From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: [PATCH 11/13] kernel: Enable support for TPM hardware
Date: Tue, 21 Sep 2021 14:31:34 +0200
Message-ID:
In-Reply-To: <8820a78d-4d3d-dfbd-8546-463b70771684@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1066965430633903203=="
List-Id:

--===============1066965430633903203==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi Michael,

After a bit more searching around I don't think I have TPM capability on my systems.

Regards,

Adolf.

On 21/09/2021 13:40, Adolf Belka wrote:
> Hi Michael,
>
> On 21/09/2021 11:50, Michael Tremer wrote:
>> Hello,
>>
>>> On 18 Sep 2021, at 17:15, Peter Müller wrote:
>>>
>>> Hello Michael,
>>> hello *,
>>>
>>> just a small comment for the records: As discussed in the last monthly telephone
>>> conference (https://wiki.ipfire.org/devel/telco/2021-09-06), we will use a TPM only
>>> for HWRNG purposes. Nothing else will depend on it, as there is nothing relevant
>>> left to be locked down in IPFire thanks to enforced kernel module signing.
>> Does anyone have any hardware at grabs to verify that this works?
>>
>> rngd --list should list the TPM device as a potential source.
>
> On my running system I got the following response to the command:-
>
> Entropy sources that are available but disabled
> 1: TPM RNG Device (tpm)
> 4: NIST Network Entropy Beacon (nist)
> Available and enabled entropy sources:
> 2: Intel RDRAND Instruction RNG (rdrand)
> Available entropy sources that failed initalization:
> 0: Hardware RNG Device (hwrng)
>
>
> and on my VM testbed system I got the same message:-
>
> Entropy sources that are available but disabled
> 1: TPM RNG Device (tpm)
> 4: NIST Network Entropy Beacon (nist)
> Available and enabled entropy sources:
> 2: Intel RDRAND Instruction RNG (rdrand)
> Available entropy sources that failed initalization:
> 0: Hardware RNG Device (hwrng)
>
> I suspect that available but disabled means that I would need to turn it on in the bios. Is that a correct assumption?
>
> To test it I presume that I need to copy the changes into the kernel config for the architecture I am using and also need to reboot.
>
> Once I have the changes in place how do I tell if it is working?
>
> Regards,
>
> Adolf.
>
>>> So no user needs to worry about introducing TPM support coming with a lack of
>>> digital sovereignty - that is, if something like this even exists on today's hardware. :-)
>>>
>>> Acked-by: Peter Müller
>>>
>>> Thanks, and best regards,
>>> Peter Müller
>>>
>>>
>>>> Signed-off-by: Michael Tremer
>>>> ---
>>>> =C2=A0 config/kernel/kernel.config.aarch64-ipfire | 15 ++++++++++++++- >>>> =C2=A0 config/kernel/kernel.config.armv6l-ipfire=C2=A0 | 12 +++++++++++- >>>> =C2=A0 config/kernel/kernel.config.i586-ipfire=C2=A0=C2=A0=C2=A0 | 16 ++= +++++++++++++- >>>> =C2=A0 config/kernel/kernel.config.x86_64-ipfire=C2=A0 | 17 ++++++++++++= ++++- >>>> =C2=A0 4 files changed, 56 insertions(+), 4 deletions(-) >>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/= kernel.config.aarch64-ipfire >>>> index aa34b64db..49ee85970 100644 >>>> --- a/config/kernel/kernel.config.aarch64-ipfire
>>>> +++ b/config/kernel/kernel.config.aarch64-ipfire >>>> @@ -3422,7 +3422,19 @@ CONFIG_DEVMEM=3Dy >>>> =C2=A0 CONFIG_RAW_DRIVER=3Dy >>>> =C2=A0 CONFIG_MAX_RAW_DEVS=3D8192 >>>> =C2=A0 CONFIG_DEVPORT=3Dy >>>> -# CONFIG_TCG_TPM is not set >>>> +CONFIG_TCG_TPM=3Dm >>>> +CONFIG_HW_RANDOM_TPM=3Dy >>>> +CONFIG_TCG_TIS_CORE=3Dm >>>> +CONFIG_TCG_TIS=3Dm >>>> +CONFIG_TCG_TIS_I2C_ATMEL=3Dm >>>> +CONFIG_TCG_TIS_I2C_INFINEON=3Dm >>>> +CONFIG_TCG_TIS_I2C_NUVOTON=3Dm >>>> +CONFIG_TCG_ATMEL=3Dm >>>> +CONFIG_TCG_INFINEON=3Dm >>>> +CONFIG_TCG_CRB=3Dm >>>> +CONFIG_TCG_VTPM_PROXY=3Dm >>>> +CONFIG_TCG_TIS_ST33ZP24=3Dm >>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=3Dm >>>> =C2=A0 # CONFIG_XILLYBUS is not set >>>> =C2=A0 # end of Character devices >>>> =C2=A0 @@ -7271,6 +7283,7 @@ CONFIG_IO_WQ=3Dy >>>> =C2=A0 CONFIG_KEYS=3Dy >>>> =C2=A0 # CONFIG_KEYS_REQUEST_CACHE is not set >>>> =C2=A0 # CONFIG_PERSISTENT_KEYRINGS is not set >>>> +# CONFIG_TRUSTED_KEYS is not set >>>> =C2=A0 # CONFIG_ENCRYPTED_KEYS is not set >>>> =C2=A0 # CONFIG_KEY_DH_OPERATIONS is not set >>>> =C2=A0 CONFIG_SECURITY_DMESG_RESTRICT=3Dy >>>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/k= ernel.config.armv6l-ipfire >>>> index 7b82e87df..b11a179e3 100644 >>>> --- a/config/kernel/kernel.config.armv6l-ipfire >>>> +++ b/config/kernel/kernel.config.armv6l-ipfire >>>> @@ -3463,7 +3463,16 @@ CONFIG_DEVMEM=3Dy >>>> =C2=A0 CONFIG_RAW_DRIVER=3Dy >>>> =C2=A0 CONFIG_MAX_RAW_DEVS=3D8192 >>>> =C2=A0 CONFIG_DEVPORT=3Dy >>>> -# CONFIG_TCG_TPM is not set >>>> +CONFIG_TCG_TPM=3Dm >>>> +CONFIG_HW_RANDOM_TPM=3Dy >>>> +CONFIG_TCG_TIS_CORE=3Dm >>>> +CONFIG_TCG_TIS=3Dm >>>> +CONFIG_TCG_TIS_I2C_ATMEL=3Dm >>>> +CONFIG_TCG_TIS_I2C_INFINEON=3Dm >>>> +CONFIG_TCG_TIS_I2C_NUVOTON=3Dm >>>> +CONFIG_TCG_VTPM_PROXY=3Dm >>>> +CONFIG_TCG_TIS_ST33ZP24=3Dm >>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=3Dm >>>> =C2=A0 # CONFIG_XILLYBUS is not set >>>> =C2=A0 # end of Character devices >>>> =C2=A0 
@@ -7366,6 +7375,7 @@ CONFIG_IO_WQ=3Dy >>>> =C2=A0 CONFIG_KEYS=3Dy >>>> =C2=A0 # CONFIG_KEYS_REQUEST_CACHE is not set >>>> =C2=A0 # CONFIG_PERSISTENT_KEYRINGS is not set >>>> +# CONFIG_TRUSTED_KEYS is not set >>>> =C2=A0 # CONFIG_ENCRYPTED_KEYS is not set >>>> =C2=A0 # CONFIG_KEY_DH_OPERATIONS is not set >>>> =C2=A0 CONFIG_SECURITY_DMESG_RESTRICT=3Dy >>>> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/ker= nel.config.i586-ipfire >>>> index 90d4ac856..2d7158c96 100644 >>>> --- a/config/kernel/kernel.config.i586-ipfire >>>> +++ b/config/kernel/kernel.config.i586-ipfire >>>> @@ -3449,7 +3449,21 @@ CONFIG_DEVPORT=3Dy >>>> =C2=A0 CONFIG_HPET=3Dy >>>> =C2=A0 # CONFIG_HPET_MMAP is not set >>>> =C2=A0 CONFIG_HANGCHECK_TIMER=3Dm >>>> -# CONFIG_TCG_TPM is not set >>>> +CONFIG_TCG_TPM=3Dm >>>> +CONFIG_HW_RANDOM_TPM=3Dy >>>> +CONFIG_TCG_TIS_CORE=3Dm >>>> +CONFIG_TCG_TIS=3Dm >>>> +CONFIG_TCG_TIS_I2C_ATMEL=3Dm >>>> +CONFIG_TCG_TIS_I2C_INFINEON=3Dm >>>> +CONFIG_TCG_TIS_I2C_NUVOTON=3Dm >>>> +CONFIG_TCG_NSC=3Dm >>>> +CONFIG_TCG_ATMEL=3Dm >>>> +CONFIG_TCG_INFINEON=3Dm >>>> +CONFIG_TCG_XEN=3Dm >>>> +CONFIG_TCG_CRB=3Dm >>>> +CONFIG_TCG_VTPM_PROXY=3Dm >>>> +CONFIG_TCG_TIS_ST33ZP24=3Dm >>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=3Dm >>>> =C2=A0 # CONFIG_TELCLOCK is not set >>>> =C2=A0 # CONFIG_XILLYBUS is not set >>>> =C2=A0 # end of Character devices >>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/k= ernel.config.x86_64-ipfire >>>> index fe93d731c..65014f41a 100644 >>>> --- a/config/kernel/kernel.config.x86_64-ipfire >>>> +++ b/config/kernel/kernel.config.x86_64-ipfire 
>>>> @@ -3413,7 +3413,21 @@ CONFIG_DEVPORT=3Dy >>>> =C2=A0 CONFIG_HPET=3Dy >>>> =C2=A0 # CONFIG_HPET_MMAP is not set >>>> =C2=A0 CONFIG_HANGCHECK_TIMER=3Dm >>>> -# CONFIG_TCG_TPM is not set >>>> +CONFIG_TCG_TPM=3Dm >>>> +CONFIG_HW_RANDOM_TPM=3Dy >>>> +CONFIG_TCG_TIS_CORE=3Dm >>>> +CONFIG_TCG_TIS=3Dm >>>> +CONFIG_TCG_TIS_I2C_ATMEL=3Dm >>>> +CONFIG_TCG_TIS_I2C_INFINEON=3Dm >>>> +CONFIG_TCG_TIS_I2C_NUVOTON=3Dm >>>> +CONFIG_TCG_NSC=3Dm >>>> +CONFIG_TCG_ATMEL=3Dm >>>> +CONFIG_TCG_INFINEON=3Dm >>>> +CONFIG_TCG_XEN=3Dm >>>> +CONFIG_TCG_CRB=3Dm >>>> +CONFIG_TCG_VTPM_PROXY=3Dm >>>> +CONFIG_TCG_TIS_ST33ZP24=3Dm >>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=3Dm >>>> =C2=A0 # CONFIG_TELCLOCK is not set >>>> =C2=A0 # CONFIG_XILLYBUS is not set >>>> =C2=A0 # end of Character devices >>>> @@ -6746,6 +6760,7 @@ CONFIG_IO_WQ=3Dy >>>> =C2=A0 CONFIG_KEYS=3Dy >>>> =C2=A0 # CONFIG_KEYS_REQUEST_CACHE is not set >>>> =C2=A0 # CONFIG_PERSISTENT_KEYRINGS is not set >>>> +# CONFIG_TRUSTED_KEYS is not set >>>> =C2=A0 # CONFIG_ENCRYPTED_KEYS is not set >>>> =C2=A0 # CONFIG_KEY_DH_OPERATIONS is not set >>>> =C2=A0 CONFIG_SECURITY_DMESG_RESTRICT=3Dy --===============1066965430633903203==--
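
Review bot: In the character-devices hunks of all four files, CONFIG_HW_RANDOM_TPM=y sits beside CONFIG_TCG_TPM=m, and every interface driver (CONFIG_TCG_TIS, CONFIG_TCG_CRB, the I2C variants) is also =m, so the TPM can only show up as a hardware RNG once the core module and the matching interface module are loaded. Since the thread says the TPM is wanted for HWRNG purposes only, the commit message should state how these modules are expected to be loaded at boot, so testers know what to check when rngd does not list the device.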
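
Review bot: The armv6l and aarch64 character-devices hunks add only I2C-attached TIS drivers (CONFIG_TCG_TIS_I2C_ATMEL, CONFIG_TCG_TIS_I2C_INFINEON, CONFIG_TCG_TIS_I2C_NUVOTON, CONFIG_TCG_TIS_ST33ZP24_I2C); neither CONFIG_TCG_TIS_SPI nor CONFIG_TCG_TIS_ST33ZP24_SPI appears in any of the four files, not even as an "is not set" line. Please confirm whether SPI-attached TPMs are out of scope for these configs or whether the SPI symbols are simply not visible here, and note the answer in the commit message.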
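
Review bot: The line "# CONFIG_TRUSTED_KEYS is not set" is added after CONFIG_PERSISTENT_KEYRINGS in the aarch64, armv6l and x86_64 files, but the i586 diff has no keys hunk at all (its 16 changed lines in the diffstat are all in the character-devices hunk). Confirm that the symbol is not visible on i586 rather than left out, and say in the commit message that trusted keys stay off on purpose, which is what keeps the TPM limited to RNG use as agreed in the thread.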
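
For the question in the thread of how to tell whether it is working, an added example (not from the thread or from IPFire's code): a shell script that reports which section of `rngd --list` output a source falls in, using the listing quoted above as constructed sample input, and checks the kernel's hw_random list for a TPM backend. The function names, the `--live` switch and the assumption that the TPM backend's name contains "tpm" belong to this example.

```shell
#!/bin/sh
# Added example: classify an entropy source in `rngd --list` output and check
# whether the kernel's hw_random framework lists a TPM-backed RNG.

# Constructed sample: the listing quoted in the thread.
SAMPLE_LIST='Entropy sources that are available but disabled
1: TPM RNG Device (tpm)
4: NIST Network Entropy Beacon (nist)
Available and enabled entropy sources:
2: Intel RDRAND Instruction RNG (rdrand)
Available entropy sources that failed initalization:
0: Hardware RNG Device (hwrng)'

# rng_source_state SHORTNAME: reads a listing on stdin and prints
# disabled | enabled | failed | absent for the source with that short name.
rng_source_state() {
    awk -v want="($1)" '
        /available but disabled/ { state = "disabled"; next }
        /Available and enabled/  { state = "enabled";  next }
        /failed init/            { state = "failed";   next }
        /^[ \t]*[0-9]+:/ && $NF == want { found = state }
        END { print (found == "" ? "absent" : found) }
    '
}

# kernel_tpm_rng [FILE]: succeeds if the hw_random backend list names a TPM.
# Assumption: the TPM backend's name contains "tpm".
kernel_tpm_rng() {
    f=${1:-/sys/class/misc/hw_random/rng_available}
    [ -r "$f" ] && grep -qi 'tpm' "$f"
}

# On a live system: run with --live after booting the new kernel.
if [ "${1:-}" = "--live" ]; then
    echo "rngd hwrng source: $(rngd --list 2>&1 | rng_source_state hwrng)"
    if kernel_tpm_rng; then
        echo "kernel: TPM RNG registered with hw_random"
    else
        echo "kernel: no TPM RNG in hw_random list"
    fi
fi
```
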