Hi all, I'm moving here discussion that I started with Jarkko and Peter on LinkedIn. I'm preparing for 2 talks during LPC 2019 System Boot MC and one of it will discuss TPM 2.0 sysfs support [1]. This was discussed couple times [2] and explained why it is not done yet by Jarkko [3]. Why is this important? - there seem to be no default method to distinguish if we dealing with TPM 1.2 or 2.0 in the system - distros use various tools to detect TPM based on sysfs (e.g. Qubes OS scripts) - tpm2-software has ton of dependencies, is not easy to build, development is way faster then distros can manage and packages are often out of date or even broken, so using it can be troublesome - for deeply embedded systems adding fully-featured tpm2-software doesn't make sense e.g. if we just need PCRs values Jarkko comment on detecting 1.2 vs 2.0: "Detecting TPM 2.0 is dead easy: send any idempotent TPM 2.0 command and check if the tag field matches 0x8002 (TPM_NO_SESSIONS). The sysfs features for TPM 1.2 are for the large part useless as you can get the same data by using TPM commands." Ok, but doesn't this mean I need TPM2 software stack? Peter mentioned that it can be tricky to invoke such tools early in boot process. Finally, I do not feel expert in the field of Linux integrity and don't want to argue for sysfs if it doesn't make sense for TPM 2.0, but if that's the situation I would like to know what are the best practices to solve above issues. If you think there is something important to be discussed in above context please let me know. [1] https://linuxplumbersconf.org/event/4/contributions/516/ [2] https://patchwork.kernel.org/project/linux-integrity/list/?series=&submitter=&state=*&q=sysfs&archive=&delegate= [3] https://lwn.net/Articles/624241/ Best Regards, -- Piotr Król Embedded Systems Consultant GPG: B2EE71E967AA9E4C https://3mdeb.com | @3mdeb_com
