-bfcc-c406-5c1c902ef935@ipfire.org> (raw)
In-Reply-To: <20210917114229.10704-11-michael.tremer@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 5314 bytes --]
Hello Michael,
hello *,
just a small comment for the records: As discussed in the last monthly telephone
conference (https://wiki.ipfire.org/devel/telco/2021-09-06), we will use a TPM only
for HWRNG purposes. Nothing else will depend on it, as there is nothing relevant
left to be locked down in IPFire thanks to enforced kernel module signing.
So no user needs to worry about introducing TPM support coming with a lack of
digital sovereignty - that is, if something like this even exits on today's hardware. :-)
Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
Thanks, and best regards,
Peter Müller
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
> config/kernel/kernel.config.aarch64-ipfire | 15 ++++++++++++++-
> config/kernel/kernel.config.armv6l-ipfire | 12 +++++++++++-
> config/kernel/kernel.config.i586-ipfire | 16 +++++++++++++++-
> config/kernel/kernel.config.x86_64-ipfire | 17 ++++++++++++++++-
> 4 files changed, 56 insertions(+), 4 deletions(-)
>
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index aa34b64db..49ee85970 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -3422,7 +3422,19 @@ CONFIG_DEVMEM=y
> CONFIG_RAW_DRIVER=y
> CONFIG_MAX_RAW_DEVS=8192
> CONFIG_DEVPORT=y
> -# CONFIG_TCG_TPM is not set
> +CONFIG_TCG_TPM=m
> +CONFIG_HW_RANDOM_TPM=y
> +CONFIG_TCG_TIS_CORE=m
> +CONFIG_TCG_TIS=m
> +CONFIG_TCG_TIS_I2C_ATMEL=m
> +CONFIG_TCG_TIS_I2C_INFINEON=m
> +CONFIG_TCG_TIS_I2C_NUVOTON=m
> +CONFIG_TCG_ATMEL=m
> +CONFIG_TCG_INFINEON=m
> +CONFIG_TCG_CRB=m
> +CONFIG_TCG_VTPM_PROXY=m
> +CONFIG_TCG_TIS_ST33ZP24=m
> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
> # CONFIG_XILLYBUS is not set
> # end of Character devices
>
> @@ -7271,6 +7283,7 @@ CONFIG_IO_WQ=y
> CONFIG_KEYS=y
> # CONFIG_KEYS_REQUEST_CACHE is not set
> # CONFIG_PERSISTENT_KEYRINGS is not set
> +# CONFIG_TRUSTED_KEYS is not set
> # CONFIG_ENCRYPTED_KEYS is not set
> # CONFIG_KEY_DH_OPERATIONS is not set
> CONFIG_SECURITY_DMESG_RESTRICT=y
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index 7b82e87df..b11a179e3 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -3463,7 +3463,16 @@ CONFIG_DEVMEM=y
> CONFIG_RAW_DRIVER=y
> CONFIG_MAX_RAW_DEVS=8192
> CONFIG_DEVPORT=y
> -# CONFIG_TCG_TPM is not set
> +CONFIG_TCG_TPM=m
> +CONFIG_HW_RANDOM_TPM=y
> +CONFIG_TCG_TIS_CORE=m
> +CONFIG_TCG_TIS=m
> +CONFIG_TCG_TIS_I2C_ATMEL=m
> +CONFIG_TCG_TIS_I2C_INFINEON=m
> +CONFIG_TCG_TIS_I2C_NUVOTON=m
> +CONFIG_TCG_VTPM_PROXY=m
> +CONFIG_TCG_TIS_ST33ZP24=m
> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
> # CONFIG_XILLYBUS is not set
> # end of Character devices
>
> @@ -7366,6 +7375,7 @@ CONFIG_IO_WQ=y
> CONFIG_KEYS=y
> # CONFIG_KEYS_REQUEST_CACHE is not set
> # CONFIG_PERSISTENT_KEYRINGS is not set
> +# CONFIG_TRUSTED_KEYS is not set
> # CONFIG_ENCRYPTED_KEYS is not set
> # CONFIG_KEY_DH_OPERATIONS is not set
> CONFIG_SECURITY_DMESG_RESTRICT=y
> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
> index 90d4ac856..2d7158c96 100644
> --- a/config/kernel/kernel.config.i586-ipfire
> +++ b/config/kernel/kernel.config.i586-ipfire
> @@ -3449,7 +3449,21 @@ CONFIG_DEVPORT=y
> CONFIG_HPET=y
> # CONFIG_HPET_MMAP is not set
> CONFIG_HANGCHECK_TIMER=m
> -# CONFIG_TCG_TPM is not set
> +CONFIG_TCG_TPM=m
> +CONFIG_HW_RANDOM_TPM=y
> +CONFIG_TCG_TIS_CORE=m
> +CONFIG_TCG_TIS=m
> +CONFIG_TCG_TIS_I2C_ATMEL=m
> +CONFIG_TCG_TIS_I2C_INFINEON=m
> +CONFIG_TCG_TIS_I2C_NUVOTON=m
> +CONFIG_TCG_NSC=m
> +CONFIG_TCG_ATMEL=m
> +CONFIG_TCG_INFINEON=m
> +CONFIG_TCG_XEN=m
> +CONFIG_TCG_CRB=m
> +CONFIG_TCG_VTPM_PROXY=m
> +CONFIG_TCG_TIS_ST33ZP24=m
> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
> # CONFIG_TELCLOCK is not set
> # CONFIG_XILLYBUS is not set
> # end of Character devices
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index fe93d731c..65014f41a 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -3413,7 +3413,21 @@ CONFIG_DEVPORT=y
> CONFIG_HPET=y
> # CONFIG_HPET_MMAP is not set
> CONFIG_HANGCHECK_TIMER=m
> -# CONFIG_TCG_TPM is not set
> +CONFIG_TCG_TPM=m
> +CONFIG_HW_RANDOM_TPM=y
> +CONFIG_TCG_TIS_CORE=m
> +CONFIG_TCG_TIS=m
> +CONFIG_TCG_TIS_I2C_ATMEL=m
> +CONFIG_TCG_TIS_I2C_INFINEON=m
> +CONFIG_TCG_TIS_I2C_NUVOTON=m
> +CONFIG_TCG_NSC=m
> +CONFIG_TCG_ATMEL=m
> +CONFIG_TCG_INFINEON=m
> +CONFIG_TCG_XEN=m
> +CONFIG_TCG_CRB=m
> +CONFIG_TCG_VTPM_PROXY=m
> +CONFIG_TCG_TIS_ST33ZP24=m
> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
> # CONFIG_TELCLOCK is not set
> # CONFIG_XILLYBUS is not set
> # end of Character devices
> @@ -6746,6 +6760,7 @@ CONFIG_IO_WQ=y
> CONFIG_KEYS=y
> # CONFIG_KEYS_REQUEST_CACHE is not set
> # CONFIG_PERSISTENT_KEYRINGS is not set
> +# CONFIG_TRUSTED_KEYS is not set
> # CONFIG_ENCRYPTED_KEYS is not set
> # CONFIG_KEY_DH_OPERATIONS is not set
> CONFIG_SECURITY_DMESG_RESTRICT=y
>
next prev parent reply other threads:[~2021-09-18 16:15 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-17 11:42 [PATCH 01/13] kernel: Change timer tick to 1000Hz Michael Tremer
2021-09-17 11:42 ` [PATCH 02/13] kernel: Disable suspending systems to RAM Michael Tremer
2021-09-18 16:09 ` Peter Müller
2021-09-17 11:42 ` [PATCH 03/13] kernel: Disable IRQ time accounting Michael Tremer
2021-09-18 16:10 ` Peter Müller
2021-09-17 11:42 ` [PATCH 04/13] kernel: Enable Pressure Stall Information Michael Tremer
2021-09-18 16:16 ` Peter Müller
2021-09-17 11:42 ` [PATCH 05/13] kernel: Disable SLUB debugging Michael Tremer
2021-09-18 16:27 ` Peter Müller
2021-09-21 9:42 ` Michael Tremer
2021-09-17 11:42 ` [PATCH 06/13] kernel: Disable any runtime testing Michael Tremer
2021-09-18 16:24 ` Peter Müller
2021-09-17 11:42 ` [PATCH 07/13] kernel: Disable OpenvSwitch Michael Tremer
2021-09-18 16:10 ` Peter Müller
2021-09-17 11:42 ` [PATCH 08/13] kernel: Disable network security hooks Michael Tremer
2021-09-18 16:23 ` Peter Müller
2021-09-17 11:42 ` [PATCH 09/13] kernel: Enable frontswap Michael Tremer
2021-09-18 16:20 ` Peter Müller
2021-09-17 11:42 ` [PATCH 10/13] kernel: Enable ExFAT on all architectures Michael Tremer
2021-09-18 16:10 ` Peter Müller
2021-09-20 13:48 ` Adolf Belka
2021-09-17 11:42 ` [PATCH 11/13] kernel: Enable support for TPM hardware Michael Tremer
2021-09-18 16:15 ` Peter Müller [this message]
2021-09-21 9:50 ` Michael Tremer
2021-09-21 11:40 ` Adolf Belka
2021-09-21 12:31 ` Adolf Belka
2021-10-01 17:25 ` Michael Tremer
2021-09-17 11:42 ` [PATCH 12/13] kernel: Zero-init all stack variables by default Michael Tremer
2021-09-18 16:11 ` Peter Müller
2021-09-21 9:50 ` Michael Tremer
2021-09-17 11:42 ` [PATCH 13/13] kernel: Enable all cgroups on all architectures Michael Tremer
2021-09-18 16:15 ` Peter Müller
2021-09-18 16:09 ` [PATCH 01/13] kernel: Change timer tick to 1000Hz Peter Müller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a7964c1f-257a-bfcc-c406-5c1c902ef935@ipfire.org \
--to=peter.mueller@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox