From: Rakesh Kumar
To: isar-users
Date: Wed, 10 Jul 2024 05:39:33 -0700 (PDT)
Message-Id: <325084db-4440-4e5b-835c-8bb74a088f92n@googlegroups.com>
References: <20240710053335.2163596-1-kumar.rakesh@siemens.com>
Subject: Re: [PATCH] initramfs: move fTPM and tee-supplicant initialization to local-top stage

Thanks, Jan Kiszka, for pointing that out! I have made the corrections in the git message now.

Regards,
Rakesh

On Wednesday, July 10, 2024 at 4:51:11 PM UTC+5:30 Jan Kiszka wrote:
On 10.07.24 07:33, Rakesh Kumar wrote:
> To ensure proper initialization of the fTPM and tee-supplicant services before
> the root filesystem is mounted, we are relocating their initialization to the
> local-top section of initramfs. This change ensures that the encrypted filesystems
> are properly initialized and ready for use before the root filesystem is mounted at
> local-bottom stage.

Close but not fully correct: The rootfs is mounted AFTER the top stage
and BEFORE bottom.

>
> Reason for local-top:
>
> * Early Initialization: The local-top scripts run before the root filesystem is mounted.
> This timing is essential for encrypted root filesystems since the decryption process must be
> completed before the filesystem can be accessed.
>
> * Dependency Handling: The encryption setup requires initializing dependencies such as
> fTPM (firmware Trusted Platform Module) devices. Performing these tasks early in the boot process
> ensures that all necessary components are in place before the root filesystem is mounted.

This will still need some isar-cip-core patch in order to add a PREREQ
on fTPM if a concrete target is using fTPM for disk encryption. But Quirin
just had another idea, leaving the stage to him now. :)

Jan

>
> Signed-off-by: Rakesh Kumar <kumar....@siemens.com>
> ---
> .../initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb | 4 ++--
> .../initramfs-tee-supplicant-hook_0.1.bb | 4 ++--
> 2 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb= b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
> index db38e618..82fec1bb 100644
> --- a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
> +++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
> @@ -17,11 +17,11 @@ DEBIAN_DEPENDS =3D "initramfs-tools"
> =20
> do_install[cleandirs] +=3D " \
> ${D}/usr/share/initramfs-tools/hooks \
> - ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> + ${D}/usr/share/initramfs-tools/scripts/local-top"
> =20
> do_install() {
> install -m 0755 "${WORKDIR}/tee-ftpm.hook" \
> "${D}/usr/share/initramfs-tools/hooks/tee-ftpm"
> install -m 0755 "${WORKDIR}/tee-ftpm.script" \
> - "${D}/usr/share/initramfs-tools/scripts/local-bottom= /tee-ftpm"
> + "${D}/usr/share/initramfs-tools/scripts/local-top/te= e-ftpm"
> }
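Review bot: In do_install, tee-ftpm.script now lands in scripts/local-top, but nothing in this hunk establishes its order relative to the other local-top scripts. initramfs-tools orders scripts inside one stage through the PREREQ variable each script declares, so tee-ftpm.script should name tee-supplicant in its PREREQ if the fTPM depends on it, and any local-top script that unlocks a disk through the fTPM needs a PREREQ on tee-ftpm, as the reply above points out. The commit message should say which of these dependencies this change covers and which are left to downstream layers.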
> diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/= initramfs-te= e-supplicant-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-supplic= ant-hook/ini= tramfs-tee-supplicant-hook_0.1.bb
> index 3768b8e0..a7a19bee 100644
> --- a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-s= upplicant-hook_0.1.bb
> +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-s= upplicant-hook_0.1.bb
> @@ -17,11 +17,11 @@ DEBIAN_DEPENDS =3D "initramfs-tools, tee-= supplicant, procps"
> =20
> do_install[cleandirs] +=3D " \
> ${D}/usr/share/initramfs-tools/hooks \
> - ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> + ${D}/usr/share/initramfs-tools/scripts/local-top"
> =20
> do_install() {
> install -m 0755 "${WORKDIR}/tee-supplicant.hook" \
> "${D}/usr/share/initramfs-tools/hooks/tee-supplicant= "
> install -m 0755 "${WORKDIR}/tee-supplicant.script" = \
> - "${D}/usr/share/initramfs-tools/scripts/local-bottom= /tee-supplicant"
> + "${D}/usr/share/initramfs-tools/scripts/local-top/te= e-supplicant"
> }
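Review bot: The install path of tee-supplicant.script changes from scripts/local-bottom to scripts/local-top, yet the recipe file is still initramfs-tee-supplicant-hook_0.1.bb, so the package keeps version 0.1 with different contents. Consider bumping the recipe version here and in initramfs-tee-ftpm-hook so that a package upgrade on an existing image replaces the old local-bottom script instead of leaving it in place. Since the script now runs before the root filesystem is mounted, also confirm that tee-supplicant.script does not expect any path under the real root at that point.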

-- 
Siemens AG, Technology
Linux Expert Center
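
An added example, not part of the patch or of this thread: a lint that checks one initramfs-tools stage directory for PREREQ names that have no matching script in that same stage, which is what happens to a local-top unlock script when tee-ftpm sits in local-bottom. The script name unlock-rootfs and the tee-ftpm PREREQ on tee-supplicant are assumptions made for the constructed sample.

```shell
#!/bin/sh
# Constructed example. initramfs-tools calls each script with the single
# argument "prereqs" and orders scripts within one stage by the names printed.

# check_stage_prereqs DIR
# Prints one line per PREREQ that has no executable script in DIR; returns 1
# if any was found, 0 otherwise.
check_stage_prereqs() {
    stage_dir="$1"
    rc=0
    for script in "$stage_dir"/*; do
        [ -f "$script" ] && [ -x "$script" ] || continue
        for dep in $("$script" prereqs 2>/dev/null); do
            if [ ! -x "$stage_dir/$dep" ]; then
                echo "${script##*/}: prereq '$dep' not in ${stage_dir##*/}"
                rc=1
            fi
        done
    done
    return "$rc"
}

# make_script PATH PREREQ
# Writes a constructed sample script carrying the usual prereqs header.
make_script() {
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<EOF
#!/bin/sh
PREREQ="$2"
prereqs() { echo "\$PREREQ"; }
case "\$1" in
prereqs) prereqs; exit 0 ;;
esac
EOF
    chmod 0755 "$1"
}

# build_sample ROOT LAYOUT
# LAYOUT "before" puts the TEE scripts in local-bottom, "after" in local-top.
build_sample() {
    root="$1"
    if [ "$2" = "before" ]; then stage=local-bottom; else stage=local-top; fi
    make_script "$root/$stage/tee-supplicant" ""
    make_script "$root/$stage/tee-ftpm" "tee-supplicant"   # assumed dependency
    # hypothetical consumer that unlocks the root filesystem via the fTPM
    make_script "$root/local-top/unlock-rootfs" "tee-ftpm"
}
```

On an installed image the same check can be pointed at /usr/share/initramfs-tools/scripts/local-top.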
