From: baocheng_su@163.com
To: isar-users@googlegroups.com, jan.kiszka@siemens.com, felix.moessbauer@siemens.com
Cc: christian.storm@siemens.com, quirin.gylstorff@siemens.com, baocheng.su@siemens.com, baocheng_su@163.com
Subject: [PATCH v2 7/7] initramfs: Add recipe for tee-ftpm hook
Date: Thu, 22 Jun 2023 03:22:17 +0800
Message-Id: <20230621192217.2045717-8-baocheng_su@163.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20230621192217.2045717-1-baocheng_su@163.com>
References: <20230621192217.2045717-1-baocheng_su@163.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

From: Baocheng Su

This adds the tee-ftpm hook, that mainly loads the kernel module
tpm-ftpm-tee during the initrd stage. This makes the fTPM device
available during the initrd stage so that the encrypted partitions
could be unlocked via keys stored in fTPM.

The stm32mp15x platform is used to demo the building of this hook.

Signed-off-by: Baocheng Su
---
 .../images/stm32mp15x-initramfs.bb  |  1 +
 .../files/tee-ftpm.hook             | 25 +++++++++++++++++
 .../files/tee-ftpm.script           | 26 ++++++++++++++++++
 .../initramfs-tee-ftpm-hook_0.1.bb  | 27 +++++++++++++++++++
 4 files changed, 79 insertions(+)
 create mode 100644 meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.hook
 create mode 100644 meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
 create mode 100644 meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
diff --git a/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb index 211c201..8ec6d7c 100644 --- a/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb +++ b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb @@ -11,4 +11,5 @@ inherit initramfs INITRAMFS_INSTALL += " \ initramfs-tee-supplicant-hook \ + initramfs-tee-ftpm-hook \ " diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.hook b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.hook new file mode 100644 index 0000000..b7f7859 --- /dev/null +++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.hook @@ -0,0 +1,25 @@ +#!/bin/sh +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT +# +PREREQ="tee-supplicant" +prereqs() +{ + echo "$PREREQ" +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +# The tpm_ftpm_tee.ko does not exist in any stock debian kernels, it could be +# provided by customized kernel. +manual_add_modules tpm_ftpm_tee diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script new file mode 100644 index 0000000..8b089eb --- /dev/null +++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script @@ -0,0 +1,26 @@ +#!/bin/sh +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT +# +PREREQ="tee-supplicant" +prereqs() +{ + echo "$PREREQ" +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions + +FTPM_DEV=/dev/tpmrm0 +if ! test -c "${FTPM_DEV}"; then + panic "Can't discover the fTPM device ${FTPM_DEV}!" +fi \ No newline at end of file 
diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb new file mode 100644 index 0000000..12064c0 --- /dev/null +++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb @@ -0,0 +1,27 @@ +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg-raw + +SRC_URI += " \ + file://tee-ftpm.hook \ + file://tee-ftpm.script \ + " + +DEBIAN_DEPENDS = "initramfs-tools" + +do_install[cleandirs] += " \ + ${D}/usr/share/initramfs-tools/hooks \ + ${D}/usr/share/initramfs-tools/scripts/local-bottom" + +do_install() { + install -m 0755 "${WORKDIR}/tee-ftpm.hook" \ + "${D}/usr/share/initramfs-tools/hooks/tee-ftpm" + install -m 0755 "${WORKDIR}/tee-ftpm.script" \ + "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-ftpm" +} \ No newline at end of file -- 2.30.2
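Review bot: in the stm32mp15x-initramfs.bb hunk, adding `initramfs-tee-ftpm-hook` to INITRAMFS_INSTALL makes a working fTPM a hard requirement for every boot of this image, because the local-bottom script installed by the new package calls `panic` when `/dev/tpmrm0` is absent, while the commit message presents the platform only as a demo of building the hook. If the same initramfs is meant to boot on a board or kernel without the fTPM TA (the hook's own comment says no stock Debian kernel ships `tpm_ftpm_tee`), either make the hook opt-in, for example through a variable the user sets, or state in the commit message or a comment here that this image now requires a kernel with `tpm_ftpm_tee` and an fTPM in OP-TEE.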
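Review bot: in the tee-ftpm.hook hunk, `manual_add_modules tpm_ftpm_tee` does not fail when the module is missing for the kernel being packaged, which the comment right above it says is the case for every stock Debian kernel, so a kernel without the driver only surfaces at first boot as the `panic` in the local-bottom script. Checking for the module at build time and exiting non-zero when it is absent, for instance by testing whether `modprobe --set-version="${version}" --show-depends tpm_ftpm_tee` succeeds (which also covers a kernel with the driver built in), turns that into an image-build failure with a clear message. Minor: the comment reads better as "it may be provided by a customized kernel".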
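Review bot: in the tee-ftpm.script hunk, `test -c "${FTPM_DEV}"` runs immediately after the tee-supplicant script and can race with device creation: nothing in this patch actually loads `tpm_ftpm_tee` (the commit message says the hook loads it, but the hook only copies the module into the initramfs), so the driver is loaded and `/dev/tpmrm0` created asynchronously by udev once the TEE bus has enumerated the fTPM TA after the supplicant is running. Either `modprobe tpm_ftpm_tee` here before the test, or wait for udev to settle first (initramfs-tools provides `wait_for_udev` in /scripts/functions, which this script already sources); otherwise a board where the device merely arrives late panics. Two further points: the recipe installs this file under scripts/local-bottom, which runs after the root filesystem has been mounted, so a missing fTPM is detected only after the point at which an encrypted root would have needed it, which is at odds with the stated purpose unless only non-root partitions are meant; and `/dev/tpmrm0` is the first TPM resource manager, not necessarily the fTPM, on a system that also has a discrete TPM. The file also lacks a trailing newline.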
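Review bot: in the initramfs-tee-ftpm-hook_0.1.bb hunk, `DEBIAN_DEPENDS = "initramfs-tools"` omits the package this one orders itself after: both the hook and the script declare `PREREQ="tee-supplicant"`, and the image hunk shows that script comes from `initramfs-tee-supplicant-hook`. Declaring it, e.g. `DEBIAN_DEPENDS = "initramfs-tools, initramfs-tee-supplicant-hook"`, ensures the package cannot be installed without its prerequisite and the PREREQ ordering is always satisfiable. The recipe also ends without a trailing newline.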