
TPM2 - modules / tpmx / nitropc-v2 #1109

Closed
wants to merge 9 commits into from

Conversation

daringer
Collaborator

@daringer daringer commented Feb 6, 2022

  • WIP: Add support for TPM2 in all shell scripts #1031 and TPM2 support #893 on top of the current master
  • new board nitropc_v2 is essentially a librem_mini_v2 / nitropc + tpm2 (not working due to some missing config-hacks I did inside coreboot, will pack them into a patch soon)
  • anyone crazy enough to test this on a supported platform is highly welcome to feedback, although I haven't had the chance to test @aesrentai's tpmx approach yet

expect this to change a lot, this is WIP

osresearch and others added 9 commits February 6, 2022 17:12
Signed-off-by: Trammell Hudson <[email protected]>
TPM2 cannot extend shell functions, only full binaries.  Thus move
recovery to its own file in /bin as it's the most common thing to be
extended.  An alternative is to use the tpm2 pcrextend with a
precomputed pcr digest, however that will not allow the use of the
generic tpm_extend function.

Signed-off-by: Cody Ho <[email protected]>
Used to abstract away all the differences between TPM1.2 and TPM2.
Eventually all code should be written to use this abstraction layer.

Signed-off-by: Cody Ho <[email protected]>
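The two commit messages above rest on one property of both TPM generations: a PCR is never set, only extended, and the TPM only ever sees a digest, so a file such as /bin/recovery can be measured from its bytes while a shell function needs a precomputed digest, and the verifier has to know exactly which bytes were digested. The following is an added example, not Heads or tpmx code, that models the extend operation for both banks tpmx abstracts over and replays an event list the way an attestation check would. It assumes the TPM 1.2 bank is SHA-1 and the TPM2 bank in use is SHA-256, and the "recovery binary" and "shell function" blobs are constructed stand-ins.

```python
import hashlib

# Added example, not Heads or tpmx code. Assumption: TPM 1.2 PCRs live in a
# SHA-1 bank (20 bytes) and the TPM2 bank being used is SHA-256 (32 bytes).
BANK = {"tpm1": "sha1", "tpm2": "sha256"}


def initial_pcr(tpm):
    """Resettable measured-boot PCRs start as all-zero bytes of the bank's digest size."""
    return bytes(hashlib.new(BANK[tpm]).digest_size)


def measure(data, tpm):
    """Digest of a measured object, e.g. the bytes of /bin/recovery."""
    return hashlib.new(BANK[tpm], data).digest()


def pcr_extend(pcr, digest, tpm):
    """Extend operation shared by both generations: PCR_new = H(PCR_old || digest).

    The TPM never hashes the object itself; callers pass a digest. Extending a
    shell function therefore means precomputing the digest of the function text
    (the tpm2 pcrextend alternative the commit message mentions).
    """
    h = hashlib.new(BANK[tpm])
    if len(digest) != h.digest_size:
        raise ValueError("digest length does not match the %s bank" % BANK[tpm])
    h.update(pcr)
    h.update(digest)
    return h.digest()


def replay_log(events, tpm):
    """Recompute the PCR a verifier expects from the ordered list of measured blobs."""
    pcr = initial_pcr(tpm)
    for blob in events:
        pcr = pcr_extend(pcr, measure(blob, tpm), tpm)
    return pcr


def verify_pcr(events, reported_pcr, tpm):
    """Attestation-side check: does the reported PCR match the expected event log?"""
    return replay_log(events, tpm) == reported_pcr


# Constructed sample inputs: stand-ins for the recovery binary and a shell function body.
RECOVERY_BIN = b"#!/bin/sh\n# constructed stand-in for /bin/recovery\nexec /bin/sh\n"
SHELL_FUNC = b"recovery() { echo 'constructed stand-in'; }\n"

if __name__ == "__main__":
    for tpm in ("tpm1", "tpm2"):
        print(tpm, replay_log([RECOVERY_BIN, SHELL_FUNC], tpm).hex())
```

Because extension is order-dependent and one-way, a verifier that wants to accept a given PCR value must hold the exact bytes (or digests) of every object in the order they were extended; changing one byte of the function body, or swapping the order, yields an unrelated value, which is why a measured object living as a file in /bin is simpler to reproduce than a function inside a larger script.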
Board-specific scripts (i.e. t430-flash) have not been modified.

Signed-off-by: Cody Ho <[email protected]>
Also remove most of tpm-reset and just call the tpmx code directly.
It's being left in because many guides on the internet still have
references to tpm-reset in them, so removing it may create unnecessary
confusion.

Signed-off-by: Cody Ho <[email protected]>
Contains various code cleanups and a note to retrieve USB device branding from
USB device info, not just checking vendor id
@tlaurion
Collaborator

@daringer Does not build?! public key missing?! See CircleCI logs!

@daringer
Collaborator Author

I broke my circleci, need to check, but currently does not build yet, it is missing the coreboot hack, although it should build for other platforms but also not tested yet ...

@tlaurion tlaurion marked this pull request as draft June 22, 2022 14:01
@tlaurion
Collaborator

@daringer : converted to draft. Updates?

@tlaurion
Collaborator

Why not hardenedvault/vaultboot@4506fc2

@tlaurion
Collaborator

I completely forgot where I was, however, so I'll get back to you late this week on why I didn't just copy the entire hardenedvault wrapper-- I remember I had a reason but honestly I forgot what it was.

@daringer @aesrentai We are at a stage, with KVM/QEMU support under #1188 for swtpm HOTP and local testing, to take a leadership decision on what implementation to choose and go forward.

Personally, I would take @root-hardenedvault implementation, based on #893 and #907 prior work and go from there, making hardenedvault approach upstream (tested and used in hardware already).

@aesrentai @daringer : your input on his approach and why you decided to create/use another one (while similar to #1109) would be interesting prior to going forward.

#1188 board configurations can be reused easily to create -tpm2 instead of tpm in additional board configurations to test without real hardware first. #1188 will be merged soon.

I'm asking for your input, since I would take that ball and move it forward under paid grant application work, thanks to Nlnet.

Originally posted by @tlaurion in #1031 (comment)

@tlaurion
Collaborator

Superseded by #1292

@tlaurion tlaurion closed this Mar 13, 2023
@tlaurion tlaurion added the Bounty/Donations expected Work could/should be funded by interested stakeholder label Nov 28, 2024
4 participants