Hello,
I gave this a go on an IPFire Business Appliance:
[root@fw01 ~]# rngd -x 2 -x 0 -n 1 --test Note, reference of entropy sources by index is deprecated, use entropy source short name instead Disabling 2: Intel RDRAND Instruction RNG (rdrand) Note, reference of entropy sources by index is deprecated, use entropy source short name instead Disabling 0: Hardware RNG Device (hwrng) Note, reference of entropy sources by index is deprecated, use entropy source short name instead Enabling 1: TPM RNG Device (tpm) Initializing available sources [tpm ]: The TPM entropy source only supports TPM1.2 hardware and is deprecated. TPM2.0 and later hardware exports entropy via /dev/hwrng, which can be collected via the hwrng entropy source in rngd [tpm ]: Initialization Failed can't open any entropy sourceMaybe RNG device modules are not loaded
So if the kernel is exporting this correctly, the default configuration of rngd will use the TPM:
[root@fw01 ~]# rngd --list Entropy sources that are available but disabled 1: TPM RNG Device (tpm) 4: NIST Network Entropy Beacon (nist) Available and enabled entropy sources: 2: Intel RDRAND Instruction RNG (rdrand) Available entropy sources that failed initalization: 0: Hardware RNG Device (hwrng)
This one is running the production kernel, but as soon as the kernel makes /dev/hwrng available, we should be fine.
Best, -Michael
On 21 Sep 2021, at 13:31, Adolf Belka adolf.belka@ipfire.org wrote:
Hi Michael,
After a bit more searching around I don't think I have TPM capability on my systems.
Regards,
Adolf.
On 21/09/2021 13:40, Adolf Belka wrote:
Hi Michael,
On 21/09/2021 11:50, Michael Tremer wrote:
Hello,
On 18 Sep 2021, at 17:15, Peter Müller peter.mueller@ipfire.org wrote:
Hello Michael, hello *,
just a small comment for the records: As discussed in the last monthly telephone conference (https://wiki.ipfire.org/devel/telco/2021-09-06), we will use a TPM only for HWRNG purposes. Nothing else will depend on it, as there is nothing relevant left to be locked down in IPFire thanks to enforced kernel module signing.
Does anyone have any hardware at grabs to verify that this works?
rngd —-list should list the TPM device as a potential source.
On my running system I got the following response to the command:-
Entropy sources that are available but disabled 1: TPM RNG Device (tpm) 4: NIST Network Entropy Beacon (nist) Available and enabled entropy sources: 2: Intel RDRAND Instruction RNG (rdrand) Available entropy sources that failed initalization: 0: Hardware RNG Device (hwrng)
and on my VM testbed system I got the same message:-
Entropy sources that are available but disabled 1: TPM RNG Device (tpm) 4: NIST Network Entropy Beacon (nist) Available and enabled entropy sources: 2: Intel RDRAND Instruction RNG (rdrand) Available entropy sources that failed initalization: 0: Hardware RNG Device (hwrng)
I suspect that available but disabled means that I would need to turn it on in the bios. Is that a correct assumption?
To test it I presume that I need to copy the changes into the kernel config for the architecture I am using and also need to reboot.
Once I have the changers in place how do I tell if it is working?
Regards,
Adolf.
So no user needs to worry about introducing TPM support coming with a lack of digital sovereignty - that is, if something like this even exits on today's hardware. :-)
Acked-by: Peter Müller peter.mueller@ipfire.org
Thanks, and best regards, Peter Müller
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
config/kernel/kernel.config.aarch64-ipfire | 15 ++++++++++++++- config/kernel/kernel.config.armv6l-ipfire | 12 +++++++++++- config/kernel/kernel.config.i586-ipfire | 16 +++++++++++++++- config/kernel/kernel.config.x86_64-ipfire | 17 ++++++++++++++++- 4 files changed, 56 insertions(+), 4 deletions(-) diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index aa34b64db..49ee85970 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -3422,7 +3422,19 @@ CONFIG_DEVMEM=y CONFIG_RAW_DRIVER=y CONFIG_MAX_RAW_DEVS=8192 CONFIG_DEVPORT=y -# CONFIG_TCG_TPM is not set +CONFIG_TCG_TPM=m +CONFIG_HW_RANDOM_TPM=y +CONFIG_TCG_TIS_CORE=m +CONFIG_TCG_TIS=m +CONFIG_TCG_TIS_I2C_ATMEL=m +CONFIG_TCG_TIS_I2C_INFINEON=m +CONFIG_TCG_TIS_I2C_NUVOTON=m +CONFIG_TCG_ATMEL=m +CONFIG_TCG_INFINEON=m +CONFIG_TCG_CRB=m +CONFIG_TCG_VTPM_PROXY=m +CONFIG_TCG_TIS_ST33ZP24=m +CONFIG_TCG_TIS_ST33ZP24_I2C=m # CONFIG_XILLYBUS is not set # end of Character devices @@ -7271,6 +7283,7 @@ CONFIG_IO_WQ=y CONFIG_KEYS=y # CONFIG_KEYS_REQUEST_CACHE is not set # CONFIG_PERSISTENT_KEYRINGS is not set +# CONFIG_TRUSTED_KEYS is not set # CONFIG_ENCRYPTED_KEYS is not set # CONFIG_KEY_DH_OPERATIONS is not set CONFIG_SECURITY_DMESG_RESTRICT=y diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 7b82e87df..b11a179e3 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -3463,7 +3463,16 @@ CONFIG_DEVMEM=y CONFIG_RAW_DRIVER=y CONFIG_MAX_RAW_DEVS=8192 CONFIG_DEVPORT=y -# CONFIG_TCG_TPM is not set +CONFIG_TCG_TPM=m +CONFIG_HW_RANDOM_TPM=y +CONFIG_TCG_TIS_CORE=m +CONFIG_TCG_TIS=m +CONFIG_TCG_TIS_I2C_ATMEL=m +CONFIG_TCG_TIS_I2C_INFINEON=m +CONFIG_TCG_TIS_I2C_NUVOTON=m +CONFIG_TCG_VTPM_PROXY=m +CONFIG_TCG_TIS_ST33ZP24=m +CONFIG_TCG_TIS_ST33ZP24_I2C=m # CONFIG_XILLYBUS is not set # end of Character devices @@ -7366,6 +7375,7 @@ CONFIG_IO_WQ=y CONFIG_KEYS=y # CONFIG_KEYS_REQUEST_CACHE is not set # CONFIG_PERSISTENT_KEYRINGS is not set +# CONFIG_TRUSTED_KEYS is not set # CONFIG_ENCRYPTED_KEYS is not set # CONFIG_KEY_DH_OPERATIONS is not set CONFIG_SECURITY_DMESG_RESTRICT=y diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire index 90d4ac856..2d7158c96 100644 --- a/config/kernel/kernel.config.i586-ipfire +++ b/config/kernel/kernel.config.i586-ipfire @@ -3449,7 +3449,21 @@ CONFIG_DEVPORT=y CONFIG_HPET=y # CONFIG_HPET_MMAP is not set CONFIG_HANGCHECK_TIMER=m -# CONFIG_TCG_TPM is not set +CONFIG_TCG_TPM=m +CONFIG_HW_RANDOM_TPM=y +CONFIG_TCG_TIS_CORE=m +CONFIG_TCG_TIS=m +CONFIG_TCG_TIS_I2C_ATMEL=m +CONFIG_TCG_TIS_I2C_INFINEON=m +CONFIG_TCG_TIS_I2C_NUVOTON=m +CONFIG_TCG_NSC=m +CONFIG_TCG_ATMEL=m +CONFIG_TCG_INFINEON=m +CONFIG_TCG_XEN=m +CONFIG_TCG_CRB=m +CONFIG_TCG_VTPM_PROXY=m +CONFIG_TCG_TIS_ST33ZP24=m +CONFIG_TCG_TIS_ST33ZP24_I2C=m # CONFIG_TELCLOCK is not set # CONFIG_XILLYBUS is not set # end of Character devices diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index fe93d731c..65014f41a 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -3413,7 +3413,21 @@ CONFIG_DEVPORT=y CONFIG_HPET=y # CONFIG_HPET_MMAP is not set CONFIG_HANGCHECK_TIMER=m -# CONFIG_TCG_TPM is not set +CONFIG_TCG_TPM=m +CONFIG_HW_RANDOM_TPM=y +CONFIG_TCG_TIS_CORE=m +CONFIG_TCG_TIS=m +CONFIG_TCG_TIS_I2C_ATMEL=m +CONFIG_TCG_TIS_I2C_INFINEON=m +CONFIG_TCG_TIS_I2C_NUVOTON=m +CONFIG_TCG_NSC=m +CONFIG_TCG_ATMEL=m +CONFIG_TCG_INFINEON=m +CONFIG_TCG_XEN=m +CONFIG_TCG_CRB=m +CONFIG_TCG_VTPM_PROXY=m +CONFIG_TCG_TIS_ST33ZP24=m +CONFIG_TCG_TIS_ST33ZP24_I2C=m # CONFIG_TELCLOCK is not set # CONFIG_XILLYBUS is not set # end of Character devices @@ -6746,6 +6760,7 @@ CONFIG_IO_WQ=y CONFIG_KEYS=y # CONFIG_KEYS_REQUEST_CACHE is not set # CONFIG_PERSISTENT_KEYRINGS is not set +# CONFIG_TRUSTED_KEYS is not set # CONFIG_ENCRYPTED_KEYS is not set # CONFIG_KEY_DH_OPERATIONS is not set CONFIG_SECURITY_DMESG_RESTRICT=y