From: Rakesh Kumar
To: isar-users
Date: Mon, 22 Jul 2024 06:31:25 -0700 (PDT)
Message-Id: <1520ebfe-5e48-4866-b4be-c9090a17e1fcn@googlegroups.com>
In-Reply-To: <5a0e3e458a2e951d09b435c96e05bb0cd0f4c5e1.camel@ilbers.de>
References: <20240710053335.2163596-1-kumar.rakesh@siemens.com> <5a0e3e458a2e951d09b435c96e05bb0cd0f4c5e1.camel@ilbers.de>
Subject: Re: [PATCH] initramfs: move fTPM and tee-supplicant initialization to local-top stage

Sure Uladzimir, I will take care of that going forward. Thanks!


Regards,
Rakesh

On Monday, July 22, 2024 at 2:22:35 PM UTC+5:30 Uladzimir Bely wrote:
On Mon, 2024-07-22 at 05:43 +0000, 'Kumar, Rakesh' via isar-users
wrote:
> Hi all,
>
> Any updates on this patch?
>
> If this patch needs any correction/improvement then please give your
> inputs on this.
>

We are going to check the patch in CI and merge as usual. A delay in
testing is due, among other things, to the lack of "v2" suffix in new
patch version. So, in e-mail hierarchy it still looks like first
version of the patch under discussion. Please further use "v2", "v3"...
when sending new versions of the patches.


> Regards,
> Rakesh
>
> -----Original Message-----
> From: Kiszka, Jan (T CED) <jan.k...@siemens.com>
> Sent: 10 July 2024 16:51
> To: Kumar, Rakesh (DI CTO FDS CES LX PBU 1)
> <kumar....@siemens.com>; isar-...@googlegroups.com; Gylstorff,
> Quirin (T CED OES-DE) <quirin.g...@siemens.com>
> Cc: Hombourger, Cedric (DI CTO FDS CES LX)
> <cedric.h...@siemens.com>
> Subject: Re: [PATCH] initramfs: move fTPM and tee-supplicant
> initialization to local-top stage
>
> On 10.07.24 07:33, Rakesh Kumar wrote:
> > To ensure proper initialization of the fTPM and tee-supplicant
> > services before the root filesystem is mounted, we are relocating
> > their initialization to the local-top section of initramfs. This
> > change ensures that the encrypted filesystems are properly initialized
> > and ready for use before the root filesystem is mounted at
> > local-bottom stage.
>
> Close but not fully correct: The rootfs is mounted AFTER the top
> stage and BEFORE bottom.
>
> >
> > Reason for local-top:
> >
> > * Early Initialization: The local-top scripts run before the root
> >   filesystem is mounted. This timing is essential for encrypted root
> >   filesystems since the decryption process must be completed before
> >   the filesystem can be accessed.
> >
> > * Dependency Handling: The encryption setup requires initializing
> >   dependencies such as fTPM (firmware Trusted Platform Module)
> >   devices. Performing these tasks early in the boot process ensures
> >   that all necessary components are in place before the root
> >   filesystem is mounted.
>
> This will still need some isar-cip-core patch in order to add a
> PREREQ on fTPM if a concrete target using fTPM for disk encryption.
> But Quirin just had another idea, leaving the stage to him now. :)
>
> Jan
>
> >
> > Signed-off-by: Rakesh Kumar <kumar....@siemens.com>
> > ---
> > =C2=A0.../initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb=C2=A0=C2=A0=C2= =A0 | 4
> > ++--
> > =C2=A0.../initramfs-tee-supplicant-hook_0.1.bb=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 | 4
> > ++--
> > =C2=A02 files changed, 4 insertions(+), 4 deletions(-)
> >=20
> > diff --git=20
> > a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-te= e-
> > ftpm-ho
> > ok_0.1.bb=20
> > b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-te= e-
> > ftpm-ho
> > ok_0.1.bb
> > index db38e618..82fec1bb 100644
> > ---=20
> > a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-te= e-
> > ftpm-ho
> > ok_0.1.bb
> > +++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramf= s-tee-
> > ftp
> > +++ m-hook_0.1.bb
> > @@ -17,11 +17,11 @@ DEBIAN_DEPENDS =3D "initramfs-tools&= quot;
> > =C2=A0
> > =C2=A0do_install[cleandirs] +=3D " \
> > =C2=A0=C2=A0=C2=A0=C2=A0 ${D}/usr/share/initramfs-tools/hooks= \
> > -=C2=A0=C2=A0=C2=A0 ${D}/usr/share/initramfs-tools/scripts/lo= cal-bottom"
> > +=C2=A0=C2=A0=C2=A0 ${D}/usr/share/initramfs-tools/scripts/lo= cal-top"
> > =C2=A0
> > =C2=A0do_install() {
> > =C2=A0=C2=A0=C2=A0=C2=A0 install -m 0755 "${WORKDIR}/tee= -ftpm.hook" \
> > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "${D}/u= sr/share/initramfs-tools/hooks/tee-ftpm"
> > =C2=A0=C2=A0=C2=A0=C2=A0 install -m 0755 "${WORKDIR}/tee= -ftpm.script" \
> > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "${D}/usr/sh= are/initramfs-tools/scripts/local-bottom/tee-
> > ftpm"
> > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "${D}/usr/sh= are/initramfs-tools/scripts/local-top/tee-
> > ftpm"
> > =C2=A0}
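Review bot: in do_install() only the destination directory of tee-ftpm.script changes; the script itself is not part of this patch, so whatever PREREQ it declares stays as it was written for local-bottom. Ordering between scripts of one stage comes from PREREQ, so v2 should either show the script's PREREQ (for example on tee-supplicant, if the fTPM needs the supplicant running first) or state in the commit message that ordering against the disk-unlock script is left to the consuming layer, which is what Jan's reply expects from isar-cip-core.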
> > diff --git=20
> > a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initra= mfs-
> > tee-s
> > upplicant-hook_0.1.bb=20
> > b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initra= mfs-
> > tee-s
> > upplicant-hook_0.1.bb
> > index 3768b8e0..a7a19bee 100644
> > ---=20
> > a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initra= mfs-
> > tee-s
> > upplicant-hook_0.1.bb
> > +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-
> > hook/initramfs-t
> > +++ ee-supplicant-h= ook_0.1.bb
> > @@ -17,11 +17,11 @@ DEBIAN_DEPENDS =3D "initramfs-tools,= tee-
> > supplicant, procps"
> > =C2=A0
> > =C2=A0do_install[cleandirs] +=3D " \
> > =C2=A0=C2=A0=C2=A0=C2=A0 ${D}/usr/share/initramfs-tools/hooks= \
> > -=C2=A0=C2=A0=C2=A0 ${D}/usr/share/initramfs-tools/scripts/lo= cal-bottom"
> > +=C2=A0=C2=A0=C2=A0 ${D}/usr/share/initramfs-tools/scripts/lo= cal-top"
> > =C2=A0
> > =C2=A0do_install() {
> > =C2=A0=C2=A0=C2=A0=C2=A0 install -m 0755 "${WORKDIR}/tee= -supplicant.hook" \
> > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "${D}/u= sr/share/initramfs-tools/hooks/tee-supplicant"
> > =C2=A0=C2=A0=C2=A0=C2=A0 install -m 0755 "${WORKDIR}/tee= -supplicant.script" \
> > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "${D}/usr/sh= are/initramfs-tools/scripts/local-bottom/tee-
> > supplicant"
> > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 "${D}/usr/sh= are/initramfs-tools/scripts/local-top/tee-
> > supplicant"
> > =C2=A0}
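Review bot: the installed path moves from scripts/local-bottom to scripts/local-top, yet the recipe is still initramfs-tee-supplicant-hook_0.1.bb (the same holds for initramfs-tee-ftpm-hook_0.1.bb), so unless the version is set elsewhere the package keeps version 0.1 with a different file layout. Consider bumping the recipe version in both recipes so that a package cache or an image that already holds 0.1 cannot silently keep the local-bottom script.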
>
> --
> Siemens AG, Technology
> Linux Expert Center
>

--
Best regards,
Uladzimir.
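
Added example (not part of the thread and not Isar or isar-cip-core code): initramfs-tools asks a boot script for its dependencies by running it with the argument `prereqs`, and it orders scripts only within one stage directory. The script below builds a constructed tree for the layout before and after the patch and reports prerequisites that a local-top script cannot get; the script name `unlock-disk` and all PREREQ values are assumptions.

```sh
#!/bin/sh
# Added example. "unlock-disk" is a hypothetical name for the script that
# opens the encrypted root; the PREREQ values are assumptions as well.

# Write a constructed boot script that answers the "prereqs" query the way
# initramfs-tools scripts conventionally do.
make_script() {  # make_script <stage-dir> <name> <PREREQ list>
    mkdir -p "$1"
    cat > "$1/$2" <<EOF
#!/bin/sh
PREREQ="$3"
prereqs() { echo "\$PREREQ"; }
case "\$1" in
prereqs) prereqs; exit 0 ;;
esac
# the script's real work would follow here
EOF
}

# Print every prerequisite of <name> that has no script in the same stage
# directory: PREREQ can only order scripts that live side by side.
missing_prereqs() {  # missing_prereqs <stage-dir> <name>
    for p in $(sh "$1/$2" prereqs); do
        if [ ! -f "$1/$p" ]; then
            echo "$p"
        fi
    done
}

# Build the layout before the patch (before) or after it (after).
build_tree() {  # build_tree <root> <before|after>
    stage=local-top
    if [ "$2" = before ]; then stage=local-bottom; fi
    make_script "$1/scripts/$stage" tee-supplicant ""
    make_script "$1/scripts/$stage" tee-ftpm "tee-supplicant"
    make_script "$1/scripts/local-top" unlock-disk "tee-ftpm"
}

tmp=$(mktemp -d)
build_tree "$tmp/old" before
build_tree "$tmp/new" after
echo "before: missing '$(missing_prereqs "$tmp/old/scripts/local-top" unlock-disk)'"
echo "after:  missing '$(missing_prereqs "$tmp/new/scripts/local-top" unlock-disk)'"
rm -rf "$tmp"
```

Run against an unpacked initramfs, `missing_prereqs` gives a quick build-time check that a PREREQ on the fTPM script can actually be satisfied in the stage where the unlock script runs.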


