mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-25 15:41:07 +00:00
6923fb5e20
-coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations) -swtpm set to be launched under TPM v2.0 mode under board config -Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized) This is skeleton for TPM v2 integration under Heads ------------- WiP TODO: - libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built - Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing - init tries to bind fd and fails currently - Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output - When no OS' /boot can be mounted, do not try to TPM reset (will fail) - seal-hotpkey is not working properly - setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM) - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase. - primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup - would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only - tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help. - Implementing them would be better - REVIEW TODOS IN CODE - READD CIRCLECI CONFIG Current state: - TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid) - TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without. - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails. - Current tests are with fbwhiptail (no clear called so having traces on command line of what happens) - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
41 lines
1.3 KiB
Makefile
41 lines
1.3 KiB
Makefile
# TPM2 TSS library
|
|
modules-$(CONFIG_TPM2_TSS) += tpm2-tss
|
|
|
|
tpm2-tss_version := 3.2.0
|
|
tpm2-tss_dir := tpm2-tss-$(tpm2-tss_version)
|
|
tpm2-tss_tar := tpm2-tss-$(tpm2-tss_version).tar.gz
|
|
tpm2-tss_url := https://github.com/tpm2-software/tpm2-tss/releases/download/$(tpm2-tss_version)/$(tpm2-tss_tar)
|
|
tpm2-tss_hash := 48305e4144dcf6d10f3b25b7bccf0189fd2d1186feafd8cd68c6b17ecf0d7912
|
|
|
|
tpm2-tss_configure := aclocal && automake --add-missing && autoreconf -fi \
|
|
&& ./configure \
|
|
$(CROSS_TOOLS) \
|
|
--host $(MUSL_ARCH)-elf-linux \
|
|
--prefix "/" \
|
|
--disable-doxygen-doc \
|
|
--disable-doxygen-man \
|
|
--disable-doxygen-rtf \
|
|
--disable-doxygen-html \
|
|
--disable-fapi \
|
|
|
|
# Run one build to generate the executables with the pre-defined
|
|
# exec_prefix and datarootdir, then a second make to install the binaries
|
|
# into our actual target location
|
|
|
|
tpm2-tss_target := $(MAKE_JOBS) \
|
|
DESTDIR="$(INSTALL)" \
|
|
$(CROSS_TOOLS) \
|
|
install \
|
|
|
|
# tpm2 binary wants to dlopen some libraries, so be sure that
|
|
# they are available. It would be nice to statically link these.
|
|
tpm2-tss_libraries := \
|
|
src/tss2-rc/.libs/libtss2-rc.so.0 \
|
|
src/tss2-mu/.libs/libtss2-mu.so.0 \
|
|
src/tss2-sys/.libs/libtss2-sys.so.1 \
|
|
src/tss2-esys/.libs/libtss2-esys.so.0 \
|
|
src/tss2-tcti/.libs/libtss2-tctildr.so.0 \
|
|
src/tss2-tcti/.libs/libtss2-tcti-device.so.0 \
|
|
|
|
tpm2-tss_depends := openssl $(musl_dep)
|