[isar-cip-core,v2,2/2] initramfs: Add recipe for optee based ftpm hook

Commit Message

Su Baocheng June 6, 2023, 3:55 a.m. UTC

From: Baocheng Su <baocheng.su@siemens.com>

Prepare for initramfs applications relying on TPM, such as clevis or
systemd-cryptsetup

Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
---
 .../initramfs-ms-ftpm-hook/files/ms-ftpm.hook | 38 ++++++++++++++++
 .../files/ms-ftpm.script                      | 43 +++++++++++++++++++
 .../initramfs-ms-ftpm-hook_0.1.bb             | 30 +++++++++++++
 3 files changed, 111 insertions(+)
 create mode 100644 recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.hook
 create mode 100644 recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.script
 create mode 100644 recipes-initramfs/initramfs-ms-ftpm-hook/initramfs-ms-ftpm-hook_0.1.bb

Patch

diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.hook b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.hook
new file mode 100644
index 0000000..6db4ef9
--- /dev/null
+++ b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.hook
@@ -0,0 +1,38 @@ 
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+PREREQ=""
+prereqs()
+{
+    echo "$PREREQ"
+}
+case $1 in
+prereqs)
+    prereqs
+    exit 0
+    ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+hook_error() {
+    echo "(ERROR): $2" >&2
+    exit 1
+}
+
+# Just in case these modules are not built-in. For stock debian arm64 kernel,
+# the tee.ko and the optee.ko exist since bookworm; the tpm_ftpm_tee.ko does not
+# exist in any stock debian kernels, it could be provided by customized kernel.
+manual_add_modules tee
+manual_add_modules optee
+manual_add_modules tpm_ftpm_tee
+
+copy_exec /usr/sbin/tee-supplicant || hook_error "/usr/sbin/tee-supplicant not found"
diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.script b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.script
new file mode 100644
index 0000000..c6ee2dd
--- /dev/null
+++ b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.script
@@ -0,0 +1,43 @@ 
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+PREREQ=""
+
+prereqs()
+{
+	echo "$PREREQ"
+}
+
+case $1 in
+# get pre-requisites
+prereqs)
+	prereqs
+	exit 0
+	;;
+esac
+
+FTPM_DEV=/dev/tpmrm0
+
+. /scripts/functions
+
+/usr/sbin/tee-supplicant -d
+
+# The fTPM TA would take some time to be discovered as well as the tee-supplicant
+# 10 seconds should be enough
+wait_sec=10
+until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do
+	wait_sec=$((wait_sec-1))
+	sleep 1
+done
+
+if ! test -c "${FTPM_DEV}"; then
+    panic "Can't discover the fTPM device ${FTPM_DEV}!"
+fi
diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/initramfs-ms-ftpm-hook_0.1.bb b/recipes-initramfs/initramfs-ms-ftpm-hook/initramfs-ms-ftpm-hook_0.1.bb
new file mode 100644
index 0000000..fece6ff
--- /dev/null
+++ b/recipes-initramfs/initramfs-ms-ftpm-hook/initramfs-ms-ftpm-hook_0.1.bb
@@ -0,0 +1,30 @@ 
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+SRC_URI += " \
+    file://ms-ftpm.hook \
+    file://ms-ftpm.script \
+    "
+
+DEBIAN_DEPENDS = "initramfs-tools, tee-supplicant"
+
+do_install[cleandirs] += " \
+    ${D}/usr/share/initramfs-tools/hooks \
+    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
+
+do_install() {
+    install -m 0755 "${WORKDIR}/ms-ftpm.hook" \
+        "${D}/usr/share/initramfs-tools/hooks/ms-ftpm"
+    install -m 0755 "${WORKDIR}/ms-ftpm.script" \
+        "${D}/usr/share/initramfs-tools/scripts/local-bottom/ms-ftpm"
+}