From patchwork Wed May 24 03:15:03 2023
X-Patchwork-Submitter: "Su, Bao Cheng"
X-Patchwork-Id: 13253246
From: "Su, Bao Cheng"
To: "cip-dev@lists.cip-project.org"
CC: "Storm, Christian", "Gylstorff, Quirin", "Kiszka, Jan", "Su, Bao Cheng"
Subject: [isar-cip-core][PATCH 2/2] initramfs: Add recipe for optee based ftpm hook
Date: Wed, 24 May 2023 03:15:03 +0000
Message-ID: <664ef5ea0fa832ff709718b249a93864f98714c6.camel@siemens.com>
User-Agent: Evolution 3.38.3-1+deb11u2
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/11625

Prepare for initramfs applications relying on TPM, such as clevis or systemd-cryptsetup

Signed-off-by: Baocheng Su
---
 .../initramfs-ms-ftpm-hook/files/ms-ftpm.hook | 36 ++++++++++++++++
 .../files/ms-ftpm.script                      | 43 +++++++++++++++++++
 .../initramfs-ms-ftpm-hook_0.1.bb             | 30 +++++++++++++
 3 files changed, 109 insertions(+)
 create mode 100644 recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.hook
 create mode 100644 recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.script
 create mode 100644 recipes-initramfs/initramfs-ms-ftpm-hook/initramfs-ms-ftpm-hook_0.1.bb

diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.hook b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.hook
new file mode 100644
index 0000000..998ae62
--- /dev/null
+++ b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.hook
@@ -0,0 +1,36 @@ +#!/bin/sh +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT +# +PREREQ="" +prereqs() +{ + echo "$PREREQ" +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +hook_error() { + echo "(ERROR): $2" >&2 + exit 1 +} + +# Just in case these modules are not built-in +manual_add_modules tee +manual_add_modules optee +manual_add_modules tpm_ftpm_tee + +copy_exec /usr/sbin/tee-supplicant || hook_error "/usr/sbin/tee-supplicant not found" diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.script b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.script new file mode 100644 index 0000000..c6ee2dd --- /dev/null +++ b/recipes-initramfs/initramfs-ms-ftpm-hook/files/ms-ftpm.script @@ -0,0 +1,43 @@ +#!/bin/sh +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT +# +PREREQ="" + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in +# get pre-requisites +prereqs) + prereqs + exit 0 + ;; +esac + +FTPM_DEV=/dev/tpmrm0 + +. /scripts/functions + +/usr/sbin/tee-supplicant -d + +# The fTPM TA would take some time to be discovered as well as the tee-supplicant +# 10 seconds should be enough +wait_sec=10 +until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do + wait_sec=$((wait_sec-1)) + sleep 1 +done + +if ! test -c "${FTPM_DEV}"; then + panic "Can't discover the fTPM device ${FTPM_DEV}!" +fi diff --git a/recipes-initramfs/initramfs-ms-ftpm-hook/initramfs-ms-ftpm-hook_0.1.bb b/recipes-initramfs/initramfs-ms-ftpm-hook/initramfs-ms-ftpm-hook_0.1.bb new file mode 100644 index 0000000..fece6ff --- /dev/null +++ b/recipes-initramfs/initramfs-ms-ftpm-hook/initramfs-ms-ftpm-hook_0.1.bb 
@@ -0,0 +1,30 @@ +# +# CIP Core, generic profile +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg-raw + +SRC_URI += " \ + file://ms-ftpm.hook \ + file://ms-ftpm.script \ + " + +DEBIAN_DEPENDS = "initramfs-tools, tee-supplicant" + +do_install[cleandirs] += " \ + ${D}/usr/share/initramfs-tools/hooks \ + ${D}/usr/share/initramfs-tools/scripts/local-bottom" + +do_install() { + install -m 0755 "${WORKDIR}/ms-ftpm.hook" \ + "${D}/usr/share/initramfs-tools/hooks/ms-ftpm" + install -m 0755 "${WORKDIR}/ms-ftpm.script" \ + "${D}/usr/share/initramfs-tools/scripts/local-bottom/ms-ftpm" +}
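Review bot: in ms-ftpm.hook, `hook_error()` prints `$2` but its only call site passes a single argument (`copy_exec /usr/sbin/tee-supplicant || hook_error "/usr/sbin/tee-supplicant not found"`), so when copy_exec fails the message printed is an empty `(ERROR): ` and the reason is lost; either echo `$1` (or `$*`) in the function or keep the two-argument shape and call it that way. A second point for the same hook: copy_exec brings in the supplicant binary and its shared-library dependencies, but no TA files are copied, so please confirm that the fTPM TA is available to OP-TEE without the supplicant having to load it from the normal-world filesystem; if it is loaded from the filesystem, the TA has to be placed into the initramfs as well.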
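Review bot: in ms-ftpm.script the exit status of `/usr/sbin/tee-supplicant -d` is ignored, so if the supplicant fails to start (for example because the tee/optee modules did not load and there is no TEE device), the script still sleeps for the full 10 seconds and then panics with "Can't discover the fTPM device", which points at the wrong cause; check the return value and panic with a supplicant-specific message before entering the wait loop. Also, the daemon started here is still running when the real root is switched to and nothing in the script stops it; if the root filesystem runs its own tee-supplicant service, that instance will find the TEE already claimed, so the patch should state how that hand-over is meant to work (the initramfs instance is kept, or the rootfs must not start a second one).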
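Review bot: the recipe installs the script under scripts/local-bottom, which initramfs-tools runs only after the root filesystem has been mounted (and only for BOOT=local), yet the commit message motivates the change with clevis and systemd-cryptsetup, which need the TPM while the root device is being unlocked, i.e. at local-top time; if the intent is to unlock an encrypted root, this should be a local-top (or at least local-premount) script with a PREREQ ordering against cryptroot, and if the intent is only to have the fTPM ready for a data partition that is set up after root is mounted, the commit message should say so. Minor: both installed scripts set `PREREQ=""`, which is fine for local-bottom but needs revisiting if the placement changes.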