Message ID | 664ef5ea0fa832ff709718b249a93864f98714c6.camel@siemens.com (mailing list archive) |
State | Superseded |
Series | [isar-cip-core,1/2] Add recipe for optee-client | expand |
On Wed, 2023-05-24 at 03:15 +0000, Su, Bao Cheng wrote: > Prepare for initramfs applications replying on TPM, such as clevis or ^^^^^^^^ I guess it should be relying --------| Felix > systemd-cryptsetup > > Signed-off-by: Baocheng Su <baocheng.su@siemens.com> > --- > .../initramfs-ms-ftpm-hook/files/ms-ftpm.hook | 36 ++++++++++++++++ > .../files/ms-ftpm.script | 43 > +++++++++++++++++++ > .../initramfs-ms-ftpm-hook_0.1.bb | 30 +++++++++++++ > 3 files changed, 109 insertions(+) > create mode 100644 recipes-initramfs/initramfs-ms-ftpm- > hook/files/ms-ftpm.hook > create mode 100644 recipes-initramfs/initramfs-ms-ftpm- > hook/files/ms-ftpm.script > create mode 100644 recipes-initramfs/initramfs-ms-ftpm- > hook/initramfs-ms-ftpm-hook_0.1.bb > > diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms- > ftpm.hook b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms- > ftpm.hook > new file mode 100644 > index 0000000..998ae62 > --- /dev/null > +++ b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.hook > @@ -0,0 +1,36 @@ > +#!/bin/sh > +# > +# CIP Core, generic profile > +# > +# Copyright (c) Siemens AG, 2023 > +# > +# Authors: > +# Su Bao Cheng <baocheng.su@siemens.com> > +# > +# SPDX-License-Identifier: MIT > +# > +PREREQ="" > +prereqs() > +{ > + echo "$PREREQ" > +} > +case $1 in > +prereqs) > + prereqs > + exit 0 > + ;; > +esac > + > +. /usr/share/initramfs-tools/hook-functions > + > +hook_error() { > + echo "(ERROR): $2" >&2 > + exit 1 > +} > + > +# Just in case these modules are not built-in > +manual_add_modules tee > +manual_add_modules optee > +manual_add_modules tpm_ftpm_tee Are these modules available in a stock Debian kernel as well? > + > +copy_exec /usr/sbin/tee-supplicant || hook_error "/usr/sbin/tee- > supplicant not found" > diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms- > ftpm.script b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms- > ftpm.script > new file mode 100644 > index 0000000..c6ee2dd > --- /dev/null 
> +++ b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.script > @@ -0,0 +1,43 @@ > +#!/bin/sh > +# > +# CIP Core, generic profile > +# > +# Copyright (c) Siemens AG, 2023 > +# > +# Authors: > +# Su Bao Cheng <baocheng.su@siemens.com> > +# > +# SPDX-License-Identifier: MIT > +# > +PREREQ="" > + > +prereqs() > +{ > + echo "$PREREQ" > +} > + > +case $1 in > +# get pre-requisites > +prereqs) > + prereqs > + exit 0 > + ;; > +esac > + > +FTPM_DEV=/dev/tpmrm0 > + > +. /scripts/functions > + > +/usr/sbin/tee-supplicant -d > + > +# The fTPM TA would take some time to be discovered as well as the > tee-supplicant > +# 10 seconds should be enough > +wait_sec=10 > +until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do > + wait_sec=$((wait_sec-1)) > + sleep 1 > +done > + > +if ! test -c "${FTPM_DEV}"; then > + panic "Can't discover the fTPM device ${FTPM_DEV}!" > +fi > diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/initramfs-ms- > ftpm-hook_0.1.bb b/recipes-initramfs/initramfs-ms-ftpm- > hook/initramfs-ms-ftpm-hook_0.1.bb > new file mode 100644 > index 0000000..fece6ff > --- /dev/null > +++ b/recipes-initramfs/initramfs-ms-ftpm-hook/initramfs-ms-ftpm- > hook_0.1 Where is this package actually used? I can't see that it is added to the initramfs recipe. Felix > .bb 
> @@ -0,0 +1,30 @@ > +# > +# CIP Core, generic profile > +# > +# Copyright (c) Siemens AG, 2023 > +# > +# Authors: > +# Su Bao Cheng <baocheng.su@siemens.com> > +# > +# SPDX-License-Identifier: MIT > +# > + > +inherit dpkg-raw > + > +SRC_URI += " \ > + file://ms-ftpm.hook \ > + file://ms-ftpm.script \ > + " > + > +DEBIAN_DEPENDS = "initramfs-tools, tee-supplicant" > + > +do_install[cleandirs] += " \ > + ${D}/usr/share/initramfs-tools/hooks \ > + ${D}/usr/share/initramfs-tools/scripts/local-bottom" > + > +do_install() { > + install -m 0755 "${WORKDIR}/ms-ftpm.hook" \ > + "${D}/usr/share/initramfs-tools/hooks/ms-ftpm" > + install -m 0755 "${WORKDIR}/ms-ftpm.script" \ > + "${D}/usr/share/initramfs-tools/scripts/local-bottom/ms- > ftpm" > +} >
On Fri, 2023-05-26 at 14:42 +0800, MOESSBAUER, Felix (T CED INW-CN) wrote: > On Wed, 2023-05-24 at 03:15 +0000, Su, Bao Cheng wrote: > > Prepare for initramfs applications replying on TPM, such as clevis > > or > ^^^^^^^^ > I guess it should be relying --------| Yep, :) > > Felix > > > systemd-cryptsetup > > > > Signed-off-by: Baocheng Su <baocheng.su@siemens.com> > > --- > > .../initramfs-ms-ftpm-hook/files/ms-ftpm.hook | 36 > > ++++++++++++++++ > > .../files/ms-ftpm.script | 43 > > +++++++++++++++++++ > > .../initramfs-ms-ftpm-hook_0.1.bb | 30 +++++++++++++ > > 3 files changed, 109 insertions(+) > > create mode 100644 recipes-initramfs/initramfs-ms-ftpm- > > hook/files/ms-ftpm.hook > > create mode 100644 recipes-initramfs/initramfs-ms-ftpm- > > hook/files/ms-ftpm.script > > create mode 100644 recipes-initramfs/initramfs-ms-ftpm- > > hook/initramfs-ms-ftpm-hook_0.1.bb > > > > diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms- > > ftpm.hook b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms- > > ftpm.hook > > new file mode 100644 > > index 0000000..998ae62 > > --- /dev/null > > +++ b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.hook 
> > @@ -0,0 +1,36 @@ > > +#!/bin/sh > > +# > > +# CIP Core, generic profile > > +# > > +# Copyright (c) Siemens AG, 2023 > > +# > > +# Authors: > > +# Su Bao Cheng <baocheng.su@siemens.com> > > +# > > +# SPDX-License-Identifier: MIT > > +# > > +PREREQ="" > > +prereqs() > > +{ > > + echo "$PREREQ" > > +} > > +case $1 in > > +prereqs) > > + prereqs > > + exit 0 > > + ;; > > +esac > > + > > +. /usr/share/initramfs-tools/hook-functions > > + > > +hook_error() { > > + echo "(ERROR): $2" >&2 > > + exit 1 > > +} > > + > > +# Just in case these modules are not built-in > > +manual_add_modules tee > > +manual_add_modules optee > > +manual_add_modules tpm_ftpm_tee > > Are these modules available in a stock Debian kernel as well? Are you referring to the official arm64 kernel of Debian? Haven't checked it yet. For amd64, however, I don't expect the optee & tpm_ftpm_tee in the stock debian kernel. AMD also provides a TEE, so tpm_ftpm_tee may be possible on amd64. > > > + > > +copy_exec /usr/sbin/tee-supplicant || hook_error "/usr/sbin/tee- > > supplicant not found" > > diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms- > > ftpm.script b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms- > > ftpm.script > > new file mode 100644 > > index 0000000..c6ee2dd > > --- /dev/null > > +++ b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.script 
> > @@ -0,0 +1,43 @@ > > +#!/bin/sh > > +# > > +# CIP Core, generic profile > > +# > > +# Copyright (c) Siemens AG, 2023 > > +# > > +# Authors: > > +# Su Bao Cheng <baocheng.su@siemens.com> > > +# > > +# SPDX-License-Identifier: MIT > > +# > > +PREREQ="" > > + > > +prereqs() > > +{ > > + echo "$PREREQ" > > +} > > + > > +case $1 in > > +# get pre-requisites > > +prereqs) > > + prereqs > > + exit 0 > > + ;; > > +esac > > + > > +FTPM_DEV=/dev/tpmrm0 > > + > > +. /scripts/functions > > + > > +/usr/sbin/tee-supplicant -d > > + > > +# The fTPM TA would take some time to be discovered as well as the > > tee-supplicant > > +# 10 seconds should be enough > > +wait_sec=10 > > +until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do > > + wait_sec=$((wait_sec-1)) > > + sleep 1 > > +done > > + > > +if ! test -c "${FTPM_DEV}"; then > > + panic "Can't discover the fTPM device ${FTPM_DEV}!" > > +fi > > diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/initramfs-ms- > > ftpm-hook_0.1.bb b/recipes-initramfs/initramfs-ms-ftpm- > > hook/initramfs-ms-ftpm-hook_0.1.bb > > new file mode 100644 > > index 0000000..fece6ff > > --- /dev/null > > +++ b/recipes-initramfs/initramfs-ms-ftpm-hook/initramfs-ms-ftpm- > > hook_0.1 > > Where is this package actually used? I can't see that it is added to > the initramfs recipe. > It would be used in the downstream meta-iot2050, see https://github.com/siemens/meta-iot2050/pull/442. - Baocheng > Felix > > > .bb 
> > @@ -0,0 +1,30 @@ > > +# > > +# CIP Core, generic profile > > +# > > +# Copyright (c) Siemens AG, 2023 > > +# > > +# Authors: > > +# Su Bao Cheng <baocheng.su@siemens.com> > > +# > > +# SPDX-License-Identifier: MIT > > +# > > + > > +inherit dpkg-raw > > + > > +SRC_URI += " \ > > + file://ms-ftpm.hook \ > > + file://ms-ftpm.script \ > > + " > > + > > +DEBIAN_DEPENDS = "initramfs-tools, tee-supplicant" > > + > > +do_install[cleandirs] += " \ > > + ${D}/usr/share/initramfs-tools/hooks \ > > + ${D}/usr/share/initramfs-tools/scripts/local-bottom" > > + > > +do_install() { > > + install -m 0755 "${WORKDIR}/ms-ftpm.hook" \ > > + "${D}/usr/share/initramfs-tools/hooks/ms-ftpm" > > + install -m 0755 "${WORKDIR}/ms-ftpm.script" \ > > + "${D}/usr/share/initramfs-tools/scripts/local-bottom/ms- > > ftpm" > > +} > > >
On Mon, 2023-05-29 at 16:03 +0800, Su, Bao Cheng (DI FA CTR IPC CN PRC4) wrote: > On Fri, 2023-05-26 at 14:42 +0800, MOESSBAUER, Felix (T CED INW-CN) > wrote: > > On Wed, 2023-05-24 at 03:15 +0000, Su, Bao Cheng wrote: > > > Prepare for initramfs applications replying on TPM, such as > > > clevis > > > or > > ^^^^^^^^ > > I guess it should be relying --------| > > Yep, :) > > > > > Felix > > > > > systemd-cryptsetup > > > > > > Signed-off-by: Baocheng Su <baocheng.su@siemens.com> > > > --- > > > .../initramfs-ms-ftpm-hook/files/ms-ftpm.hook | 36 > > > ++++++++++++++++ > > > .../files/ms-ftpm.script | 43 > > > +++++++++++++++++++ > > > .../initramfs-ms-ftpm-hook_0.1.bb | 30 +++++++++++++ > > > 3 files changed, 109 insertions(+) > > > create mode 100644 recipes-initramfs/initramfs-ms-ftpm- > > > hook/files/ms-ftpm.hook > > > create mode 100644 recipes-initramfs/initramfs-ms-ftpm- > > > hook/files/ms-ftpm.script > > > create mode 100644 recipes-initramfs/initramfs-ms-ftpm- > > > hook/initramfs-ms-ftpm-hook_0.1.bb > > > > > > diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms- > > > ftpm.hook b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms- > > > ftpm.hook > > > new file mode 100644 > > > index 0000000..998ae62 > > > --- /dev/null > > > +++ b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.hook 
> > > @@ -0,0 +1,36 @@ > > > +#!/bin/sh > > > +# > > > +# CIP Core, generic profile > > > +# > > > +# Copyright (c) Siemens AG, 2023 > > > +# > > > +# Authors: > > > +# Su Bao Cheng <baocheng.su@siemens.com> > > > +# > > > +# SPDX-License-Identifier: MIT > > > +# > > > +PREREQ="" > > > +prereqs() > > > +{ > > > + echo "$PREREQ" > > > +} > > > +case $1 in > > > +prereqs) > > > + prereqs > > > + exit 0 > > > + ;; > > > +esac > > > + > > > +. /usr/share/initramfs-tools/hook-functions > > > + > > > +hook_error() { > > > + echo "(ERROR): $2" >&2 > > > + exit 1 > > > +} > > > + > > > +# Just in case these modules are not built-in > > > +manual_add_modules tee > > > +manual_add_modules optee > > > +manual_add_modules tpm_ftpm_tee > > > > Are these modules available in a stock Debian kernel as well? > > Are you referring to the official arm64 kernel of Debian? Haven't > checked it yet. For amd64, however, I don't expect the optee & > tpm_ftpm_tee in the stock debian kernel. Yes, I was referring to the stock debian kernels for arm64. If not, that should not be a problem here, but we should at least document it. I hope the CIP kernel provides these modules. > > AMD also provides a TEE, so tpm_ftpm_tee may be possible on amd64. > > > > > > + > > > +copy_exec /usr/sbin/tee-supplicant || hook_error "/usr/sbin/tee- > > > supplicant not found" > > > diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms- > > > ftpm.script b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms- > > > ftpm.script > > > new file mode 100644 > > > index 0000000..c6ee2dd > > > --- /dev/null > > > +++ b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms- > > > ftpm.script 
> > > @@ -0,0 +1,43 @@ > > > +#!/bin/sh > > > +# > > > +# CIP Core, generic profile > > > +# > > > +# Copyright (c) Siemens AG, 2023 > > > +# > > > +# Authors: > > > +# Su Bao Cheng <baocheng.su@siemens.com> > > > +# > > > +# SPDX-License-Identifier: MIT > > > +# > > > +PREREQ="" > > > + > > > +prereqs() > > > +{ > > > + echo "$PREREQ" > > > +} > > > + > > > +case $1 in > > > +# get pre-requisites > > > +prereqs) > > > + prereqs > > > + exit 0 > > > + ;; > > > +esac > > > + > > > +FTPM_DEV=/dev/tpmrm0 > > > + > > > +. /scripts/functions > > > + > > > +/usr/sbin/tee-supplicant -d > > > + > > > +# The fTPM TA would take some time to be discovered as well as > > > the > > > tee-supplicant > > > +# 10 seconds should be enough > > > +wait_sec=10 > > > +until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do > > > + wait_sec=$((wait_sec-1)) > > > + sleep 1 > > > +done > > > + > > > +if ! test -c "${FTPM_DEV}"; then > > > + panic "Can't discover the fTPM device ${FTPM_DEV}!" > > > +fi > > > diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/initramfs- > > > ms- > > > ftpm-hook_0.1.bb b/recipes-initramfs/initramfs-ms-ftpm- > > > hook/initramfs-ms-ftpm-hook_0.1.bb > > > new file mode 100644 > > > index 0000000..fece6ff > > > --- /dev/null > > > +++ b/recipes-initramfs/initramfs-ms-ftpm-hook/initramfs-ms-ftpm- > > > hook_0.1 > > > > Where is this package actually used? I can't see that it is added > > to > > the initramfs recipe. > > > > It would be used in the downstream meta-iot2050, see > https://github.com/siemens/meta-iot2050/pull/442. This is unfortunately not sufficient. We need a user in cip-core as well to make sure the package does not break over time. Felix > > - Baocheng > > > Felix > > > > > .bb 
> > > @@ -0,0 +1,30 @@ > > > +# > > > +# CIP Core, generic profile > > > +# > > > +# Copyright (c) Siemens AG, 2023 > > > +# > > > +# Authors: > > > +# Su Bao Cheng <baocheng.su@siemens.com> > > > +# > > > +# SPDX-License-Identifier: MIT > > > +# > > > + > > > +inherit dpkg-raw > > > + > > > +SRC_URI += " \ > > > + file://ms-ftpm.hook \ > > > + file://ms-ftpm.script \ > > > + " > > > + > > > +DEBIAN_DEPENDS = "initramfs-tools, tee-supplicant" > > > + > > > +do_install[cleandirs] += " \ > > > + ${D}/usr/share/initramfs-tools/hooks \ > > > + ${D}/usr/share/initramfs-tools/scripts/local-bottom" > > > + > > > +do_install() { > > > + install -m 0755 "${WORKDIR}/ms-ftpm.hook" \ > > > + "${D}/usr/share/initramfs-tools/hooks/ms-ftpm" > > > + install -m 0755 "${WORKDIR}/ms-ftpm.script" \ > > > + "${D}/usr/share/initramfs-tools/scripts/local-bottom/ms- > > > ftpm" > > > +} > > > > > >
On 29.05.23 11:29, MOESSBAUER, Felix (T CED INW-CN) wrote: > On Mon, 2023-05-29 at 16:03 +0800, Su, Bao Cheng (DI FA CTR IPC CN > PRC4) wrote: >> On Fri, 2023-05-26 at 14:42 +0800, MOESSBAUER, Felix (T CED INW-CN) >> wrote: >>> On Wed, 2023-05-24 at 03:15 +0000, Su, Bao Cheng wrote: >>>> Prepare for initramfs applications replying on TPM, such as >>>> clevis >>>> or >>> ^^^^^^^^ >>> I guess it should be relying --------| >> >> Yep, :) >> >>> >>> Felix >>> >>>> systemd-cryptsetup >>>> >>>> Signed-off-by: Baocheng Su <baocheng.su@siemens.com> >>>> --- >>>> .../initramfs-ms-ftpm-hook/files/ms-ftpm.hook | 36 >>>> ++++++++++++++++ >>>> .../files/ms-ftpm.script | 43 >>>> +++++++++++++++++++ >>>> .../initramfs-ms-ftpm-hook_0.1.bb | 30 +++++++++++++ >>>> 3 files changed, 109 insertions(+) >>>> create mode 100644 recipes-initramfs/initramfs-ms-ftpm- >>>> hook/files/ms-ftpm.hook >>>> create mode 100644 recipes-initramfs/initramfs-ms-ftpm- >>>> hook/files/ms-ftpm.script >>>> create mode 100644 recipes-initramfs/initramfs-ms-ftpm- >>>> hook/initramfs-ms-ftpm-hook_0.1.bb >>>> >>>> diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms- >>>> ftpm.hook b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms- >>>> ftpm.hook >>>> new file mode 100644 >>>> index 0000000..998ae62 >>>> --- /dev/null >>>> +++ b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.hook 
>>>> @@ -0,0 +1,36 @@ >>>> +#!/bin/sh >>>> +# >>>> +# CIP Core, generic profile >>>> +# >>>> +# Copyright (c) Siemens AG, 2023 >>>> +# >>>> +# Authors: >>>> +# Su Bao Cheng <baocheng.su@siemens.com> >>>> +# >>>> +# SPDX-License-Identifier: MIT >>>> +# >>>> +PREREQ="" >>>> +prereqs() >>>> +{ >>>> + echo "$PREREQ" >>>> +} >>>> +case $1 in >>>> +prereqs) >>>> + prereqs >>>> + exit 0 >>>> + ;; >>>> +esac >>>> + >>>> +. /usr/share/initramfs-tools/hook-functions >>>> + >>>> +hook_error() { >>>> + echo "(ERROR): $2" >&2 >>>> + exit 1 >>>> +} >>>> + >>>> +# Just in case these modules are not built-in >>>> +manual_add_modules tee >>>> +manual_add_modules optee >>>> +manual_add_modules tpm_ftpm_tee >>> >>> Are these modules available in a stock Debian kernel as well? >> >> Are you referring to the official arm64 kernel of Debian? Haven't >> checked it yet. For amd64, however, I don't expect the optee & >> tpm_ftpm_tee in the stock debian kernel. > > Yes, I was referring to the stock debian kernels for arm64. > If not, that should not be a problem here, but we should at least > document it. I hope the CIP kernel provides these modules. > >> >> AMD also provides a TEE, so tpm_ftpm_tee may be possible on amd64. >> >>> >>>> + >>>> +copy_exec /usr/sbin/tee-supplicant || hook_error "/usr/sbin/tee- >>>> supplicant not found" >>>> diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms- >>>> ftpm.script b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms- >>>> ftpm.script >>>> new file mode 100644 >>>> index 0000000..c6ee2dd >>>> --- /dev/null >>>> +++ b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms- >>>> ftpm.script 
>>>> @@ -0,0 +1,43 @@ >>>> +#!/bin/sh >>>> +# >>>> +# CIP Core, generic profile >>>> +# >>>> +# Copyright (c) Siemens AG, 2023 >>>> +# >>>> +# Authors: >>>> +# Su Bao Cheng <baocheng.su@siemens.com> >>>> +# >>>> +# SPDX-License-Identifier: MIT >>>> +# >>>> +PREREQ="" >>>> + >>>> +prereqs() >>>> +{ >>>> + echo "$PREREQ" >>>> +} >>>> + >>>> +case $1 in >>>> +# get pre-requisites >>>> +prereqs) >>>> + prereqs >>>> + exit 0 >>>> + ;; >>>> +esac >>>> + >>>> +FTPM_DEV=/dev/tpmrm0 >>>> + >>>> +. /scripts/functions >>>> + >>>> +/usr/sbin/tee-supplicant -d >>>> + >>>> +# The fTPM TA would take some time to be discovered as well as >>>> the >>>> tee-supplicant >>>> +# 10 seconds should be enough >>>> +wait_sec=10 >>>> +until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do >>>> + wait_sec=$((wait_sec-1)) >>>> + sleep 1 >>>> +done >>>> + >>>> +if ! test -c "${FTPM_DEV}"; then >>>> + panic "Can't discover the fTPM device ${FTPM_DEV}!" >>>> +fi >>>> diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/initramfs- >>>> ms- >>>> ftpm-hook_0.1.bb b/recipes-initramfs/initramfs-ms-ftpm- >>>> hook/initramfs-ms-ftpm-hook_0.1.bb >>>> new file mode 100644 >>>> index 0000000..fece6ff >>>> --- /dev/null >>>> +++ b/recipes-initramfs/initramfs-ms-ftpm-hook/initramfs-ms-ftpm- >>>> hook_0.1 >>> >>> Where is this package actually used? I can't see that it is added >>> to >>> the initramfs recipe. >>> >> >> It would be used in the downstream meta-iot2050, see >> https://github.com/siemens/meta-iot2050/pull/442. > > This is unfortunately not sufficient. We need a user in cip-core as > well to make sure the package does not break over time. You are invited to either add qemu support for RPMB or suggest a physical reference target that is both upstream supported and comes with eMMC/RPMB ;). Right now we have none of them unfortunately. Therefore, we already merged edk2-standalonemm-rpmb without in-tree user. Jan
diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.hook b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.hook
new file mode 100644
index 0000000..998ae62
--- /dev/null
+++ b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.hook
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+# Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+PREREQ=""
+prereqs()
+{
+ echo "$PREREQ"
+}
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+hook_error() {
+ echo "(ERROR): $2" >&2
+ exit 1
+}
+
+# Just in case these modules are not built-in
+manual_add_modules tee
+manual_add_modules optee
+manual_add_modules tpm_ftpm_tee
+
+copy_exec /usr/sbin/tee-supplicant || hook_error "/usr/sbin/tee-supplicant not found"
diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.script b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.script
new file mode 100644
index 0000000..c6ee2dd
--- /dev/null
+++ b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.script
@@ -0,0 +1,43 @@
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+# Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+PREREQ=""
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+# get pre-requisites
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+FTPM_DEV=/dev/tpmrm0
+
+. /scripts/functions
+
+/usr/sbin/tee-supplicant -d
+
+# The fTPM TA would take some time to be discovered as well as the tee-supplicant
+# 10 seconds should be enough
+wait_sec=10
+until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do
+ wait_sec=$((wait_sec-1))
+ sleep 1
+done
+
+if ! test -c "${FTPM_DEV}"; then
+ panic "Can't discover the fTPM device ${FTPM_DEV}!"
+fi
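Review bot: `hook_error` prints `$2`, but its only call site, `copy_exec /usr/sbin/tee-supplicant || hook_error "/usr/sbin/tee-supplicant not found"`, passes a single argument, so on failure the build log shows a bare `(ERROR): ` with no reason and the whole point of the message is lost. The function should use the first positional parameter: `echo "(ERROR): $1" >&2`. Since this hook aborts initramfs generation on that path, a readable diagnosis is what an operator debugging a non-booting image will rely on.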
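Review bot: The exit status of `/usr/sbin/tee-supplicant -d` is ignored, so if the supplicant fails to start the script still burns the full 10-second wait and then panics with a message that blames the fTPM device rather than the real cause; `/usr/sbin/tee-supplicant -d || panic "tee-supplicant failed to start"` reports the actual failure immediately. The fail-closed `panic` when `${FTPM_DEV}` never appears is the right behaviour for a script that gates disk unlocking and should stay. One thing to confirm: the recipe installs this script under `scripts/local-bottom`, which initramfs-tools runs after the root filesystem has been mounted; if the consumers named in the commit message (clevis, systemd-cryptsetup) need the fTPM to unlock the root device from `local-top`, this stage runs too late for them.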
diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/initramfs-ms-ftpm-hook_0.1.bb b/recipes-initramfs/initramfs-ms-ftpm-hook/initramfs-ms-ftpm-hook_0.1.bb
new file mode 100644
index 0000000..fece6ff
--- /dev/null
+++ b/recipes-initramfs/initramfs-ms-ftpm-hook/initramfs-ms-ftpm-hook_0.1.bb
@@ -0,0 +1,30 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+# Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+SRC_URI += " \
+ file://ms-ftpm.hook \
+ file://ms-ftpm.script \
+ "
+
+DEBIAN_DEPENDS = "initramfs-tools, tee-supplicant"
+
+do_install[cleandirs] += " \
+ ${D}/usr/share/initramfs-tools/hooks \
+ ${D}/usr/share/initramfs-tools/scripts/local-bottom"
+
+do_install() {
+ install -m 0755 "${WORKDIR}/ms-ftpm.hook" \
+ "${D}/usr/share/initramfs-tools/hooks/ms-ftpm"
+ install -m 0755 "${WORKDIR}/ms-ftpm.script" \
+ "${D}/usr/share/initramfs-tools/scripts/local-bottom/ms-ftpm"
+}
Prepare for initramfs applications relying on TPM, such as clevis or systemd-cryptsetup Signed-off-by: Baocheng Su <baocheng.su@siemens.com> --- .../initramfs-ms-ftpm-hook/files/ms-ftpm.hook | 36 ++++++++++++++++ .../files/ms-ftpm.script | 43 +++++++++++++++++++ .../initramfs-ms-ftpm-hook_0.1.bb | 30 +++++++++++++ 3 files changed, 109 insertions(+) create mode 100644 recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.hook create mode 100644 recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.script create mode 100644 recipes-initramfs/initramfs-ms-ftpm-hook/initramfs-ms-ftpm-hook_0.1.bb