Message ID | 20240417110722.283283-2-mikko.rapeli@linaro.org |
---|---|
State | New |
Headers | show |
Series | [1/2] trusted-firmware-a: continue if TPM device is missing | expand |
Hi Mikko, On Wed, 17 Apr 2024 at 04:08, Mikko Rapeli via lists.yoctoproject.org <mikko.rapeli=linaro.org@lists.yoctoproject.org> wrote: > > Userspace like systemd boot manager would need to know > how to find TPM and fTPM devices for rootfs encryption. > Thus expose an fTPM TA enumeration also without tee-supplicant fTPM TA due to secure storage requirements needs a tee-supplicant to be up and running for a successful kernel driver probe. So CI failure is expected as you see in the other thread. So it's a chicken and egg situation for your rootfs encryption use-case. I suppose once the RPMB subsystem [1] makes its way into the mainline kernel then the dependency on tee-supplicant can be dropped. [1] https://lists.trustedfirmware.org/archives/list/op-tee@lists.trustedfirmware.org/thread/6A62HMDQST2O3T2UGGN6UPXZKLKLUNM4/ -Sumit > so that early boot managers can start tee-supplicant and > wait for the fTPM device before continuing with TPM2 > use cases. > > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> > --- > .../optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch > index 7c61105b..175875c1 100644 > --- a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch > +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch > @@ -21,7 +21,7 @@ index 92c33c1..e83619d 100644 > #define TA_UUID TA_FTPM_UUID > > -#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE) > -+#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP) > ++#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM ) > #define TA_STACK_SIZE (64 * 1024) > #define TA_DATA_SIZE (32 * 1024) > > -- > 2.34.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#5555): https://lists.yoctoproject.org/g/meta-arm/message/5555 > Mute This Topic: https://lists.yoctoproject.org/mt/105574761/1777089 > Group Owner: meta-arm+owner@lists.yoctoproject.org > Unsubscribe: https://lists.yoctoproject.org/g/meta-arm/unsub [sumit.garg@linaro.org] > -=-=-=-=-=-=-=-=-=-=-=- >
Hi, On Mon, Apr 22, 2024 at 01:02:49AM -0700, Sumit Garg wrote: > Hi Mikko, > > On Wed, 17 Apr 2024 at 04:08, Mikko Rapeli via lists.yoctoproject.org > <mikko.rapeli=linaro.org@lists.yoctoproject.org> wrote: > > > > Userspace like systemd boot manager would need to know > > how to find TPM and fTPM devices for rootfs encryption. > > Thus expose an fTPM TA enumeration also without tee-supplicant > > fTPM TA due to secure storage requirements needs a tee-supplicant to > be up and running for a successful kernel driver probe. So CI failure > is expected as you see in the other thread. > > So it's a chicken and egg situation for your rootfs encryption > use-case. I suppose once the RPMB subsystem [1] makes its way into the > mainline kernel then the dependency on tee-supplicant can be dropped. > > [1] https://lists.trustedfirmware.org/archives/list/op-tee@lists.trustedfirmware.org/thread/6A62HMDQST2O3T2UGGN6UPXZKLKLUNM4/ Yes, optee and kernel RPMB support without tee-supplicant in userspace are the reason why I'm testing changes like this. I actually have both the optee and kernel changes applied in the setup I'm testing and am trying to upstream some of the changes. It can be that this fTPM enumeration change doesn't work without the optee and kernel RPMB changes. For testing purposes the tf-a change is very nice to have so that qemu boot with and without swtpm can be tested. I'll look into details of this fTPM enumeration related error. Cheers, -Mikko
diff --git a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch index 7c61105b..175875c1 100644 --- a/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch +++ b/meta-arm/recipes-security/optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch @@ -21,7 +21,7 @@ index 92c33c1..e83619d 100644 #define TA_UUID TA_FTPM_UUID -#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE) -+#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM_SUPP) ++#define TA_FLAGS (TA_FLAG_SINGLE_INSTANCE | TA_FLAG_INSTANCE_KEEP_ALIVE | TA_FLAG_DEVICE_ENUM ) #define TA_STACK_SIZE (64 * 1024) #define TA_DATA_SIZE (32 * 1024)
Userspace like systemd boot manager would need to know how to find TPM and fTPM devices for rootfs encryption. Thus expose an fTPM TA enumeration also without tee-supplicant so that early boot managers can start tee-supplicant and wait for the fTPM device before continuing with TPM2 use cases. Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> --- .../optee-ftpm/optee-ftpm/0001-add-enum-to-ta-flags.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)