From: baocheng.su@siemens.com
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, felix.moessbauer@siemens.com, christian.storm@siemens.com, quirin.gylstorff@siemens.com, baocheng_su@163.com, henning.schild@siemens.com, baocheng.su@siemens.com
Subject: [PATCH v3 6/7] initramfs: Add recipe for tee-supplicant hook
Date: Wed, 5 Jul 2023 13:33:39 +0800
Message-Id: <20230705053340.1158024-7-baocheng.su@siemens.com>
In-Reply-To: <20230705053340.1158024-1-baocheng.su@siemens.com>
References: <20230705053340.1158024-1-baocheng.su@siemens.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-909155:519-21489:flowmailer
X-TUID: WEnffnA+EQyq

From: Baocheng Su

This adds the tee-supplicant hook so that the tee-supplicant daemon is started at the initrd stage.

The tee-supplicant daemon is used to provide service to trusted applications running in optee, for example to provide the RPMB access service for the StMM or fTPM TAs. By running tee-supplicant at the initrd stage, disk encryption based on fTPM is possible.

stm32mp15x is used to demo the building of this hook, so add a new CI target for the initramfs image of stm32mp15x.

Signed-off-by: Baocheng Su
---
 .../images/stm32mp15x-initramfs.bb            | 14 ++++++++
 .../files/tee-supplicant.hook                 | 33 +++++++++++++++++++
 .../files/tee-supplicant.script               | 33 +++++++++++++++++++
 .../initramfs-tee-supplicant-hook_0.1.bb      | 27 +++++++++++++++
 testsuite/citest.py                           |  1 +
 5 files changed, 108 insertions(+)
 create mode 100644 meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb
 create mode 100644 meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.hook
 create mode 100644 meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script
 create mode 100644 meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
diff --git a/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb new file mode 100644 index 0000000..211c201 --- /dev/null +++ b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb @@ -0,0 +1,14 @@ +# +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT +# + +inherit initramfs + +INITRAMFS_INSTALL += " \ + initramfs-tee-supplicant-hook \ + " diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.hook b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.hook new file mode 100644 index 0000000..0af277b --- /dev/null +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.hook @@ -0,0 +1,33 @@ +#!/bin/sh +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT +# +PREREQ="" +prereqs() +{ + echo "$PREREQ" +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +hook_error() { + echo "(ERROR): $2" >&2 + exit 1 +} + +# For stock debian bookworm arm64 kernel, these two .ko exist, but not built-in. +manual_add_modules tee +manual_add_modules optee + +copy_exec /usr/sbin/tee-supplicant || hook_error "/usr/sbin/tee-supplicant not found" +copy_exec /usr/bin/pgrep || hook_error "/usr/bin/pgrep not found" diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script new file mode 100644 index 0000000..bb6dcc1 --- /dev/null +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/files/tee-supplicant.script 
@@ -0,0 +1,33 @@ +#!/bin/sh +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT +# +PREREQ="" +prereqs() +{ + echo "$PREREQ" +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions + +/usr/sbin/tee-supplicant -d + +# The tee-supplicant would take some time to be discovered, 10 seconds should be +# enough +wait_sec=10 +until test $wait_sec -eq 0 || test -c "${FTPM_DEV}" ; do + wait_sec=$((wait_sec-1)) + sleep 1 +done + +/usr/bin/pgrep tee-supplicant > /dev/null || panic "Can't start the tee-supplicant daemon!" diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb new file mode 100644 index 0000000..3768b8e --- /dev/null +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb @@ -0,0 +1,27 @@ +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg-raw + +SRC_URI += " \ + file://tee-supplicant.hook \ + file://tee-supplicant.script \ + " + +DEBIAN_DEPENDS = "initramfs-tools, tee-supplicant, procps" + +do_install[cleandirs] += " \ + ${D}/usr/share/initramfs-tools/hooks \ + ${D}/usr/share/initramfs-tools/scripts/local-bottom" + +do_install() { + install -m 0755 "${WORKDIR}/tee-supplicant.hook" \ + "${D}/usr/share/initramfs-tools/hooks/tee-supplicant" + install -m 0755 "${WORKDIR}/tee-supplicant.script" \ + "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-supplicant" +} diff --git a/testsuite/citest.py b/testsuite/citest.py index 17a9024..1aa2928 100755 --- a/testsuite/citest.py +++ b/testsuite/citest.py 
@@ -214,6 +214,7 @@ class NoCrossTest(CIBaseTest): 'mc:bananapi-bullseye:isar-image-base', 'mc:nanopi-neo-bullseye:isar-image-base', 'mc:stm32mp15x-bullseye:isar-image-base', + 'mc:stm32mp15x-bullseye:stm32mp15x-initramfs', 'mc:qemuamd64-focal:isar-image-ci' ] -- 2.39.2
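Review bot: `hook_error()` in tee-supplicant.hook echoes `$2`, but both callers pass the message as the only argument (`copy_exec /usr/sbin/tee-supplicant || hook_error "/usr/sbin/tee-supplicant not found"`), so a failed copy aborts the initramfs build with a bare `(ERROR): ` line and the actual reason is lost; print `$1` instead. The comment above `manual_add_modules tee` / `manual_add_modules optee` refers to the stock Debian bookworm arm64 kernel, while the CI target this patch adds is stm32mp15x-bullseye; it would help to say whether the same applies to the kernel used there, or to state that the hook tolerates the drivers being built in.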
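Review bot: `${FTPM_DEV}` in tee-supplicant.script is not assigned anywhere in this patch and `/scripts/functions` does not provide it, so unless another part of the series exports it into the initramfs environment, `test -c "${FTPM_DEV}"` is false on every pass and the loop always waits the full 10 seconds before continuing; set or source the variable explicitly in the script (next to `wait_sec`) and document where it comes from. When the timeout expires without the device the script continues silently, and the only diagnostic is the `pgrep` check on the daemon, so a device that never appears is indistinguishable from a slow one; report that path as well. The comment says the supplicant takes time to be discovered, but what is polled is the fTPM device node, so reword it. Finally, the recipe installs this script under `scripts/local-bottom`, which initramfs-tools runs after the root filesystem is mounted; if the fTPM-backed encrypted volume mentioned in the commit message is the root device, the cryptroot handling in `local-top` runs before the supplicant exists, so please state which volume this is meant to unlock or move the daemon start earlier.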
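Review bot: The added `mc:stm32mp15x-bullseye:stm32mp15x-initramfs` entry in `NoCrossTest` only checks that the initramfs image builds; nothing boots the result, so the daemon start and the device wait in the local-bottom script stay unexercised by CI. If a boot test on this board is not feasible, say so in the commit message so reviewers know the runtime path was verified by hand.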