Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)


 



Hi,

On Mon, Feb 19, 2024 at 11:47:52AM +0100, Lennart Poettering wrote:
> On Fr, 16.02.24 11:28, Mikko Rapeli (mikko.rapeli@xxxxxxxxxx) wrote:
> 
> > Support for fTPM devices is problematic. First, the kernel support must be modules
> > but loading needs to be specially handled after starting tee-supplicant. For normal
> > boot udev handles optee detection and triggers tee-supplicant@teepriv0.service
> > startup which unloads tpm_ftpm_tee kernel module, starts tee-supplicant and then
> > loads the kernel module again. After this RPMB works. To do the same in initramfs, I added
> > Wants: and After: dependencies from systemd-repart.service, systemd-cryptsetup@.service,
> > systemd-pcrmachine.service and systemd-pcrphase-initrd.service:
> 
> Kernel module unloading is not supposed to happen in clean
> codepaths. It's a debug/development feature, it's not safe to do as
> part of regular boot.
> 
> But why do you need to unload a kernel module at all? That smells...

Yes, I agree that this smells bad but it's the current optee/ftpm/kernel implementation
which requires tee-supplicant in userspace to be running at module load time for RPMB to work.
AFAIK there is some work ongoing to fix this and support RPMB directly from optee kernel
drivers.

Cheers,

-Mikko


