From: Rakesh Kumar
To: isar-users
Date: Sat, 13 Jul 2024 07:55:48 -0700 (PDT)
Subject: Re: [PATCH] initramfs: move fTPM and tee-supplicant initialization to local-top stage
Message-Id: <70361b22-2139-4644-9946-c0e7c482f767n@googlegroups.com>
In-Reply-To: <325084db-4440-4e5b-835c-8bb74a088f92n@googlegroups.com>
References: <20240710053335.2163596-1-kumar.rakesh@siemens.com> <325084db-4440-4e5b-835c-8bb74a088f92n@googlegroups.com>

Hi all,

Any update on this patch?

Rakesh

On Wednesday, July 10, 2024 at 6:57:20 PM UTC+5:30 Rakesh Kumar wrote:
Thanks, Jan Kiszka, for pointing that out! I have made the corrections in the git message now.



Regards,
Rakesh

On Wednesday, July 10, 2024 at 4:51:11 PM UTC+5:30 Jan Kiszka wrote:
On 10.07.24 07:33, Rakesh Kumar wrote:
> To ensure proper initialization of the fTPM and tee-supplicant services before
> the root filesystem is mounted, we are relocating their initialization to the
> local-top section of initramfs. This change ensures that the encrypted filesystems
> are properly initialized and ready for use before the root filesystem is mounted at
> local-bottom stage.

Close but not fully correct: The rootfs is mounted AFTER the top stage
and BEFORE bottom.

>
> Reason for local-top:
>
> * Early Initialization: The local-top scripts run before the root filesystem is mounted.
> This timing is essential for encrypted root filesystems since the decryption process must be
> completed before the filesystem can be accessed.
>
> * Dependency Handling: The encryption setup requires initializing dependencies such as
> fTPM (firmware Trusted Platform Module) devices. Performing these tasks early in the boot process
> ensures that all necessary components are in place before the root filesystem is mounted.

This will still need some isar-cip-core patch in order to add a PREREQ
on fTPM if a concrete target is using fTPM for disk encryption. But Quirin
just had another idea, leaving the stage to him now. :)

Jan

>
> Signed-off-by: Rakesh Kumar <kumar....@siemens.com>
> ---
> .../initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb | 4 ++--
> .../initramfs-tee-supplicant-hook_0.1.bb | 4 ++--
> 2 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb= b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
> index db38e618..82fec1bb 100644
> --- a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
> +++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
> @@ -17,11 +17,11 @@ DEBIAN_DEPENDS =3D "initramfs-tools"
> =20
> do_install[cleandirs] +=3D " \
> ${D}/usr/share/initramfs-tools/hooks \
> - ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> + ${D}/usr/share/initramfs-tools/scripts/local-top"
> =20
> do_install() {
> install -m 0755 "${WORKDIR}/tee-ftpm.hook" \
> "${D}/usr/share/initramfs-tools/hooks/tee-ftpm"
> install -m 0755 "${WORKDIR}/tee-ftpm.script" \
> - "${D}/usr/share/initramfs-tools/scripts/local-bottom= /tee-ftpm"
> + "${D}/usr/share/initramfs-tools/scripts/local-top/te= e-ftpm"
> }
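Review bot: the second install in do_install() now drops tee-ftpm.script into scripts/local-top, but the diffstat lists only the two .bb recipes, so the script body is carried over unchanged from its local-bottom life. Since local-top runs before the rootfs is mounted (see Jan's correction above), please confirm that tee-ftpm.script does not rely on anything that only exists once the root is mounted. The commit message should also say that a target unlocking its disk via the fTPM still needs its own PREREQ on tee-ftpm, which this patch does not add.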
> diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/= initramfs-te= e-supplicant-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-supplic= ant-hook/ini= tramfs-tee-supplicant-hook_0.1.bb
> index 3768b8e0..a7a19bee 100644
> --- a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-s= upplicant-hook_0.1.bb
> +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-s= upplicant-hook_0.1.bb
> @@ -17,11 +17,11 @@ DEBIAN_DEPENDS =3D "initramfs-tools, tee-= supplicant, procps"
> =20
> do_install[cleandirs] +=3D " \
> ${D}/usr/share/initramfs-tools/hooks \
> - ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> + ${D}/usr/share/initramfs-tools/scripts/local-top"
> =20
> do_install() {
> install -m 0755 "${WORKDIR}/tee-supplicant.hook" \
> "${D}/usr/share/initramfs-tools/hooks/tee-supplicant= "
> install -m 0755 "${WORKDIR}/tee-supplicant.script" = \
> - "${D}/usr/share/initramfs-tools/scripts/local-bottom= /tee-supplicant"
> + "${D}/usr/share/initramfs-tools/scripts/local-top/te= e-supplicant"
> }
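Review bot: ordering inside the stage is left open where tee-supplicant.script is installed into scripts/local-top. After this hunk, tee-supplicant and tee-ftpm share the same stage directory and nothing in the patch says which one runs first. If one of them depends on the other, that should be expressed through the PREREQ line of the dependent script, or noted in the commit message if it is already there. The recipe also stays at _0.1 although the installed path changes, so a version bump is worth considering.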

--
Siemens AG, Technology
Linux Expert Center

--
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/isar-users/70361b22-2139-4644-9946-c0e7c482f767n%40googlegroups.com.
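A build-time check for the layout discussed in this thread, as an added example that is not part of the patch or the isar tree: it verifies that tee-ftpm and tee-supplicant sit in local-top with no stale local-bottom copy, and that the disk-unlock script declares the PREREQ on tee-ftpm that Jan mentions. The script name unlock-rootfs, the function names and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the isar tree). Checks an unpacked initramfs, or a
# package's usr/share/initramfs-tools directory, after the move to local-top.

# declares_prereq SCRIPT NAME: initramfs-tools asks every boot script for its
# prerequisites by running it with the argument "prereqs"; do the same here.
declares_prereq() {
    for p in $(sh "$1" prereqs 2>/dev/null); do
        [ "$p" = "$2" ] && return 0
    done
    return 1
}

# check_ftpm_stage ROOT UNLOCK
#   ROOT   directory that contains scripts/local-top and scripts/local-bottom
#   UNLOCK name of the disk-unlock script in local-top (hypothetical name)
# Returns 0 if consistent, 1 missing script, 2 stale local-bottom copy,
# 3 unlock script does not wait for tee-ftpm.
check_ftpm_stage() {
    root=$1 unlock=$2
    for s in tee-supplicant tee-ftpm; do
        [ -x "$root/scripts/local-top/$s" ] || { echo "missing local-top/$s"; return 1; }
        [ ! -e "$root/scripts/local-bottom/$s" ] || { echo "stale local-bottom/$s"; return 2; }
    done
    [ -x "$root/scripts/local-top/$unlock" ] || { echo "missing local-top/$unlock"; return 1; }
    declares_prereq "$root/scripts/local-top/$unlock" tee-ftpm ||
        { echo "$unlock has no PREREQ on tee-ftpm"; return 3; }
    echo "ok: $unlock runs after tee-ftpm in local-top"
}

# make_script PATH PREREQS: write a constructed boot script that carries only
# the usual initramfs-tools prereqs boilerplate.
make_script() {
    mkdir -p "$(dirname "$1")"
    printf '%s\n' '#!/bin/sh' "PREREQ=\"$2\"" 'prereqs() { echo "$PREREQ"; }' \
        'case "$1" in prereqs) prereqs; exit 0 ;; esac' > "$1"
    chmod 0755 "$1"
}

# Constructed sample tree: the layout this patch produces plus an unlock script.
demo_root=$(mktemp -d)
make_script "$demo_root/scripts/local-top/tee-supplicant" ""
make_script "$demo_root/scripts/local-top/tee-ftpm" ""
make_script "$demo_root/scripts/local-top/unlock-rootfs" "tee-ftpm"
check_ftpm_stage "$demo_root" unlock-rootfs
```

Because the check executes each script with the prereqs argument, run it only against trees produced by your own build.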