[PATCH v2 7/7] initramfs: Add recipe for tee-ftpm hook

[baocheng_su@163.com]

From: Baocheng Su <baocheng.su@siemens.com>

This adds the tee-ftpm hook, that mainly load the kernel module tpm-ftpm-tee
during the initrd stage.

This makes the fTPM device avaible during the initrd stage so that the
encrypted partitions could be unlocked via keys stored in fTPM.

stm32mp15x platform is used to demo the building of this hook.

Signed-off-by: Baocheng Su <baocheng.su@siemens.com>
---
 .../images/stm32mp15x-initramfs.bb            |  1 +
 .../files/tee-ftpm.hook                       | 25 +++++++++++++++++
 .../files/tee-ftpm.script                     | 26 ++++++++++++++++++
 .../initramfs-tee-ftpm-hook_0.1.bb            | 27 +++++++++++++++++++
 4 files changed, 79 insertions(+)
 create mode 100644 meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.hook
 create mode 100644 meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
 create mode 100644 meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb

diff --git a/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
index 211c201..8ec6d7c 100644
--- a/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
+++ b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
@@ -11,4 +11,5 @@ inherit initramfs
 
 INITRAMFS_INSTALL += " \
     initramfs-tee-supplicant-hook \
+    initramfs-tee-ftpm-hook \
     "
diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.hook b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.hook
new file mode 100644
index 0000000..b7f7859
--- /dev/null
+++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.hook
@@ -0,0 +1,25 @@
+#!/bin/sh
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+PREREQ="tee-supplicant"
+prereqs()
+{
+    echo "$PREREQ"
+}
+case $1 in
+prereqs)
+    prereqs
+    exit 0
+    ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+# The tpm_ftpm_tee.ko does not exist in any stock debian kernels, it could be
+# provided by customized kernel.
+manual_add_modules tpm_ftpm_tee
diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
new file mode 100644
index 0000000..8b089eb
--- /dev/null
+++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
@@ -0,0 +1,26 @@
+#!/bin/sh
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+PREREQ="tee-supplicant"
+prereqs()
+{
+	echo "$PREREQ"
+}
+case $1 in
+prereqs)
+	prereqs
+	exit 0
+	;;
+esac
+
+. /scripts/functions
+
+FTPM_DEV=/dev/tpmrm0
+if ! test -c "${FTPM_DEV}"; then
+    panic "Can't discover the fTPM device ${FTPM_DEV}!"
+fi
\ No newline at end of file
diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
new file mode 100644
index 0000000..12064c0
--- /dev/null
+++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
@@ -0,0 +1,27 @@
+# Copyright (c) Siemens AG, 2023
+#
+# Authors:
+#  Su Bao Cheng <baocheng.su@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+SRC_URI += " \
+    file://tee-ftpm.hook \
+    file://tee-ftpm.script \
+    "
+
+DEBIAN_DEPENDS = "initramfs-tools"
+
+do_install[cleandirs] += " \
+    ${D}/usr/share/initramfs-tools/hooks \
+    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
+
+do_install() {
+    install -m 0755 "${WORKDIR}/tee-ftpm.hook" \
+        "${D}/usr/share/initramfs-tools/hooks/tee-ftpm"
+    install -m 0755 "${WORKDIR}/tee-ftpm.script" \
+        "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-ftpm"
+}
\ No newline at end of file
-- 
2.30.2