From: baocheng_su@163.com
To: isar-users@googlegroups.com, jan.kiszka@siemens.com, felix.moessbauer@siemens.com
Cc: christian.storm@siemens.com, quirin.gylstorff@siemens.com, baocheng.su@siemens.com, baocheng_su@163.com
Subject: [PATCH v2 6/7] initramfs: Add recipe for tee-supplicant hook
Date: Thu, 22 Jun 2023 03:22:16 +0800
Message-Id: <20230621192217.2045717-7-baocheng_su@163.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20230621192217.2045717-1-baocheng_su@163.com>
References: <20230621192217.2045717-1-baocheng_su@163.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

From: Baocheng Su

This adds the tee-supplicant hook so that the tee-supplicant daemon is started at the initrd stage.

The tee-supplicant daemon is used to provide services to trusted applications running in optee, for example to provide the RPMB access service for the StMM or fTPM TAs. By running tee-supplicant at the initrd stage, disk encryption based on fTPM is possible.

stm32mp15x is used to demo the building of this hook, so add a new CI target for the initramfs image of stm32mp15x.
Signed-off-by: Baocheng Su --- .../images/stm32mp15x-initramfs.bb | 14 ++++++++ .../files/tee-supplicant.hook | 33 +++++++++++++++++++ .../files/tee-supplicant.script | 33 +++++++++++++++++++ .../initramfs-tee-supplicant-hook_0.1.bb | 27 +++++++++++++++ testsuite/citest.py | 1 + 5 files changed, 108 insertions(+) create mode 100644 meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb create mode 100644 meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.hook create mode 100644 meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script create mode 100644 meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb diff --git a/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb new file mode 100644 index 0000000..211c201 --- /dev/null +++ b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb @@ -0,0 +1,14 @@ +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT +# + +inherit initramfs + +INITRAMFS_INSTALL += " \ + initramfs-tee-supplicant-hook \ + " diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.hook b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.hook new file mode 100644 index 0000000..0af277b --- /dev/null +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.hook 
@@ -0,0 +1,33 @@ +#!/bin/sh +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT +# +PREREQ="" +prereqs() +{ + echo "$PREREQ" +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +hook_error() { + echo "(ERROR): $2" >&2 + exit 1 +} + +# For stock debian bookworm arm64 kernel, these two .ko exist, but not built-in. +manual_add_modules tee +manual_add_modules optee + +copy_exec /usr/sbin/tee-supplicant || hook_error "/usr/sbin/tee-supplicant not found" +copy_exec /usr/bin/pgrep || hook_error "/usr/bin/pgrep not found" diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script new file mode 100644 index 0000000..bb6dcc1 --- /dev/null +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script @@ -0,0 +1,33 @@ +#!/bin/sh +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT +# +PREREQ="" +prereqs() +{ + echo "$PREREQ" +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions + +/usr/sbin/tee-supplicant -d + +# The tee-supplicant would take some time to be discovered, 10 seconds should be +# enough +wait_sec=10 +until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do + wait_sec=$((wait_sec-1)) + sleep 1 +done + +/usr/bin/pgrep tee-supplicant > /dev/null || panic "Can't start the tee-supplicant daemon!" diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb new file mode 100644 index 0000000..3768b8e --- /dev/null +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb 
@@ -0,0 +1,27 @@ +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg-raw + +SRC_URI += " \ + file://tee-supplicant.hook \ + file://tee-supplicant.script \ + " + +DEBIAN_DEPENDS = "initramfs-tools, tee-supplicant, procps" + +do_install[cleandirs] += " \ + ${D}/usr/share/initramfs-tools/hooks \ + ${D}/usr/share/initramfs-tools/scripts/local-bottom" + +do_install() { + install -m 0755 "${WORKDIR}/tee-supplicant.hook" \ + "${D}/usr/share/initramfs-tools/hooks/tee-supplicant" + install -m 0755 "${WORKDIR}/tee-supplicant.script" \ + "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-supplicant" +} diff --git a/testsuite/citest.py b/testsuite/citest.py index 17a9024..1aa2928 100755 --- a/testsuite/citest.py +++ b/testsuite/citest.py @@ -214,6 +214,7 @@ class NoCrossTest(CIBaseTest): 'mc:bananapi-bullseye:isar-image-base', 'mc:nanopi-neo-bullseye:isar-image-base', 'mc:stm32mp15x-bullseye:isar-image-base', + 'mc:stm32mp15x-bullseye:stm32mp15x-initramfs', 'mc:qemuamd64-focal:isar-image-ci' ] -- 2.30.2
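Review bot: in tee-supplicant.hook, hook_error() prints "$2" but both call sites pass a single argument, so on `copy_exec /usr/sbin/tee-supplicant || hook_error "/usr/sbin/tee-supplicant not found"` the build log only shows "(ERROR): " with an empty message; change it to `echo "(ERROR): $1" >&2`. Note also that `manual_add_modules tee` / `manual_add_modules optee` do not fail when a module is absent from the target kernel, so a kernel without optee.ko passes the hook and the problem only surfaces at boot when the script runs; if the hook is meant to guarantee the driver is present, check for the module (or for it being built in) explicitly and call hook_error otherwise.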
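Review bot: in tee-supplicant.script, FTPM_DEV is never set in this script or anywhere else in the patch, so `test -c "${FTPM_DEV}"` tests an empty string, always fails, and the loop always sleeps the full 10 seconds before the pgrep check; define it in the script (or document where it is expected to come from) and reword the comment "The tee-supplicant would take some time to be discovered", since what is being waited for is the fTPM device node, not the supplicant. The `/usr/bin/pgrep tee-supplicant > /dev/null || panic ...` check should come directly after `/usr/sbin/tee-supplicant -d` (or the exit status of tee-supplicant itself should be checked) so that a daemon that fails to start panics immediately instead of after the timeout. Finally, nothing in the script loads the tee/optee modules the hook copied in; if udev has not bound the optee driver by the time local-bottom runs, tee-supplicant has no /dev/teepriv* node to open. A `wait_for_udev` from /scripts/functions, or an explicit modprobe, before starting the daemon would make the ordering deterministic.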
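Review bot: in initramfs-tee-supplicant-hook_0.1.bb the script is installed into ${D}/usr/share/initramfs-tools/scripts/local-bottom, and initramfs-tools runs local-bottom only after the root filesystem has been mounted, so the daemon is not available to anything that unlocks the root device (for example a cryptroot script in local-top). The commit message motivates the hook with fTPM-based disk encryption; if that covers the root filesystem, the script belongs in local-top (or local-premount) with a PREREQ that orders it before the unlocking script, and if it is only meant for volumes unlocked after root is mounted, the commit message should state that limitation.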
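Review bot: in citest.py the new target is mc:stm32mp15x-bullseye:stm32mp15x-initramfs, while the comment in tee-supplicant.hook ("For stock debian bookworm arm64 kernel, these two .ko exist, but not built-in.") justifies manual_add_modules for bookworm; either the comment should describe the bullseye kernel the CI actually builds against, or a bookworm target should be added alongside, so the comment and the tested configuration agree.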