From: baocheng.su@siemens.com
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, felix.moessbauer@siemens.com, christian.storm@siemens.com, quirin.gylstorff@siemens.com, baocheng_su@163.com, henning.schild@siemens.com, baocheng.su@siemens.com
Subject: [PATCH v3 7/7] initramfs: Add recipe for tee-ftpm hook
Date: Wed, 5 Jul 2023 13:33:40 +0800
Message-Id: <20230705053340.1158024-8-baocheng.su@siemens.com>
In-Reply-To: <20230705053340.1158024-1-baocheng.su@siemens.com>
References: <20230705053340.1158024-1-baocheng.su@siemens.com>

From: Baocheng Su

This adds the tee-ftpm hook, which mainly loads the kernel module
tpm-ftpm-tee during the initrd stage. This makes the fTPM device
available during the initrd stage so that the encrypted partitions
could be unlocked via keys stored in the fTPM.

The stm32mp15x platform is used to demo the building of this hook.

Signed-off-by: Baocheng Su
---
 .../images/stm32mp15x-initramfs.bb            |  1 +
 .../files/tee-ftpm.hook                       | 25 +++++++++++++++++
 .../files/tee-ftpm.script                     | 26 ++++++++++++++++++
 .../initramfs-tee-ftpm-hook_0.1.bb            | 27 +++++++++++++++++++
 4 files changed, 79 insertions(+)
 create mode 100644 meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.hook
 create mode 100644 meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script
 create mode 100644 meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb

diff --git a/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb index 211c201..8ec6d7c 100644 --- a/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb +++ b/meta-isar/recipes-initramfs/images/stm32mp15x-initramfs.bb @@ -11,4 +11,5 @@ inherit initramfs INITRAMFS_INSTALL += " \ initramfs-tee-supplicant-hook \ + initramfs-tee-ftpm-hook \ " 
diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.hook b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.hook new file mode 100644 index 0000000..b7f7859 --- /dev/null +++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.hook @@ -0,0 +1,25 @@ +#!/bin/sh +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT +# +PREREQ="tee-supplicant" +prereqs() +{ + echo "$PREREQ" +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +# The tpm_ftpm_tee.ko does not exist in any stock debian kernels, it could be +# provided by customized kernel. +manual_add_modules tpm_ftpm_tee diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script new file mode 100644 index 0000000..ce321a0 --- /dev/null +++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/files/tee-ftpm.script @@ -0,0 +1,26 @@ +#!/bin/sh +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT +# +PREREQ="tee-supplicant" +prereqs() +{ + echo "$PREREQ" +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions + +FTPM_DEV=/dev/tpmrm0 +if ! test -c "${FTPM_DEV}"; then + panic "Can't discover the fTPM device ${FTPM_DEV}!" +fi diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb new file mode 100644 index 0000000..db38e61 --- /dev/null +++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb 
@@ -0,0 +1,27 @@ +# Copyright (c) Siemens AG, 2023 +# +# Authors: +# Su Bao Cheng +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg-raw + +SRC_URI += " \ + file://tee-ftpm.hook \ + file://tee-ftpm.script \ + " + +DEBIAN_DEPENDS = "initramfs-tools" + +do_install[cleandirs] += " \ + ${D}/usr/share/initramfs-tools/hooks \ + ${D}/usr/share/initramfs-tools/scripts/local-bottom" + +do_install() { + install -m 0755 "${WORKDIR}/tee-ftpm.hook" \ + "${D}/usr/share/initramfs-tools/hooks/tee-ftpm" + install -m 0755 "${WORKDIR}/tee-ftpm.script" \ + "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-ftpm" +} -- 2.39.2
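Review bot: in the tee-ftpm.hook hunk, `manual_add_modules tpm_ftpm_tee` only copies the module into the initramfs and does not fail when the module is absent, so with a kernel that lacks the driver (the comment itself says no stock Debian kernel ships tpm_ftpm_tee.ko) the image builds cleanly and the failure is only discovered at boot when tee-ftpm.script panics. Consider failing the hook at build time instead, e.g. `modinfo -k "$version" tpm_ftpm_tee >/dev/null 2>&1 || { echo "tpm_ftpm_tee missing" >&2; exit 1; }` before the manual_add_modules call. Minor: the commit message calls the module tpm-ftpm-tee while the hook uses tpm_ftpm_tee; modprobe treats the two the same, but the text should use one spelling.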
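Review bot: in the tee-ftpm.script hunk, nothing actually loads the driver or waits for the node: the script tests `-c /dev/tpmrm0` exactly once and panics, although the commit message says the hook "loads" the module. If the driver is expected to be autoloaded by udev once tee-supplicant is running, say so in a comment; otherwise add an explicit `modprobe tpm_ftpm_tee` before the check, and since udev creates the node asynchronously, guard the check with `wait_for_udev` from /scripts/functions or a bounded retry loop rather than a single test. Note also that scripts/local-bottom runs after the root filesystem is mounted, so the encrypted-partition unlock described in the commit message can only depend on this script for partitions opened later than root; the commit message should state which partitions are meant.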
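Review bot: in the initramfs-tee-ftpm-hook_0.1.bb hunk, both installed files declare `PREREQ="tee-supplicant"`, yet `DEBIAN_DEPENDS = "initramfs-tools"` does not pull in the package that provides that hook, so an image that lists initramfs-tee-ftpm-hook in INITRAMFS_INSTALL without initramfs-tee-supplicant-hook gets an unsatisfied prerequisite and no ordering guarantee. Add the tee-supplicant hook package to DEBIAN_DEPENDS, or document that both must be listed together as the stm32mp15x image does.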
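As an added example, not part of this patch or of the isar project: a POSIX sh sketch of the same local-bottom script that loads tpm_ftpm_tee explicitly and waits a bounded time for /dev/tpmrm0 before giving up, instead of testing once and panicking. The 10 second default timeout, the `FTPM_TIMEOUT` override, the fallback `panic` definition and the `TEE_FTPM_RUN` guard (so the functions can be sourced and exercised outside an initramfs) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the patch's own script: an initramfs-tools local-bottom
# style script that loads tpm_ftpm_tee and waits for /dev/tpmrm0 with a
# bounded timeout instead of a single check. The 10 s default timeout and
# the TEE_FTPM_RUN guard are assumptions made for this example.

PREREQ="tee-supplicant"
prereqs()
{
    echo "$PREREQ"
}
case "${1:-}" in
prereqs)
    prereqs
    exit 0
    ;;
esac

# Inside a real initramfs /scripts/functions provides panic(); supply a
# fallback so this file also runs outside the initramfs (e.g. for tests).
if [ -r /scripts/functions ]; then
    . /scripts/functions
fi
if ! command -v panic >/dev/null 2>&1; then
    panic() { echo "tee-ftpm: $*" >&2; exit 1; }
fi

FTPM_DEV="${FTPM_DEV:-/dev/tpmrm0}"
FTPM_TIMEOUT="${FTPM_TIMEOUT:-10}"

# Wait up to $2 seconds (default 10) for character device $1 to appear.
# Returns 0 as soon as the node exists, 1 on timeout. Only `test`, `sleep`
# and shell arithmetic are used so it works with busybox/klibc utilities.
wait_for_char_dev()
{
    dev="$1"
    timeout="${2:-10}"
    elapsed=0
    while ! [ -c "$dev" ]; do
        elapsed=$((elapsed + 1))
        if [ "$elapsed" -gt "$timeout" ]; then
            return 1
        fi
        sleep 1
    done
    return 0
}

# Load the fTPM driver explicitly. A failure is tolerated here because udev
# may already have autoloaded it via the TEE bus; the device check below is
# the authoritative test.
load_ftpm_driver()
{
    if command -v modprobe >/dev/null 2>&1; then
        modprobe -q tpm_ftpm_tee || true
    fi
}

tee_ftpm_main()
{
    load_ftpm_driver
    if ! wait_for_char_dev "$FTPM_DEV" "$FTPM_TIMEOUT"; then
        panic "Can't discover the fTPM device ${FTPM_DEV} within ${FTPM_TIMEOUT}s!"
    fi
}

# The guard lets the functions be sourced for testing; a deployed script
# would call tee_ftpm_main unconditionally here.
if [ "${TEE_FTPM_RUN:-0}" = 1 ]; then
    tee_ftpm_main
fi
```

In a deployed initramfs the final guard goes away and `tee_ftpm_main` runs unconditionally; `FTPM_TIMEOUT` can be tuned per board if the TEE supplicant takes longer to come up.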