[PATCH] initramfs: move fTPM and tee-supplicant initialization to local-top stage

[PATCH] initramfs: move fTPM and tee-supplicant initialization to local-top stage

['Rakesh Kumar' via isar-users]

To ensure proper initialization of the fTPM and tee-supplicant services before
the root filesystem is mounted, we are relocating their initialization to the
local-top section of initramfs. This change ensures that the encrypted filesystems
are properly initialized and ready for use before the root filesystem is mounted at
local-bottom stage.

Reason for local-top:

* Early Initialization: The local-top scripts run before the root filesystem is mounted.
  This timing is essential for encrypted root filesystems since the decryption process must be
  completed before the filesystem can be accessed.

* Dependency Handling: The encryption setup requires initializing dependencies such as
  fTPM (firmware Trusted Platform Module) devices. Performing these tasks early in the boot process
  ensures that all necessary components are in place before the root filesystem is mounted.

Signed-off-by: Rakesh Kumar <kumar.rakesh@siemens.com>
---
 .../initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb    | 4 ++--
 .../initramfs-tee-supplicant-hook_0.1.bb                      | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
index db38e618..82fec1bb 100644
--- a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
+++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
@@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools"
 
 do_install[cleandirs] += " \
     ${D}/usr/share/initramfs-tools/hooks \
-    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
+    ${D}/usr/share/initramfs-tools/scripts/local-top"
 
 do_install() {
     install -m 0755 "${WORKDIR}/tee-ftpm.hook" \
         "${D}/usr/share/initramfs-tools/hooks/tee-ftpm"
     install -m 0755 "${WORKDIR}/tee-ftpm.script" \
-        "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-ftpm"
+        "${D}/usr/share/initramfs-tools/scripts/local-top/tee-ftpm"
 }
diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
index 3768b8e0..a7a19bee 100644
--- a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
+++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
@@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools, tee-supplicant, procps"
 
 do_install[cleandirs] += " \
     ${D}/usr/share/initramfs-tools/hooks \
-    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
+    ${D}/usr/share/initramfs-tools/scripts/local-top"
 
 do_install() {
     install -m 0755 "${WORKDIR}/tee-supplicant.hook" \
         "${D}/usr/share/initramfs-tools/hooks/tee-supplicant"
     install -m 0755 "${WORKDIR}/tee-supplicant.script" \
-        "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-supplicant"
+        "${D}/usr/share/initramfs-tools/scripts/local-top/tee-supplicant"
 }
-- 
2.39.2

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/isar-users/20240710053335.2163596-1-kumar.rakesh%40siemens.com.

Re: [PATCH] initramfs: move fTPM and tee-supplicant initialization to local-top stage

['Jan Kiszka' via isar-users]

On 10.07.24 07:33, Rakesh Kumar wrote:
> To ensure proper initialization of the fTPM and tee-supplicant services before
> the root filesystem is mounted, we are relocating their initialization to the
> local-top section of initramfs. This change ensures that the encrypted filesystems
> are properly initialized and ready for use before the root filesystem is mounted at
> local-bottom stage.

Close but not fully correct: The rootfs is mounted AFTER the top stage
and BEFORE bottom.

> 
> Reason for local-top:
> 
> * Early Initialization: The local-top scripts run before the root filesystem is mounted.
>   This timing is essential for encrypted root filesystems since the decryption process must be
>   completed before the filesystem can be accessed.
> 
> * Dependency Handling: The encryption setup requires initializing dependencies such as
>   fTPM (firmware Trusted Platform Module) devices. Performing these tasks early in the boot process
>   ensures that all necessary components are in place before the root filesystem is mounted.

This will still need some isar-cip-core patch in order to add a PREREQ
on fTPM if a concrete target using fTPM for disk encryption. But Quirin
just had another idea, leaving the stage to him now. :)

Jan

> 
> Signed-off-by: Rakesh Kumar <kumar.rakesh@siemens.com>
> ---
>  .../initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb    | 4 ++--
>  .../initramfs-tee-supplicant-hook_0.1.bb                      | 4 ++--
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
> index db38e618..82fec1bb 100644
> --- a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
> +++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
> @@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools"
>  
>  do_install[cleandirs] += " \
>      ${D}/usr/share/initramfs-tools/hooks \
> -    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> +    ${D}/usr/share/initramfs-tools/scripts/local-top"
>  
>  do_install() {
>      install -m 0755 "${WORKDIR}/tee-ftpm.hook" \
>          "${D}/usr/share/initramfs-tools/hooks/tee-ftpm"
>      install -m 0755 "${WORKDIR}/tee-ftpm.script" \
> -        "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-ftpm"
> +        "${D}/usr/share/initramfs-tools/scripts/local-top/tee-ftpm"
>  }
> diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
> index 3768b8e0..a7a19bee 100644
> --- a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
> +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
> @@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools, tee-supplicant, procps"
>  
>  do_install[cleandirs] += " \
>      ${D}/usr/share/initramfs-tools/hooks \
> -    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> +    ${D}/usr/share/initramfs-tools/scripts/local-top"
>  
>  do_install() {
>      install -m 0755 "${WORKDIR}/tee-supplicant.hook" \
>          "${D}/usr/share/initramfs-tools/hooks/tee-supplicant"
>      install -m 0755 "${WORKDIR}/tee-supplicant.script" \
> -        "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-supplicant"
> +        "${D}/usr/share/initramfs-tools/scripts/local-top/tee-supplicant"
>  }

-- 
Siemens AG, Technology
Linux Expert Center

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/isar-users/fa89edf3-30be-4692-baa1-9c69876c96d4%40siemens.com.

[PATCH] initramfs: move fTPM and tee-supplicant initialization to local-top stage

['Rakesh Kumar' via isar-users]

To ensure proper initialization of the fTPM and tee-supplicant services before
the root filesystem is mounted, we are relocating their initialization to the
local-top section of initramfs. This change ensures that the encrypted root filesystems
are properly initialized and mounted before the local-bottom scripts run.

Reason for local-top:

* Early Initialization: The local-top scripts run before the root filesystem is mounted.
  This timing is essential for encrypted root filesystems since the decryption process must be
  completed before the filesystem can be accessed.

* Dependency Handling: The encryption setup requires initializing dependencies such as
  fTPM (firmware Trusted Platform Module) devices. Performing these tasks early in the boot process
  ensures that all necessary components are in place before the root filesystem is mounted.

Signed-off-by: Rakesh Kumar <kumar.rakesh@siemens.com>
---
 .../initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb    | 4 ++--
 .../initramfs-tee-supplicant-hook_0.1.bb                      | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
index db38e618..82fec1bb 100644
--- a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
+++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
@@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools"
 
 do_install[cleandirs] += " \
     ${D}/usr/share/initramfs-tools/hooks \
-    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
+    ${D}/usr/share/initramfs-tools/scripts/local-top"
 
 do_install() {
     install -m 0755 "${WORKDIR}/tee-ftpm.hook" \
         "${D}/usr/share/initramfs-tools/hooks/tee-ftpm"
     install -m 0755 "${WORKDIR}/tee-ftpm.script" \
-        "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-ftpm"
+        "${D}/usr/share/initramfs-tools/scripts/local-top/tee-ftpm"
 }
diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
index 3768b8e0..a7a19bee 100644
--- a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
+++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-hook_0.1.bb
@@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools, tee-supplicant, procps"
 
 do_install[cleandirs] += " \
     ${D}/usr/share/initramfs-tools/hooks \
-    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
+    ${D}/usr/share/initramfs-tools/scripts/local-top"
 
 do_install() {
     install -m 0755 "${WORKDIR}/tee-supplicant.hook" \
         "${D}/usr/share/initramfs-tools/hooks/tee-supplicant"
     install -m 0755 "${WORKDIR}/tee-supplicant.script" \
-        "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-supplicant"
+        "${D}/usr/share/initramfs-tools/scripts/local-top/tee-supplicant"
 }
-- 
2.39.2

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/isar-users/20240710123046.2174029-1-kumar.rakesh%40siemens.com.

Re: [PATCH] initramfs: move fTPM and tee-supplicant initialization to local-top stage

[Rakesh Kumar]

[-- Attachment #1.1: Type: text/plain, Size: 4349 bytes --]

thanks, Jan Kiszka, for pointing that out!  I have made the corrections in 
git message now. 




Regards,
Rakesh

On Wednesday, July 10, 2024 at 4:51:11 PM UTC+5:30 Jan Kiszka wrote:

> On 10.07.24 07:33, Rakesh Kumar wrote:
> > To ensure proper initialization of the fTPM and tee-supplicant services 
> before
> > the root filesystem is mounted, we are relocating their initialization 
> to the
> > local-top section of initramfs. This change ensures that the encrypted 
> filesystems
> > are properly initialized and ready for use before the root filesystem is 
> mounted at
> > local-bottom stage.
>
> Close but not fully correct: The rootfs is mounted AFTER the top stage
> and BEFORE bottom.
>
> > 
> > Reason for local-top:
> > 
> > * Early Initialization: The local-top scripts run before the root 
> filesystem is mounted.
> > This timing is essential for encrypted root filesystems since the 
> decryption process must be
> > completed before the filesystem can be accessed.
> > 
> > * Dependency Handling: The encryption setup requires initializing 
> dependencies such as
> > fTPM (firmware Trusted Platform Module) devices. Performing these tasks 
> early in the boot process
> > ensures that all necessary components are in place before the root 
> filesystem is mounted.
>
> This will still need some isar-cip-core patch in order to add a PREREQ
> on fTPM if a concrete target using fTPM for disk encryption. But Quirin
> just had another idea, leaving the stage to him now. :)
>
> Jan
>
> > 
> > Signed-off-by: Rakesh Kumar <kumar....@siemens.com>
> > ---
> > .../initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb | 4 ++--
> > .../initramfs-tee-supplicant-hook_0.1.bb | 4 ++--
> > 2 files changed, 4 insertions(+), 4 deletions(-)
> > 
> > diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/
> initramfs-tee-ftpm-hook_0.1.bb 
> b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/
> initramfs-tee-ftpm-hook_0.1.bb
> > index db38e618..82fec1bb 100644
> > --- a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/
> initramfs-tee-ftpm-hook_0.1.bb
> > +++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/
> initramfs-tee-ftpm-hook_0.1.bb
> > @@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools"
> > 
> > do_install[cleandirs] += " \
> > ${D}/usr/share/initramfs-tools/hooks \
> > - ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> > + ${D}/usr/share/initramfs-tools/scripts/local-top"
> > 
> > do_install() {
> > install -m 0755 "${WORKDIR}/tee-ftpm.hook" \
> > "${D}/usr/share/initramfs-tools/hooks/tee-ftpm"
> > install -m 0755 "${WORKDIR}/tee-ftpm.script" \
> > - "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-ftpm"
> > + "${D}/usr/share/initramfs-tools/scripts/local-top/tee-ftpm"
> > }
> > diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/
> initramfs-tee-supplicant-hook_0.1.bb 
> b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/
> initramfs-tee-supplicant-hook_0.1.bb
> > index 3768b8e0..a7a19bee 100644
> > --- a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/
> initramfs-tee-supplicant-hook_0.1.bb
> > +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/
> initramfs-tee-supplicant-hook_0.1.bb
> > @@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools, tee-supplicant, 
> procps"
> > 
> > do_install[cleandirs] += " \
> > ${D}/usr/share/initramfs-tools/hooks \
> > - ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> > + ${D}/usr/share/initramfs-tools/scripts/local-top"
> > 
> > do_install() {
> > install -m 0755 "${WORKDIR}/tee-supplicant.hook" \
> > "${D}/usr/share/initramfs-tools/hooks/tee-supplicant"
> > install -m 0755 "${WORKDIR}/tee-supplicant.script" \
> > - "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-supplicant"
> > + "${D}/usr/share/initramfs-tools/scripts/local-top/tee-supplicant"
> > }
>
> -- 
> Siemens AG, Technology
> Linux Expert Center
>
>

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/isar-users/325084db-4440-4e5b-835c-8bb74a088f92n%40googlegroups.com.

[-- Attachment #1.2: Type: text/html, Size: 8294 bytes --]

Re: [PATCH] initramfs: move fTPM and tee-supplicant initialization to local-top stage

[Rakesh Kumar]

[-- Attachment #1.1: Type: text/plain, Size: 4645 bytes --]

Hi all,

Any update on this patch?

Rakesh

On Wednesday, July 10, 2024 at 6:57:20 PM UTC+5:30 Rakesh Kumar wrote:

> thanks, Jan Kiszka, for pointing that out!  I have made the corrections 
> in git message now. 
>
>
>
>
> Regards,
> Rakesh
>
> On Wednesday, July 10, 2024 at 4:51:11 PM UTC+5:30 Jan Kiszka wrote:
>
>> On 10.07.24 07:33, Rakesh Kumar wrote: 
>> > To ensure proper initialization of the fTPM and tee-supplicant services 
>> before 
>> > the root filesystem is mounted, we are relocating their initialization 
>> to the 
>> > local-top section of initramfs. This change ensures that the encrypted 
>> filesystems 
>> > are properly initialized and ready for use before the root filesystem 
>> is mounted at 
>> > local-bottom stage. 
>>
>> Close but not fully correct: The rootfs is mounted AFTER the top stage 
>> and BEFORE bottom. 
>>
>> > 
>> > Reason for local-top: 
>> > 
>> > * Early Initialization: The local-top scripts run before the root 
>> filesystem is mounted. 
>> > This timing is essential for encrypted root filesystems since the 
>> decryption process must be 
>> > completed before the filesystem can be accessed. 
>> > 
>> > * Dependency Handling: The encryption setup requires initializing 
>> dependencies such as 
>> > fTPM (firmware Trusted Platform Module) devices. Performing these tasks 
>> early in the boot process 
>> > ensures that all necessary components are in place before the root 
>> filesystem is mounted. 
>>
>> This will still need some isar-cip-core patch in order to add a PREREQ 
>> on fTPM if a concrete target using fTPM for disk encryption. But Quirin 
>> just had another idea, leaving the stage to him now. :) 
>>
>> Jan 
>>
>> > 
>> > Signed-off-by: Rakesh Kumar <kumar....@siemens.com> 
>> > --- 
>> > .../initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb | 4 ++-- 
>> > .../initramfs-tee-supplicant-hook_0.1.bb | 4 ++-- 
>> > 2 files changed, 4 insertions(+), 4 deletions(-) 
>> > 
>> > diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/
>> initramfs-tee-ftpm-hook_0.1.bb 
>> b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/
>> initramfs-tee-ftpm-hook_0.1.bb 
>> > index db38e618..82fec1bb 100644 
>> > --- a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/
>> initramfs-tee-ftpm-hook_0.1.bb 
>> > +++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/
>> initramfs-tee-ftpm-hook_0.1.bb 
>> > @@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools" 
>> > 
>> > do_install[cleandirs] += " \ 
>> > ${D}/usr/share/initramfs-tools/hooks \ 
>> > - ${D}/usr/share/initramfs-tools/scripts/local-bottom" 
>> > + ${D}/usr/share/initramfs-tools/scripts/local-top" 
>> > 
>> > do_install() { 
>> > install -m 0755 "${WORKDIR}/tee-ftpm.hook" \ 
>> > "${D}/usr/share/initramfs-tools/hooks/tee-ftpm" 
>> > install -m 0755 "${WORKDIR}/tee-ftpm.script" \ 
>> > - "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-ftpm" 
>> > + "${D}/usr/share/initramfs-tools/scripts/local-top/tee-ftpm" 
>> > } 
>> > diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/
>> initramfs-tee-supplicant-hook_0.1.bb 
>> b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/
>> initramfs-tee-supplicant-hook_0.1.bb 
>> > index 3768b8e0..a7a19bee 100644 
>> > --- a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/
>> initramfs-tee-supplicant-hook_0.1.bb 
>> > +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/
>> initramfs-tee-supplicant-hook_0.1.bb 
>> > @@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools, tee-supplicant, 
>> procps" 
>> > 
>> > do_install[cleandirs] += " \ 
>> > ${D}/usr/share/initramfs-tools/hooks \ 
>> > - ${D}/usr/share/initramfs-tools/scripts/local-bottom" 
>> > + ${D}/usr/share/initramfs-tools/scripts/local-top" 
>> > 
>> > do_install() { 
>> > install -m 0755 "${WORKDIR}/tee-supplicant.hook" \ 
>> > "${D}/usr/share/initramfs-tools/hooks/tee-supplicant" 
>> > install -m 0755 "${WORKDIR}/tee-supplicant.script" \ 
>> > - "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-supplicant" 
>> > + "${D}/usr/share/initramfs-tools/scripts/local-top/tee-supplicant" 
>> > } 
>>
>> -- 
>> Siemens AG, Technology 
>> Linux Expert Center 
>>
>>

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/isar-users/70361b22-2139-4644-9946-c0e7c482f767n%40googlegroups.com.

[-- Attachment #1.2: Type: text/html, Size: 8612 bytes --]

RE: [PATCH] initramfs: move fTPM and tee-supplicant initialization to local-top stage

['Kumar, Rakesh' via isar-users]

Hi all,

Any updates on this patch.

If this patch needs any correction/improvement then please give your inputs on this.

Regards,
Rakesh

-----Original Message-----
From: Kiszka, Jan (T CED) <jan.kiszka@siemens.com> 
Sent: 10 July 2024 16:51
To: Kumar, Rakesh (DI CTO FDS CES LX PBU 1) <kumar.rakesh@siemens.com>; isar-users@googlegroups.com; Gylstorff, Quirin (T CED OES-DE) <quirin.gylstorff@siemens.com>
Cc: Hombourger, Cedric (DI CTO FDS CES LX) <cedric.hombourger@siemens.com>
Subject: Re: [PATCH] initramfs: move fTPM and tee-supplicant initialization to local-top stage

On 10.07.24 07:33, Rakesh Kumar wrote:
> To ensure proper initialization of the fTPM and tee-supplicant 
> services before the root filesystem is mounted, we are relocating 
> their initialization to the local-top section of initramfs. This 
> change ensures that the encrypted filesystems are properly initialized 
> and ready for use before the root filesystem is mounted at local-bottom stage.

Close but not fully correct: The rootfs is mounted AFTER the top stage and BEFORE bottom.

> 
> Reason for local-top:
> 
> * Early Initialization: The local-top scripts run before the root filesystem is mounted.
>   This timing is essential for encrypted root filesystems since the decryption process must be
>   completed before the filesystem can be accessed.
> 
> * Dependency Handling: The encryption setup requires initializing dependencies such as
>   fTPM (firmware Trusted Platform Module) devices. Performing these tasks early in the boot process
>   ensures that all necessary components are in place before the root filesystem is mounted.

This will still need some isar-cip-core patch in order to add a PREREQ on fTPM if a concrete target using fTPM for disk encryption. But Quirin just had another idea, leaving the stage to him now. :)

Jan

> 
> Signed-off-by: Rakesh Kumar <kumar.rakesh@siemens.com>
> ---
>  .../initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb    | 4 ++--
>  .../initramfs-tee-supplicant-hook_0.1.bb                      | 4 ++--
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git 
> a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-ho
> ok_0.1.bb 
> b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-ho
> ok_0.1.bb
> index db38e618..82fec1bb 100644
> --- 
> a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-ho
> ok_0.1.bb
> +++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftp
> +++ m-hook_0.1.bb
> @@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools"
>  
>  do_install[cleandirs] += " \
>      ${D}/usr/share/initramfs-tools/hooks \
> -    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> +    ${D}/usr/share/initramfs-tools/scripts/local-top"
>  
>  do_install() {
>      install -m 0755 "${WORKDIR}/tee-ftpm.hook" \
>          "${D}/usr/share/initramfs-tools/hooks/tee-ftpm"
>      install -m 0755 "${WORKDIR}/tee-ftpm.script" \
> -        "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-ftpm"
> +        "${D}/usr/share/initramfs-tools/scripts/local-top/tee-ftpm"
>  }
> diff --git 
> a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-s
> upplicant-hook_0.1.bb 
> b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-s
> upplicant-hook_0.1.bb
> index 3768b8e0..a7a19bee 100644
> --- 
> a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-tee-s
> upplicant-hook_0.1.bb
> +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-t
> +++ ee-supplicant-hook_0.1.bb
> @@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools, tee-supplicant, procps"
>  
>  do_install[cleandirs] += " \
>      ${D}/usr/share/initramfs-tools/hooks \
> -    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> +    ${D}/usr/share/initramfs-tools/scripts/local-top"
>  
>  do_install() {
>      install -m 0755 "${WORKDIR}/tee-supplicant.hook" \
>          "${D}/usr/share/initramfs-tools/hooks/tee-supplicant"
>      install -m 0755 "${WORKDIR}/tee-supplicant.script" \
> -        "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-supplicant"
> +        "${D}/usr/share/initramfs-tools/scripts/local-top/tee-supplicant"
>  }

--
Siemens AG, Technology
Linux Expert Center

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/isar-users/SG2PR06MB5189A49EE62C2C306267649297A82%40SG2PR06MB5189.apcprd06.prod.outlook.com.

Re: [PATCH] initramfs: move fTPM and tee-supplicant initialization to local-top stage

[Uladzimir Bely]

On Mon, 2024-07-22 at 05:43 +0000, 'Kumar, Rakesh' via isar-users
wrote:
> Hi all,
> 
> Any updates on this patch.
> 
> If this patch needs any correction/improvement then please give your
> inputs on this.
> 

We are going to check the patch in CI and merge as usually. A delay in
testing is due, among other things, to the lack of "v2" suffix in new
patch version. So, in e-mail hierarchy it still looks like first
version of the patch under discussion. Please further use "v2", "v3...
when sending new versions of the patches.


> Regards,
> Rakesh
> 
> -----Original Message-----
> From: Kiszka, Jan (T CED) <jan.kiszka@siemens.com> 
> Sent: 10 July 2024 16:51
> To: Kumar, Rakesh (DI CTO FDS CES LX PBU 1)
> <kumar.rakesh@siemens.com>; isar-users@googlegroups.com; Gylstorff,
> Quirin (T CED OES-DE) <quirin.gylstorff@siemens.com>
> Cc: Hombourger, Cedric (DI CTO FDS CES LX)
> <cedric.hombourger@siemens.com>
> Subject: Re: [PATCH] initramfs: move fTPM and tee-supplicant
> initialization to local-top stage
> 
> On 10.07.24 07:33, Rakesh Kumar wrote:
> > To ensure proper initialization of the fTPM and tee-supplicant 
> > services before the root filesystem is mounted, we are relocating 
> > their initialization to the local-top section of initramfs. This 
> > change ensures that the encrypted filesystems are properly
> > initialized 
> > and ready for use before the root filesystem is mounted at local-
> > bottom stage.
> 
> Close but not fully correct: The rootfs is mounted AFTER the top
> stage and BEFORE bottom.
> 
> > 
> > Reason for local-top:
> > 
> > * Early Initialization: The local-top scripts run before the root
> > filesystem is mounted.
> >   This timing is essential for encrypted root filesystems since the
> > decryption process must be
> >   completed before the filesystem can be accessed.
> > 
> > * Dependency Handling: The encryption setup requires initializing
> > dependencies such as
> >   fTPM (firmware Trusted Platform Module) devices. Performing these
> > tasks early in the boot process
> >   ensures that all necessary components are in place before the
> > root filesystem is mounted.
> 
> This will still need some isar-cip-core patch in order to add a
> PREREQ on fTPM if a concrete target using fTPM for disk encryption.
> But Quirin just had another idea, leaving the stage to him now. :)
> 
> Jan
> 
> > 
> > Signed-off-by: Rakesh Kumar <kumar.rakesh@siemens.com>
> > ---
> >  .../initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb    | 4
> > ++--
> >  .../initramfs-tee-supplicant-hook_0.1.bb                      | 4
> > ++--
> >  2 files changed, 4 insertions(+), 4 deletions(-)
> > 
> > diff --git 
> > a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-
> > ftpm-ho
> > ok_0.1.bb 
> > b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-
> > ftpm-ho
> > ok_0.1.bb
> > index db38e618..82fec1bb 100644
> > --- 
> > a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-
> > ftpm-ho
> > ok_0.1.bb
> > +++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-
> > ftp
> > +++ m-hook_0.1.bb
> > @@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools"
> >  
> >  do_install[cleandirs] += " \
> >      ${D}/usr/share/initramfs-tools/hooks \
> > -    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> > +    ${D}/usr/share/initramfs-tools/scripts/local-top"
> >  
> >  do_install() {
> >      install -m 0755 "${WORKDIR}/tee-ftpm.hook" \
> >          "${D}/usr/share/initramfs-tools/hooks/tee-ftpm"
> >      install -m 0755 "${WORKDIR}/tee-ftpm.script" \
> > -        "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-
> > ftpm"
> > +        "${D}/usr/share/initramfs-tools/scripts/local-top/tee-
> > ftpm"
> >  }
> > diff --git 
> > a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-
> > tee-s
> > upplicant-hook_0.1.bb 
> > b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-
> > tee-s
> > upplicant-hook_0.1.bb
> > index 3768b8e0..a7a19bee 100644
> > --- 
> > a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-
> > tee-s
> > upplicant-hook_0.1.bb
> > +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-
> > hook/initramfs-t
> > +++ ee-supplicant-hook_0.1.bb
> > @@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools, tee-
> > supplicant, procps"
> >  
> >  do_install[cleandirs] += " \
> >      ${D}/usr/share/initramfs-tools/hooks \
> > -    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> > +    ${D}/usr/share/initramfs-tools/scripts/local-top"
> >  
> >  do_install() {
> >      install -m 0755 "${WORKDIR}/tee-supplicant.hook" \
> >          "${D}/usr/share/initramfs-tools/hooks/tee-supplicant"
> >      install -m 0755 "${WORKDIR}/tee-supplicant.script" \
> > -        "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-
> > supplicant"
> > +        "${D}/usr/share/initramfs-tools/scripts/local-top/tee-
> > supplicant"
> >  }
> 
> --
> Siemens AG, Technology
> Linux Expert Center
> 

-- 
Best regards,
Uladzimir.



-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/isar-users/5a0e3e458a2e951d09b435c96e05bb0cd0f4c5e1.camel%40ilbers.de.

Re: [PATCH] initramfs: move fTPM and tee-supplicant initialization to local-top stage

[Rakesh Kumar]

[-- Attachment #1.1: Type: text/plain, Size: 5956 bytes --]

Sure Uladzimir, I will take care of that going forward. thanks! 


Regards,
Rakesh

On Monday, July 22, 2024 at 2:22:35 PM UTC+5:30 Uladzimir Bely wrote:

> On Mon, 2024-07-22 at 05:43 +0000, 'Kumar, Rakesh' via isar-users
> wrote:
> > Hi all,
> > 
> > Any updates on this patch.
> > 
> > If this patch needs any correction/improvement then please give your
> > inputs on this.
> > 
>
> We are going to check the patch in CI and merge as usually. A delay in
> testing is due, among other things, to the lack of "v2" suffix in new
> patch version. So, in e-mail hierarchy it still looks like first
> version of the patch under discussion. Please further use "v2", "v3...
> when sending new versions of the patches.
>
>
> > Regards,
> > Rakesh
> > 
> > -----Original Message-----
> > From: Kiszka, Jan (T CED) <jan.k...@siemens.com> 
> > Sent: 10 July 2024 16:51
> > To: Kumar, Rakesh (DI CTO FDS CES LX PBU 1)
> > <kumar....@siemens.com>; isar-...@googlegroups.com; Gylstorff,
> > Quirin (T CED OES-DE) <quirin.g...@siemens.com>
> > Cc: Hombourger, Cedric (DI CTO FDS CES LX)
> > <cedric.h...@siemens.com>
> > Subject: Re: [PATCH] initramfs: move fTPM and tee-supplicant
> > initialization to local-top stage
> > 
> > On 10.07.24 07:33, Rakesh Kumar wrote:
> > > To ensure proper initialization of the fTPM and tee-supplicant 
> > > services before the root filesystem is mounted, we are relocating 
> > > their initialization to the local-top section of initramfs. This 
> > > change ensures that the encrypted filesystems are properly
> > > initialized 
> > > and ready for use before the root filesystem is mounted at local-
> > > bottom stage.
> > 
> > Close but not fully correct: The rootfs is mounted AFTER the top
> > stage and BEFORE bottom.
> > 
> > > 
> > > Reason for local-top:
> > > 
> > > * Early Initialization: The local-top scripts run before the root
> > > filesystem is mounted.
> > >   This timing is essential for encrypted root filesystems since the
> > > decryption process must be
> > >   completed before the filesystem can be accessed.
> > > 
> > > * Dependency Handling: The encryption setup requires initializing
> > > dependencies such as
> > >   fTPM (firmware Trusted Platform Module) devices. Performing these
> > > tasks early in the boot process
> > >   ensures that all necessary components are in place before the
> > > root filesystem is mounted.
> > 
> > This will still need some isar-cip-core patch in order to add a
> > PREREQ on fTPM if a concrete target using fTPM for disk encryption.
> > But Quirin just had another idea, leaving the stage to him now. :)
> > 
> > Jan
> > 
> > > 
> > > Signed-off-by: Rakesh Kumar <kumar....@siemens.com>
> > > ---
> > >  .../initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb    | 4
> > > ++--
> > >  .../initramfs-tee-supplicant-hook_0.1.bb                      | 4
> > > ++--
> > >  2 files changed, 4 insertions(+), 4 deletions(-)
> > > 
> > > diff --git 
> > > a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-
> > > ftpm-ho
> > > ok_0.1.bb 
> > > b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-
> > > ftpm-ho
> > > ok_0.1.bb
> > > index db38e618..82fec1bb 100644
> > > --- 
> > > a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-
> > > ftpm-ho
> > > ok_0.1.bb
> > > +++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-
> > > ftp
> > > +++ m-hook_0.1.bb
> > > @@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools"
> > >  
> > >  do_install[cleandirs] += " \
> > >      ${D}/usr/share/initramfs-tools/hooks \
> > > -    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> > > +    ${D}/usr/share/initramfs-tools/scripts/local-top"
> > >  
> > >  do_install() {
> > >      install -m 0755 "${WORKDIR}/tee-ftpm.hook" \
> > >          "${D}/usr/share/initramfs-tools/hooks/tee-ftpm"
> > >      install -m 0755 "${WORKDIR}/tee-ftpm.script" \
> > > -        "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-
> > > ftpm"
> > > +        "${D}/usr/share/initramfs-tools/scripts/local-top/tee-
> > > ftpm"
> > >  }
> > > diff --git 
> > > a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-
> > > tee-s
> > > upplicant-hook_0.1.bb 
> > > b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-
> > > tee-s
> > > upplicant-hook_0.1.bb
> > > index 3768b8e0..a7a19bee 100644
> > > --- 
> > > a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-
> > > tee-s
> > > upplicant-hook_0.1.bb
> > > +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-
> > > hook/initramfs-t
> > > +++ ee-supplicant-hook_0.1.bb
> > > @@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools, tee-
> > > supplicant, procps"
> > >  
> > >  do_install[cleandirs] += " \
> > >      ${D}/usr/share/initramfs-tools/hooks \
> > > -    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> > > +    ${D}/usr/share/initramfs-tools/scripts/local-top"
> > >  
> > >  do_install() {
> > >      install -m 0755 "${WORKDIR}/tee-supplicant.hook" \
> > >          "${D}/usr/share/initramfs-tools/hooks/tee-supplicant"
> > >      install -m 0755 "${WORKDIR}/tee-supplicant.script" \
> > > -        "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-
> > > supplicant"
> > > +        "${D}/usr/share/initramfs-tools/scripts/local-top/tee-
> > > supplicant"
> > >  }
> > 
> > --
> > Siemens AG, Technology
> > Linux Expert Center
> > 
>
> -- 
> Best regards,
> Uladzimir.
>
>
>
>

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/isar-users/1520ebfe-5e48-4866-b4be-c9090a17e1fcn%40googlegroups.com.

[-- Attachment #1.2: Type: text/html, Size: 10467 bytes --]

Re: [PATCH] initramfs: move fTPM and tee-supplicant initialization to local-top stage

[Uladzimir Bely]

On Wed, 2024-07-10 at 11:03 +0530, 'Rakesh Kumar' via isar-users wrote:
> To ensure proper initialization of the fTPM and tee-supplicant
> services before
> the root filesystem is mounted, we are relocating their
> initialization to the
> local-top section of initramfs. This change ensures that the
> encrypted filesystems
> are properly initialized and ready for use before the root filesystem
> is mounted at
> local-bottom stage.
> 
> Reason for local-top:
> 
> * Early Initialization: The local-top scripts run before the root
> filesystem is mounted.
>   This timing is essential for encrypted root filesystems since the
> decryption process must be
>   completed before the filesystem can be accessed.
> 
> * Dependency Handling: The encryption setup requires initializing
> dependencies such as
>   fTPM (firmware Trusted Platform Module) devices. Performing these
> tasks early in the boot process
>   ensures that all necessary components are in place before the root
> filesystem is mounted.
> 
> Signed-off-by: Rakesh Kumar <kumar.rakesh@siemens.com>
> ---
>  .../initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb    | 4
> ++--
>  .../initramfs-tee-supplicant-hook_0.1.bb                      | 4
> ++--
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/meta/recipes-initramfs/initramfs-tee-ftpm-
> hook/initramfs-tee-ftpm-hook_0.1.bb b/meta/recipes-
> initramfs/initramfs-tee-ftpm-hook/initramfs-tee-ftpm-hook_0.1.bb
> index db38e618..82fec1bb 100644
> --- a/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-
> ftpm-hook_0.1.bb
> +++ b/meta/recipes-initramfs/initramfs-tee-ftpm-hook/initramfs-tee-
> ftpm-hook_0.1.bb
> @@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools"
>  
>  do_install[cleandirs] += " \
>      ${D}/usr/share/initramfs-tools/hooks \
> -    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> +    ${D}/usr/share/initramfs-tools/scripts/local-top"
>  
>  do_install() {
>      install -m 0755 "${WORKDIR}/tee-ftpm.hook" \
>          "${D}/usr/share/initramfs-tools/hooks/tee-ftpm"
>      install -m 0755 "${WORKDIR}/tee-ftpm.script" \
> -        "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-
> ftpm"
> +        "${D}/usr/share/initramfs-tools/scripts/local-top/tee-ftpm"
>  }
> diff --git a/meta/recipes-initramfs/initramfs-tee-supplicant-
> hook/initramfs-tee-supplicant-hook_0.1.bb b/meta/recipes-
> initramfs/initramfs-tee-supplicant-hook/initramfs-tee-supplicant-
> hook_0.1.bb
> index 3768b8e0..a7a19bee 100644
> --- a/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-
> tee-supplicant-hook_0.1.bb
> +++ b/meta/recipes-initramfs/initramfs-tee-supplicant-hook/initramfs-
> tee-supplicant-hook_0.1.bb
> @@ -17,11 +17,11 @@ DEBIAN_DEPENDS = "initramfs-tools, tee-
> supplicant, procps"
>  
>  do_install[cleandirs] += " \
>      ${D}/usr/share/initramfs-tools/hooks \
> -    ${D}/usr/share/initramfs-tools/scripts/local-bottom"
> +    ${D}/usr/share/initramfs-tools/scripts/local-top"
>  
>  do_install() {
>      install -m 0755 "${WORKDIR}/tee-supplicant.hook" \
>          "${D}/usr/share/initramfs-tools/hooks/tee-supplicant"
>      install -m 0755 "${WORKDIR}/tee-supplicant.script" \
> -        "${D}/usr/share/initramfs-tools/scripts/local-bottom/tee-
> supplicant"
> +        "${D}/usr/share/initramfs-tools/scripts/local-top/tee-
> supplicant"
>  }
> -- 
> 2.39.2
> 

Applied v2 to next, thanks.

-- 
Best regards,
Uladzimir.



-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/isar-users/e5cf41d3a2a12ec0b26c7d920cf8138073b7e8ea.camel%40ilbers.de.