[11/13] kernel: Enable support for TPM hardware

Message ID 20210917114229.10704-11-michael.tremer@ipfire.org
State Staged
Commit b7ed5dc81796dbc49b48306259bd72fbd35c107f
Series [01/13] kernel: Change timer tick to 1000Hz | expand

Commit Message

Michael Tremer Sept. 17, 2021, 11:42 a.m. UTC
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire | 15 ++++++++++++++-
 config/kernel/kernel.config.armv6l-ipfire  | 12 +++++++++++-
 config/kernel/kernel.config.i586-ipfire    | 16 +++++++++++++++-
 config/kernel/kernel.config.x86_64-ipfire  | 17 ++++++++++++++++-
 4 files changed, 56 insertions(+), 4 deletions(-)

Comments

Peter Müller Sept. 18, 2021, 4:15 p.m. UTC | #1
Hello Michael,
hello *,

just a small comment for the records: As discussed in the last monthly telephone
conference (https://wiki.ipfire.org/devel/telco/2021-09-06), we will use a TPM only
for HWRNG purposes. Nothing else will depend on it, as there is nothing relevant
left to be locked down in IPFire thanks to enforced kernel module signing.

So no user needs to worry that introducing TPM support comes with a lack of
digital sovereignty - that is, if something like this even exists on today's hardware. :-)

Acked-by: Peter Müller <peter.mueller@ipfire.org>

Thanks, and best regards,
Peter Müller


> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> ---
>   config/kernel/kernel.config.aarch64-ipfire | 15 ++++++++++++++-
>   config/kernel/kernel.config.armv6l-ipfire  | 12 +++++++++++-
>   config/kernel/kernel.config.i586-ipfire    | 16 +++++++++++++++-
>   config/kernel/kernel.config.x86_64-ipfire  | 17 ++++++++++++++++-
>   4 files changed, 56 insertions(+), 4 deletions(-)
> 
> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
> index aa34b64db..49ee85970 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -3422,7 +3422,19 @@ CONFIG_DEVMEM=y
>   CONFIG_RAW_DRIVER=y
>   CONFIG_MAX_RAW_DEVS=8192
>   CONFIG_DEVPORT=y
> -# CONFIG_TCG_TPM is not set
> +CONFIG_TCG_TPM=m
> +CONFIG_HW_RANDOM_TPM=y
> +CONFIG_TCG_TIS_CORE=m
> +CONFIG_TCG_TIS=m
> +CONFIG_TCG_TIS_I2C_ATMEL=m
> +CONFIG_TCG_TIS_I2C_INFINEON=m
> +CONFIG_TCG_TIS_I2C_NUVOTON=m
> +CONFIG_TCG_ATMEL=m
> +CONFIG_TCG_INFINEON=m
> +CONFIG_TCG_CRB=m
> +CONFIG_TCG_VTPM_PROXY=m
> +CONFIG_TCG_TIS_ST33ZP24=m
> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>   # CONFIG_XILLYBUS is not set
>   # end of Character devices
>   
> @@ -7271,6 +7283,7 @@ CONFIG_IO_WQ=y
>   CONFIG_KEYS=y
>   # CONFIG_KEYS_REQUEST_CACHE is not set
>   # CONFIG_PERSISTENT_KEYRINGS is not set
> +# CONFIG_TRUSTED_KEYS is not set
>   # CONFIG_ENCRYPTED_KEYS is not set
>   # CONFIG_KEY_DH_OPERATIONS is not set
>   CONFIG_SECURITY_DMESG_RESTRICT=y
> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
> index 7b82e87df..b11a179e3 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -3463,7 +3463,16 @@ CONFIG_DEVMEM=y
>   CONFIG_RAW_DRIVER=y
>   CONFIG_MAX_RAW_DEVS=8192
>   CONFIG_DEVPORT=y
> -# CONFIG_TCG_TPM is not set
> +CONFIG_TCG_TPM=m
> +CONFIG_HW_RANDOM_TPM=y
> +CONFIG_TCG_TIS_CORE=m
> +CONFIG_TCG_TIS=m
> +CONFIG_TCG_TIS_I2C_ATMEL=m
> +CONFIG_TCG_TIS_I2C_INFINEON=m
> +CONFIG_TCG_TIS_I2C_NUVOTON=m
> +CONFIG_TCG_VTPM_PROXY=m
> +CONFIG_TCG_TIS_ST33ZP24=m
> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>   # CONFIG_XILLYBUS is not set
>   # end of Character devices
>   
> @@ -7366,6 +7375,7 @@ CONFIG_IO_WQ=y
>   CONFIG_KEYS=y
>   # CONFIG_KEYS_REQUEST_CACHE is not set
>   # CONFIG_PERSISTENT_KEYRINGS is not set
> +# CONFIG_TRUSTED_KEYS is not set
>   # CONFIG_ENCRYPTED_KEYS is not set
>   # CONFIG_KEY_DH_OPERATIONS is not set
>   CONFIG_SECURITY_DMESG_RESTRICT=y
> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
> index 90d4ac856..2d7158c96 100644
> --- a/config/kernel/kernel.config.i586-ipfire
> +++ b/config/kernel/kernel.config.i586-ipfire
> @@ -3449,7 +3449,21 @@ CONFIG_DEVPORT=y
>   CONFIG_HPET=y
>   # CONFIG_HPET_MMAP is not set
>   CONFIG_HANGCHECK_TIMER=m
> -# CONFIG_TCG_TPM is not set
> +CONFIG_TCG_TPM=m
> +CONFIG_HW_RANDOM_TPM=y
> +CONFIG_TCG_TIS_CORE=m
> +CONFIG_TCG_TIS=m
> +CONFIG_TCG_TIS_I2C_ATMEL=m
> +CONFIG_TCG_TIS_I2C_INFINEON=m
> +CONFIG_TCG_TIS_I2C_NUVOTON=m
> +CONFIG_TCG_NSC=m
> +CONFIG_TCG_ATMEL=m
> +CONFIG_TCG_INFINEON=m
> +CONFIG_TCG_XEN=m
> +CONFIG_TCG_CRB=m
> +CONFIG_TCG_VTPM_PROXY=m
> +CONFIG_TCG_TIS_ST33ZP24=m
> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>   # CONFIG_TELCLOCK is not set
>   # CONFIG_XILLYBUS is not set
>   # end of Character devices
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index fe93d731c..65014f41a 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -3413,7 +3413,21 @@ CONFIG_DEVPORT=y
>   CONFIG_HPET=y
>   # CONFIG_HPET_MMAP is not set
>   CONFIG_HANGCHECK_TIMER=m
> -# CONFIG_TCG_TPM is not set
> +CONFIG_TCG_TPM=m
> +CONFIG_HW_RANDOM_TPM=y
> +CONFIG_TCG_TIS_CORE=m
> +CONFIG_TCG_TIS=m
> +CONFIG_TCG_TIS_I2C_ATMEL=m
> +CONFIG_TCG_TIS_I2C_INFINEON=m
> +CONFIG_TCG_TIS_I2C_NUVOTON=m
> +CONFIG_TCG_NSC=m
> +CONFIG_TCG_ATMEL=m
> +CONFIG_TCG_INFINEON=m
> +CONFIG_TCG_XEN=m
> +CONFIG_TCG_CRB=m
> +CONFIG_TCG_VTPM_PROXY=m
> +CONFIG_TCG_TIS_ST33ZP24=m
> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>   # CONFIG_TELCLOCK is not set
>   # CONFIG_XILLYBUS is not set
>   # end of Character devices
> @@ -6746,6 +6760,7 @@ CONFIG_IO_WQ=y
>   CONFIG_KEYS=y
>   # CONFIG_KEYS_REQUEST_CACHE is not set
>   # CONFIG_PERSISTENT_KEYRINGS is not set
> +# CONFIG_TRUSTED_KEYS is not set
>   # CONFIG_ENCRYPTED_KEYS is not set
>   # CONFIG_KEY_DH_OPERATIONS is not set
>   CONFIG_SECURITY_DMESG_RESTRICT=y
>
Michael Tremer Sept. 21, 2021, 9:50 a.m. UTC | #2
Hello,

> On 18 Sep 2021, at 17:15, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> Hello Michael,
> hello *,
> 
> just a small comment for the records: As discussed in the last monthly telephone
> conference (https://wiki.ipfire.org/devel/telco/2021-09-06), we will use a TPM only
> for HWRNG purposes. Nothing else will depend on it, as there is nothing relevant
> left to be locked down in IPFire thanks to enforced kernel module signing.

Does anyone have any hardware at hand to verify that this works?

rngd --list should list the TPM device as a potential source.

> So no user needs to worry about introducing TPM support coming with a lack of
> digital sovereignty - that is, if something like this even exits on today's hardware. :-)
> 
> Acked-by: Peter Müller <peter.mueller@ipfire.org>
> 
> Thanks, and best regards,
> Peter Müller
> 
> 
>> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
>> ---
>>  config/kernel/kernel.config.aarch64-ipfire | 15 ++++++++++++++-
>>  config/kernel/kernel.config.armv6l-ipfire  | 12 +++++++++++-
>>  config/kernel/kernel.config.i586-ipfire    | 16 +++++++++++++++-
>>  config/kernel/kernel.config.x86_64-ipfire  | 17 ++++++++++++++++-
>>  4 files changed, 56 insertions(+), 4 deletions(-)
>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
>> index aa34b64db..49ee85970 100644
>> --- a/config/kernel/kernel.config.aarch64-ipfire
>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>> @@ -3422,7 +3422,19 @@ CONFIG_DEVMEM=y
>>  CONFIG_RAW_DRIVER=y
>>  CONFIG_MAX_RAW_DEVS=8192
>>  CONFIG_DEVPORT=y
>> -# CONFIG_TCG_TPM is not set
>> +CONFIG_TCG_TPM=m
>> +CONFIG_HW_RANDOM_TPM=y
>> +CONFIG_TCG_TIS_CORE=m
>> +CONFIG_TCG_TIS=m
>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>> +CONFIG_TCG_ATMEL=m
>> +CONFIG_TCG_INFINEON=m
>> +CONFIG_TCG_CRB=m
>> +CONFIG_TCG_VTPM_PROXY=m
>> +CONFIG_TCG_TIS_ST33ZP24=m
>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>  # CONFIG_XILLYBUS is not set
>>  # end of Character devices
>>  @@ -7271,6 +7283,7 @@ CONFIG_IO_WQ=y
>>  CONFIG_KEYS=y
>>  # CONFIG_KEYS_REQUEST_CACHE is not set
>>  # CONFIG_PERSISTENT_KEYRINGS is not set
>> +# CONFIG_TRUSTED_KEYS is not set
>>  # CONFIG_ENCRYPTED_KEYS is not set
>>  # CONFIG_KEY_DH_OPERATIONS is not set
>>  CONFIG_SECURITY_DMESG_RESTRICT=y
>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
>> index 7b82e87df..b11a179e3 100644
>> --- a/config/kernel/kernel.config.armv6l-ipfire
>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>> @@ -3463,7 +3463,16 @@ CONFIG_DEVMEM=y
>>  CONFIG_RAW_DRIVER=y
>>  CONFIG_MAX_RAW_DEVS=8192
>>  CONFIG_DEVPORT=y
>> -# CONFIG_TCG_TPM is not set
>> +CONFIG_TCG_TPM=m
>> +CONFIG_HW_RANDOM_TPM=y
>> +CONFIG_TCG_TIS_CORE=m
>> +CONFIG_TCG_TIS=m
>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>> +CONFIG_TCG_VTPM_PROXY=m
>> +CONFIG_TCG_TIS_ST33ZP24=m
>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>  # CONFIG_XILLYBUS is not set
>>  # end of Character devices
>>  @@ -7366,6 +7375,7 @@ CONFIG_IO_WQ=y
>>  CONFIG_KEYS=y
>>  # CONFIG_KEYS_REQUEST_CACHE is not set
>>  # CONFIG_PERSISTENT_KEYRINGS is not set
>> +# CONFIG_TRUSTED_KEYS is not set
>>  # CONFIG_ENCRYPTED_KEYS is not set
>>  # CONFIG_KEY_DH_OPERATIONS is not set
>>  CONFIG_SECURITY_DMESG_RESTRICT=y
>> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
>> index 90d4ac856..2d7158c96 100644
>> --- a/config/kernel/kernel.config.i586-ipfire
>> +++ b/config/kernel/kernel.config.i586-ipfire
>> @@ -3449,7 +3449,21 @@ CONFIG_DEVPORT=y
>>  CONFIG_HPET=y
>>  # CONFIG_HPET_MMAP is not set
>>  CONFIG_HANGCHECK_TIMER=m
>> -# CONFIG_TCG_TPM is not set
>> +CONFIG_TCG_TPM=m
>> +CONFIG_HW_RANDOM_TPM=y
>> +CONFIG_TCG_TIS_CORE=m
>> +CONFIG_TCG_TIS=m
>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>> +CONFIG_TCG_NSC=m
>> +CONFIG_TCG_ATMEL=m
>> +CONFIG_TCG_INFINEON=m
>> +CONFIG_TCG_XEN=m
>> +CONFIG_TCG_CRB=m
>> +CONFIG_TCG_VTPM_PROXY=m
>> +CONFIG_TCG_TIS_ST33ZP24=m
>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>  # CONFIG_TELCLOCK is not set
>>  # CONFIG_XILLYBUS is not set
>>  # end of Character devices
>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>> index fe93d731c..65014f41a 100644
>> --- a/config/kernel/kernel.config.x86_64-ipfire
>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>> @@ -3413,7 +3413,21 @@ CONFIG_DEVPORT=y
>>  CONFIG_HPET=y
>>  # CONFIG_HPET_MMAP is not set
>>  CONFIG_HANGCHECK_TIMER=m
>> -# CONFIG_TCG_TPM is not set
>> +CONFIG_TCG_TPM=m
>> +CONFIG_HW_RANDOM_TPM=y
>> +CONFIG_TCG_TIS_CORE=m
>> +CONFIG_TCG_TIS=m
>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>> +CONFIG_TCG_NSC=m
>> +CONFIG_TCG_ATMEL=m
>> +CONFIG_TCG_INFINEON=m
>> +CONFIG_TCG_XEN=m
>> +CONFIG_TCG_CRB=m
>> +CONFIG_TCG_VTPM_PROXY=m
>> +CONFIG_TCG_TIS_ST33ZP24=m
>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>  # CONFIG_TELCLOCK is not set
>>  # CONFIG_XILLYBUS is not set
>>  # end of Character devices
>> @@ -6746,6 +6760,7 @@ CONFIG_IO_WQ=y
>>  CONFIG_KEYS=y
>>  # CONFIG_KEYS_REQUEST_CACHE is not set
>>  # CONFIG_PERSISTENT_KEYRINGS is not set
>> +# CONFIG_TRUSTED_KEYS is not set
>>  # CONFIG_ENCRYPTED_KEYS is not set
>>  # CONFIG_KEY_DH_OPERATIONS is not set
>>  CONFIG_SECURITY_DMESG_RESTRICT=y
Adolf Belka Sept. 21, 2021, 11:40 a.m. UTC | #3
Hi Michael,

On 21/09/2021 11:50, Michael Tremer wrote:
> Hello,
>
>> On 18 Sep 2021, at 17:15, Peter Müller <peter.mueller@ipfire.org> wrote:
>>
>> Hello Michael,
>> hello *,
>>
>> just a small comment for the records: As discussed in the last monthly telephone
>> conference (https://wiki.ipfire.org/devel/telco/2021-09-06), we will use a TPM only
>> for HWRNG purposes. Nothing else will depend on it, as there is nothing relevant
>> left to be locked down in IPFire thanks to enforced kernel module signing.
> Does anyone have any hardware at grabs to verify that this works?
>
> rngd —-list should list the TPM device as a potential source.

On my running system I got the following response to the command:-

Entropy sources that are available but disabled
1: TPM RNG Device (tpm)
4: NIST Network Entropy Beacon (nist)
Available and enabled entropy sources:
2: Intel RDRAND Instruction RNG (rdrand)
Available entropy sources that failed initalization:
0: Hardware RNG Device (hwrng)


and on my VM testbed system I got the same message:-

Entropy sources that are available but disabled
1: TPM RNG Device (tpm)
4: NIST Network Entropy Beacon (nist)
Available and enabled entropy sources:
2: Intel RDRAND Instruction RNG (rdrand)
Available entropy sources that failed initalization:
0: Hardware RNG Device (hwrng)

I suspect that available but disabled means that I would need to turn it on in the bios. Is that a correct assumption?

To test it I presume that I need to copy the changes into the kernel config for the architecture I am using and also need to reboot.

Once I have the changes in place, how do I tell if it is working?

Regards,

Adolf.

>> So no user needs to worry about introducing TPM support coming with a lack of
>> digital sovereignty - that is, if something like this even exits on today's hardware. :-)
>>
>> Acked-by: Peter Müller <peter.mueller@ipfire.org>
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>
>>> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
>>> ---
>>>   config/kernel/kernel.config.aarch64-ipfire | 15 ++++++++++++++-
>>>   config/kernel/kernel.config.armv6l-ipfire  | 12 +++++++++++-
>>>   config/kernel/kernel.config.i586-ipfire    | 16 +++++++++++++++-
>>>   config/kernel/kernel.config.x86_64-ipfire  | 17 ++++++++++++++++-
>>>   4 files changed, 56 insertions(+), 4 deletions(-)
>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
>>> index aa34b64db..49ee85970 100644
>>> --- a/config/kernel/kernel.config.aarch64-ipfire
>>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>>> @@ -3422,7 +3422,19 @@ CONFIG_DEVMEM=y
>>>   CONFIG_RAW_DRIVER=y
>>>   CONFIG_MAX_RAW_DEVS=8192
>>>   CONFIG_DEVPORT=y
>>> -# CONFIG_TCG_TPM is not set
>>> +CONFIG_TCG_TPM=m
>>> +CONFIG_HW_RANDOM_TPM=y
>>> +CONFIG_TCG_TIS_CORE=m
>>> +CONFIG_TCG_TIS=m
>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>> +CONFIG_TCG_ATMEL=m
>>> +CONFIG_TCG_INFINEON=m
>>> +CONFIG_TCG_CRB=m
>>> +CONFIG_TCG_VTPM_PROXY=m
>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>   # CONFIG_XILLYBUS is not set
>>>   # end of Character devices
>>>   @@ -7271,6 +7283,7 @@ CONFIG_IO_WQ=y
>>>   CONFIG_KEYS=y
>>>   # CONFIG_KEYS_REQUEST_CACHE is not set
>>>   # CONFIG_PERSISTENT_KEYRINGS is not set
>>> +# CONFIG_TRUSTED_KEYS is not set
>>>   # CONFIG_ENCRYPTED_KEYS is not set
>>>   # CONFIG_KEY_DH_OPERATIONS is not set
>>>   CONFIG_SECURITY_DMESG_RESTRICT=y
>>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
>>> index 7b82e87df..b11a179e3 100644
>>> --- a/config/kernel/kernel.config.armv6l-ipfire
>>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>>> @@ -3463,7 +3463,16 @@ CONFIG_DEVMEM=y
>>>   CONFIG_RAW_DRIVER=y
>>>   CONFIG_MAX_RAW_DEVS=8192
>>>   CONFIG_DEVPORT=y
>>> -# CONFIG_TCG_TPM is not set
>>> +CONFIG_TCG_TPM=m
>>> +CONFIG_HW_RANDOM_TPM=y
>>> +CONFIG_TCG_TIS_CORE=m
>>> +CONFIG_TCG_TIS=m
>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>> +CONFIG_TCG_VTPM_PROXY=m
>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>   # CONFIG_XILLYBUS is not set
>>>   # end of Character devices
>>>   @@ -7366,6 +7375,7 @@ CONFIG_IO_WQ=y
>>>   CONFIG_KEYS=y
>>>   # CONFIG_KEYS_REQUEST_CACHE is not set
>>>   # CONFIG_PERSISTENT_KEYRINGS is not set
>>> +# CONFIG_TRUSTED_KEYS is not set
>>>   # CONFIG_ENCRYPTED_KEYS is not set
>>>   # CONFIG_KEY_DH_OPERATIONS is not set
>>>   CONFIG_SECURITY_DMESG_RESTRICT=y
>>> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
>>> index 90d4ac856..2d7158c96 100644
>>> --- a/config/kernel/kernel.config.i586-ipfire
>>> +++ b/config/kernel/kernel.config.i586-ipfire
>>> @@ -3449,7 +3449,21 @@ CONFIG_DEVPORT=y
>>>   CONFIG_HPET=y
>>>   # CONFIG_HPET_MMAP is not set
>>>   CONFIG_HANGCHECK_TIMER=m
>>> -# CONFIG_TCG_TPM is not set
>>> +CONFIG_TCG_TPM=m
>>> +CONFIG_HW_RANDOM_TPM=y
>>> +CONFIG_TCG_TIS_CORE=m
>>> +CONFIG_TCG_TIS=m
>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>> +CONFIG_TCG_NSC=m
>>> +CONFIG_TCG_ATMEL=m
>>> +CONFIG_TCG_INFINEON=m
>>> +CONFIG_TCG_XEN=m
>>> +CONFIG_TCG_CRB=m
>>> +CONFIG_TCG_VTPM_PROXY=m
>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>   # CONFIG_TELCLOCK is not set
>>>   # CONFIG_XILLYBUS is not set
>>>   # end of Character devices
>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>>> index fe93d731c..65014f41a 100644
>>> --- a/config/kernel/kernel.config.x86_64-ipfire
>>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>>> @@ -3413,7 +3413,21 @@ CONFIG_DEVPORT=y
>>>   CONFIG_HPET=y
>>>   # CONFIG_HPET_MMAP is not set
>>>   CONFIG_HANGCHECK_TIMER=m
>>> -# CONFIG_TCG_TPM is not set
>>> +CONFIG_TCG_TPM=m
>>> +CONFIG_HW_RANDOM_TPM=y
>>> +CONFIG_TCG_TIS_CORE=m
>>> +CONFIG_TCG_TIS=m
>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>> +CONFIG_TCG_NSC=m
>>> +CONFIG_TCG_ATMEL=m
>>> +CONFIG_TCG_INFINEON=m
>>> +CONFIG_TCG_XEN=m
>>> +CONFIG_TCG_CRB=m
>>> +CONFIG_TCG_VTPM_PROXY=m
>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>   # CONFIG_TELCLOCK is not set
>>>   # CONFIG_XILLYBUS is not set
>>>   # end of Character devices
>>> @@ -6746,6 +6760,7 @@ CONFIG_IO_WQ=y
>>>   CONFIG_KEYS=y
>>>   # CONFIG_KEYS_REQUEST_CACHE is not set
>>>   # CONFIG_PERSISTENT_KEYRINGS is not set
>>> +# CONFIG_TRUSTED_KEYS is not set
>>>   # CONFIG_ENCRYPTED_KEYS is not set
>>>   # CONFIG_KEY_DH_OPERATIONS is not set
>>>   CONFIG_SECURITY_DMESG_RESTRICT=y
Adolf Belka Sept. 21, 2021, 12:31 p.m. UTC | #4
Hi Michael,

After a bit more searching around I don't think I have TPM capability on my systems.

Regards,

Adolf.

On 21/09/2021 13:40, Adolf Belka wrote:
> Hi Michael,
>
> On 21/09/2021 11:50, Michael Tremer wrote:
>> Hello,
>>
>>> On 18 Sep 2021, at 17:15, Peter Müller <peter.mueller@ipfire.org> wrote:
>>>
>>> Hello Michael,
>>> hello *,
>>>
>>> just a small comment for the records: As discussed in the last monthly telephone
>>> conference (https://wiki.ipfire.org/devel/telco/2021-09-06), we will use a TPM only
>>> for HWRNG purposes. Nothing else will depend on it, as there is nothing relevant
>>> left to be locked down in IPFire thanks to enforced kernel module signing.
>> Does anyone have any hardware at grabs to verify that this works?
>>
>> rngd —-list should list the TPM device as a potential source.
>
> On my running system I got the following response to the command:-
>
> Entropy sources that are available but disabled
> 1: TPM RNG Device (tpm)
> 4: NIST Network Entropy Beacon (nist)
> Available and enabled entropy sources:
> 2: Intel RDRAND Instruction RNG (rdrand)
> Available entropy sources that failed initalization:
> 0: Hardware RNG Device (hwrng)
>
>
> and on my VM testbed system I got the same message:-
>
> Entropy sources that are available but disabled
> 1: TPM RNG Device (tpm)
> 4: NIST Network Entropy Beacon (nist)
> Available and enabled entropy sources:
> 2: Intel RDRAND Instruction RNG (rdrand)
> Available entropy sources that failed initalization:
> 0: Hardware RNG Device (hwrng)
>
> I suspect that available but disabled means that I would need to turn it on in the bios. Is that a correct assumption?
>
> To test it I presume that I need to copy the changes into the kernel config for the architecture I am using and also need to reboot.
>
> Once I have the changers in place how do I tell if it is working?
>
> Regards,
>
> Adolf.
>
>>> So no user needs to worry about introducing TPM support coming with a lack of
>>> digital sovereignty - that is, if something like this even exits on today's hardware. :-)
>>>
>>> Acked-by: Peter Müller <peter.mueller@ipfire.org>
>>>
>>> Thanks, and best regards,
>>> Peter Müller
>>>
>>>
>>>> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
>>>> ---
>>>>   config/kernel/kernel.config.aarch64-ipfire | 15 ++++++++++++++-
>>>>   config/kernel/kernel.config.armv6l-ipfire  | 12 +++++++++++-
>>>>   config/kernel/kernel.config.i586-ipfire    | 16 +++++++++++++++-
>>>>   config/kernel/kernel.config.x86_64-ipfire  | 17 ++++++++++++++++-
>>>>   4 files changed, 56 insertions(+), 4 deletions(-)
>>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
>>>> index aa34b64db..49ee85970 100644
>>>> --- a/config/kernel/kernel.config.aarch64-ipfire
>>>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>>>> @@ -3422,7 +3422,19 @@ CONFIG_DEVMEM=y
>>>>   CONFIG_RAW_DRIVER=y
>>>>   CONFIG_MAX_RAW_DEVS=8192
>>>>   CONFIG_DEVPORT=y
>>>> -# CONFIG_TCG_TPM is not set
>>>> +CONFIG_TCG_TPM=m
>>>> +CONFIG_HW_RANDOM_TPM=y
>>>> +CONFIG_TCG_TIS_CORE=m
>>>> +CONFIG_TCG_TIS=m
>>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>>> +CONFIG_TCG_ATMEL=m
>>>> +CONFIG_TCG_INFINEON=m
>>>> +CONFIG_TCG_CRB=m
>>>> +CONFIG_TCG_VTPM_PROXY=m
>>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>>   # CONFIG_XILLYBUS is not set
>>>>   # end of Character devices
>>>>   @@ -7271,6 +7283,7 @@ CONFIG_IO_WQ=y
>>>>   CONFIG_KEYS=y
>>>>   # CONFIG_KEYS_REQUEST_CACHE is not set
>>>>   # CONFIG_PERSISTENT_KEYRINGS is not set
>>>> +# CONFIG_TRUSTED_KEYS is not set
>>>>   # CONFIG_ENCRYPTED_KEYS is not set
>>>>   # CONFIG_KEY_DH_OPERATIONS is not set
>>>>   CONFIG_SECURITY_DMESG_RESTRICT=y
>>>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
>>>> index 7b82e87df..b11a179e3 100644
>>>> --- a/config/kernel/kernel.config.armv6l-ipfire
>>>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>>>> @@ -3463,7 +3463,16 @@ CONFIG_DEVMEM=y
>>>>   CONFIG_RAW_DRIVER=y
>>>>   CONFIG_MAX_RAW_DEVS=8192
>>>>   CONFIG_DEVPORT=y
>>>> -# CONFIG_TCG_TPM is not set
>>>> +CONFIG_TCG_TPM=m
>>>> +CONFIG_HW_RANDOM_TPM=y
>>>> +CONFIG_TCG_TIS_CORE=m
>>>> +CONFIG_TCG_TIS=m
>>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>>> +CONFIG_TCG_VTPM_PROXY=m
>>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>>   # CONFIG_XILLYBUS is not set
>>>>   # end of Character devices
>>>>   @@ -7366,6 +7375,7 @@ CONFIG_IO_WQ=y
>>>>   CONFIG_KEYS=y
>>>>   # CONFIG_KEYS_REQUEST_CACHE is not set
>>>>   # CONFIG_PERSISTENT_KEYRINGS is not set
>>>> +# CONFIG_TRUSTED_KEYS is not set
>>>>   # CONFIG_ENCRYPTED_KEYS is not set
>>>>   # CONFIG_KEY_DH_OPERATIONS is not set
>>>>   CONFIG_SECURITY_DMESG_RESTRICT=y
>>>> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
>>>> index 90d4ac856..2d7158c96 100644
>>>> --- a/config/kernel/kernel.config.i586-ipfire
>>>> +++ b/config/kernel/kernel.config.i586-ipfire
>>>> @@ -3449,7 +3449,21 @@ CONFIG_DEVPORT=y
>>>>   CONFIG_HPET=y
>>>>   # CONFIG_HPET_MMAP is not set
>>>>   CONFIG_HANGCHECK_TIMER=m
>>>> -# CONFIG_TCG_TPM is not set
>>>> +CONFIG_TCG_TPM=m
>>>> +CONFIG_HW_RANDOM_TPM=y
>>>> +CONFIG_TCG_TIS_CORE=m
>>>> +CONFIG_TCG_TIS=m
>>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>>> +CONFIG_TCG_NSC=m
>>>> +CONFIG_TCG_ATMEL=m
>>>> +CONFIG_TCG_INFINEON=m
>>>> +CONFIG_TCG_XEN=m
>>>> +CONFIG_TCG_CRB=m
>>>> +CONFIG_TCG_VTPM_PROXY=m
>>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>>   # CONFIG_TELCLOCK is not set
>>>>   # CONFIG_XILLYBUS is not set
>>>>   # end of Character devices
>>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>>>> index fe93d731c..65014f41a 100644
>>>> --- a/config/kernel/kernel.config.x86_64-ipfire
>>>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>>>> @@ -3413,7 +3413,21 @@ CONFIG_DEVPORT=y
>>>>   CONFIG_HPET=y
>>>>   # CONFIG_HPET_MMAP is not set
>>>>   CONFIG_HANGCHECK_TIMER=m
>>>> -# CONFIG_TCG_TPM is not set
>>>> +CONFIG_TCG_TPM=m
>>>> +CONFIG_HW_RANDOM_TPM=y
>>>> +CONFIG_TCG_TIS_CORE=m
>>>> +CONFIG_TCG_TIS=m
>>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>>> +CONFIG_TCG_NSC=m
>>>> +CONFIG_TCG_ATMEL=m
>>>> +CONFIG_TCG_INFINEON=m
>>>> +CONFIG_TCG_XEN=m
>>>> +CONFIG_TCG_CRB=m
>>>> +CONFIG_TCG_VTPM_PROXY=m
>>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>>   # CONFIG_TELCLOCK is not set
>>>>   # CONFIG_XILLYBUS is not set
>>>>   # end of Character devices
>>>> @@ -6746,6 +6760,7 @@ CONFIG_IO_WQ=y
>>>>   CONFIG_KEYS=y
>>>>   # CONFIG_KEYS_REQUEST_CACHE is not set
>>>>   # CONFIG_PERSISTENT_KEYRINGS is not set
>>>> +# CONFIG_TRUSTED_KEYS is not set
>>>>   # CONFIG_ENCRYPTED_KEYS is not set
>>>>   # CONFIG_KEY_DH_OPERATIONS is not set
>>>>   CONFIG_SECURITY_DMESG_RESTRICT=y
Michael Tremer Oct. 1, 2021, 5:25 p.m. UTC | #5
Hello,

I gave this a go on an IPFire Business Appliance:

[root@fw01 ~]# rngd -x 2 -x 0 -n 1 --test
Note, reference of entropy sources by index is deprecated, use entropy source short name instead
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Note, reference of entropy sources by index is deprecated, use entropy source short name instead
Disabling 0: Hardware RNG Device (hwrng)
Note, reference of entropy sources by index is deprecated, use entropy source short name instead
Enabling 1: TPM RNG Device (tpm)
Initializing available sources
[tpm   ]: The TPM entropy source only supports TPM1.2 hardware and is deprecated.  TPM2.0 and later hardware exports entropy via /dev/hwrng, which can be collected via the hwrng entropy source in rngd
[tpm   ]: Initialization Failed
can't open any entropy sourceMaybe RNG device modules are not loaded

So if the kernel is exporting this correctly, the default configuration of rngd will use the TPM:

[root@fw01 ~]# rngd --list
Entropy sources that are available but disabled
1: TPM RNG Device (tpm)
4: NIST Network Entropy Beacon (nist)
Available and enabled entropy sources:
2: Intel RDRAND Instruction RNG (rdrand)
Available entropy sources that failed initalization:
0: Hardware RNG Device (hwrng)

This one is running the production kernel, but as soon as the kernel makes /dev/hwrng available, we should be fine.

Best,
-Michael

> On 21 Sep 2021, at 13:31, Adolf Belka <adolf.belka@ipfire.org> wrote:
> 
> Hi Michael,
> 
> After a bit more searching around I don't think I have TPM capability on my systems.
> 
> Regards,
> 
> Adolf.
> 
> On 21/09/2021 13:40, Adolf Belka wrote:
>> Hi Michael,
>> 
>> On 21/09/2021 11:50, Michael Tremer wrote:
>>> Hello,
>>> 
>>>> On 18 Sep 2021, at 17:15, Peter Müller <peter.mueller@ipfire.org> wrote:
>>>> 
>>>> Hello Michael,
>>>> hello *,
>>>> 
>>>> just a small comment for the records: As discussed in the last monthly telephone
>>>> conference (https://wiki.ipfire.org/devel/telco/2021-09-06), we will use a TPM only
>>>> for HWRNG purposes. Nothing else will depend on it, as there is nothing relevant
>>>> left to be locked down in IPFire thanks to enforced kernel module signing.
>>> Does anyone have any hardware at grabs to verify that this works?
>>> 
>>> rngd —-list should list the TPM device as a potential source.
>> 
>> On my running system I got the following response to the command:-
>> 
>> Entropy sources that are available but disabled
>> 1: TPM RNG Device (tpm)
>> 4: NIST Network Entropy Beacon (nist)
>> Available and enabled entropy sources:
>> 2: Intel RDRAND Instruction RNG (rdrand)
>> Available entropy sources that failed initalization:
>> 0: Hardware RNG Device (hwrng)
>> 
>> 
>> and on my VM testbed system I got the same message:-
>> 
>> Entropy sources that are available but disabled
>> 1: TPM RNG Device (tpm)
>> 4: NIST Network Entropy Beacon (nist)
>> Available and enabled entropy sources:
>> 2: Intel RDRAND Instruction RNG (rdrand)
>> Available entropy sources that failed initalization:
>> 0: Hardware RNG Device (hwrng)
>> 
>> I suspect that available but disabled means that I would need to turn it on in the bios. Is that a correct assumption?
>> 
>> To test it I presume that I need to copy the changes into the kernel config for the architecture I am using and also need to reboot.
>> 
>> Once I have the changers in place how do I tell if it is working?
>> 
>> Regards,
>> 
>> Adolf.
>> 
>>>> So no user needs to worry about introducing TPM support coming with a lack of
>>>> digital sovereignty - that is, if something like this even exits on today's hardware. :-)
>>>> 
>>>> Acked-by: Peter Müller <peter.mueller@ipfire.org>
>>>> 
>>>> Thanks, and best regards,
>>>> Peter Müller
>>>> 
>>>> 
>>>>> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
>>>>> ---
>>>>>   config/kernel/kernel.config.aarch64-ipfire | 15 ++++++++++++++-
>>>>>   config/kernel/kernel.config.armv6l-ipfire  | 12 +++++++++++-
>>>>>   config/kernel/kernel.config.i586-ipfire    | 16 +++++++++++++++-
>>>>>   config/kernel/kernel.config.x86_64-ipfire  | 17 ++++++++++++++++-
>>>>>   4 files changed, 56 insertions(+), 4 deletions(-)
>>>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
>>>>> index aa34b64db..49ee85970 100644
>>>>> --- a/config/kernel/kernel.config.aarch64-ipfire
>>>>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>>>>> @@ -3422,7 +3422,19 @@ CONFIG_DEVMEM=y
>>>>>   CONFIG_RAW_DRIVER=y
>>>>>   CONFIG_MAX_RAW_DEVS=8192
>>>>>   CONFIG_DEVPORT=y
>>>>> -# CONFIG_TCG_TPM is not set
>>>>> +CONFIG_TCG_TPM=m
>>>>> +CONFIG_HW_RANDOM_TPM=y
>>>>> +CONFIG_TCG_TIS_CORE=m
>>>>> +CONFIG_TCG_TIS=m
>>>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>>>> +CONFIG_TCG_ATMEL=m
>>>>> +CONFIG_TCG_INFINEON=m
>>>>> +CONFIG_TCG_CRB=m
>>>>> +CONFIG_TCG_VTPM_PROXY=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>>>   # CONFIG_XILLYBUS is not set
>>>>>   # end of Character devices
>>>>>   @@ -7271,6 +7283,7 @@ CONFIG_IO_WQ=y
>>>>>   CONFIG_KEYS=y
>>>>>   # CONFIG_KEYS_REQUEST_CACHE is not set
>>>>>   # CONFIG_PERSISTENT_KEYRINGS is not set
>>>>> +# CONFIG_TRUSTED_KEYS is not set
>>>>>   # CONFIG_ENCRYPTED_KEYS is not set
>>>>>   # CONFIG_KEY_DH_OPERATIONS is not set
>>>>>   CONFIG_SECURITY_DMESG_RESTRICT=y
>>>>> diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
>>>>> index 7b82e87df..b11a179e3 100644
>>>>> --- a/config/kernel/kernel.config.armv6l-ipfire
>>>>> +++ b/config/kernel/kernel.config.armv6l-ipfire
>>>>> @@ -3463,7 +3463,16 @@ CONFIG_DEVMEM=y
>>>>>   CONFIG_RAW_DRIVER=y
>>>>>   CONFIG_MAX_RAW_DEVS=8192
>>>>>   CONFIG_DEVPORT=y
>>>>> -# CONFIG_TCG_TPM is not set
>>>>> +CONFIG_TCG_TPM=m
>>>>> +CONFIG_HW_RANDOM_TPM=y
>>>>> +CONFIG_TCG_TIS_CORE=m
>>>>> +CONFIG_TCG_TIS=m
>>>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>>>> +CONFIG_TCG_VTPM_PROXY=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>>>   # CONFIG_XILLYBUS is not set
>>>>>   # end of Character devices
>>>>>   @@ -7366,6 +7375,7 @@ CONFIG_IO_WQ=y
>>>>>   CONFIG_KEYS=y
>>>>>   # CONFIG_KEYS_REQUEST_CACHE is not set
>>>>>   # CONFIG_PERSISTENT_KEYRINGS is not set
>>>>> +# CONFIG_TRUSTED_KEYS is not set
>>>>>   # CONFIG_ENCRYPTED_KEYS is not set
>>>>>   # CONFIG_KEY_DH_OPERATIONS is not set
>>>>>   CONFIG_SECURITY_DMESG_RESTRICT=y
>>>>> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
>>>>> index 90d4ac856..2d7158c96 100644
>>>>> --- a/config/kernel/kernel.config.i586-ipfire
>>>>> +++ b/config/kernel/kernel.config.i586-ipfire
>>>>> @@ -3449,7 +3449,21 @@ CONFIG_DEVPORT=y
>>>>>   CONFIG_HPET=y
>>>>>   # CONFIG_HPET_MMAP is not set
>>>>>   CONFIG_HANGCHECK_TIMER=m
>>>>> -# CONFIG_TCG_TPM is not set
>>>>> +CONFIG_TCG_TPM=m
>>>>> +CONFIG_HW_RANDOM_TPM=y
>>>>> +CONFIG_TCG_TIS_CORE=m
>>>>> +CONFIG_TCG_TIS=m
>>>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>>>> +CONFIG_TCG_NSC=m
>>>>> +CONFIG_TCG_ATMEL=m
>>>>> +CONFIG_TCG_INFINEON=m
>>>>> +CONFIG_TCG_XEN=m
>>>>> +CONFIG_TCG_CRB=m
>>>>> +CONFIG_TCG_VTPM_PROXY=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>>>   # CONFIG_TELCLOCK is not set
>>>>>   # CONFIG_XILLYBUS is not set
>>>>>   # end of Character devices
>>>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>>>>> index fe93d731c..65014f41a 100644
>>>>> --- a/config/kernel/kernel.config.x86_64-ipfire
>>>>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>>>>> @@ -3413,7 +3413,21 @@ CONFIG_DEVPORT=y
>>>>>   CONFIG_HPET=y
>>>>>   # CONFIG_HPET_MMAP is not set
>>>>>   CONFIG_HANGCHECK_TIMER=m
>>>>> -# CONFIG_TCG_TPM is not set
>>>>> +CONFIG_TCG_TPM=m
>>>>> +CONFIG_HW_RANDOM_TPM=y
>>>>> +CONFIG_TCG_TIS_CORE=m
>>>>> +CONFIG_TCG_TIS=m
>>>>> +CONFIG_TCG_TIS_I2C_ATMEL=m
>>>>> +CONFIG_TCG_TIS_I2C_INFINEON=m
>>>>> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>>>>> +CONFIG_TCG_NSC=m
>>>>> +CONFIG_TCG_ATMEL=m
>>>>> +CONFIG_TCG_INFINEON=m
>>>>> +CONFIG_TCG_XEN=m
>>>>> +CONFIG_TCG_CRB=m
>>>>> +CONFIG_TCG_VTPM_PROXY=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24=m
>>>>> +CONFIG_TCG_TIS_ST33ZP24_I2C=m
>>>>>   # CONFIG_TELCLOCK is not set
>>>>>   # CONFIG_XILLYBUS is not set
>>>>>   # end of Character devices
>>>>> @@ -6746,6 +6760,7 @@ CONFIG_IO_WQ=y
>>>>>   CONFIG_KEYS=y
>>>>>   # CONFIG_KEYS_REQUEST_CACHE is not set
>>>>>   # CONFIG_PERSISTENT_KEYRINGS is not set
>>>>> +# CONFIG_TRUSTED_KEYS is not set
>>>>>   # CONFIG_ENCRYPTED_KEYS is not set
>>>>>   # CONFIG_KEY_DH_OPERATIONS is not set
>>>>>   CONFIG_SECURITY_DMESG_RESTRICT=y

Patch

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index aa34b64db..49ee85970 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -3422,7 +3422,19 @@  CONFIG_DEVMEM=y
 CONFIG_RAW_DRIVER=y
 CONFIG_MAX_RAW_DEVS=8192
 CONFIG_DEVPORT=y
-# CONFIG_TCG_TPM is not set
+CONFIG_TCG_TPM=m
+CONFIG_HW_RANDOM_TPM=y
+CONFIG_TCG_TIS_CORE=m
+CONFIG_TCG_TIS=m
+CONFIG_TCG_TIS_I2C_ATMEL=m
+CONFIG_TCG_TIS_I2C_INFINEON=m
+CONFIG_TCG_TIS_I2C_NUVOTON=m
+CONFIG_TCG_ATMEL=m
+CONFIG_TCG_INFINEON=m
+CONFIG_TCG_CRB=m
+CONFIG_TCG_VTPM_PROXY=m
+CONFIG_TCG_TIS_ST33ZP24=m
+CONFIG_TCG_TIS_ST33ZP24_I2C=m
 # CONFIG_XILLYBUS is not set
 # end of Character devices
 
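Review bot: `CONFIG_HW_RANDOM_TPM=y` is layered on `CONFIG_TCG_TPM=m` and modular interface drivers, so the TPM can only register as a hardware RNG after those modules load, which is later than the early-boot phase where extra entropy matters most. The armv6l, i586 and x86_64 hunks use the same combination. If early seeding is the goal, consider `CONFIG_TCG_TPM=y` with the relevant interface driver built in on the platforms where that is practical. It is also worth confirming that something actually consumes the hwrng device, since depending on the kernel version the hwrng core may not feed the pool from a source that reports no quality. The commit message has no body, so a line such as `TPM is enabled as an entropy source only; trusted keys stay disabled` would keep the rationale from the review thread with the change.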
@@ -7271,6 +7283,7 @@  CONFIG_IO_WQ=y
 CONFIG_KEYS=y
 # CONFIG_KEYS_REQUEST_CACHE is not set
 # CONFIG_PERSISTENT_KEYRINGS is not set
+# CONFIG_TRUSTED_KEYS is not set
 # CONFIG_ENCRYPTED_KEYS is not set
 # CONFIG_KEY_DH_OPERATIONS is not set
 CONFIG_SECURITY_DMESG_RESTRICT=y
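Review bot: The i586 section of this patch has no counterpart to the `# CONFIG_TRUSTED_KEYS is not set` line added here and in the armv6l and x86_64 key-management hunks, although it enables `CONFIG_TCG_TPM=m` like the others. The resulting i586 build is probably the same, but that cannot be confirmed from the hunks shown. If `CONFIG_KEYS` is enabled on i586, adding `# CONFIG_TRUSTED_KEYS is not set` there would keep the four configs consistent and make the decision that nothing else depends on the TPM explicit on every architecture.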
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index 7b82e87df..b11a179e3 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -3463,7 +3463,16 @@  CONFIG_DEVMEM=y
 CONFIG_RAW_DRIVER=y
 CONFIG_MAX_RAW_DEVS=8192
 CONFIG_DEVPORT=y
-# CONFIG_TCG_TPM is not set
+CONFIG_TCG_TPM=m
+CONFIG_HW_RANDOM_TPM=y
+CONFIG_TCG_TIS_CORE=m
+CONFIG_TCG_TIS=m
+CONFIG_TCG_TIS_I2C_ATMEL=m
+CONFIG_TCG_TIS_I2C_INFINEON=m
+CONFIG_TCG_TIS_I2C_NUVOTON=m
+CONFIG_TCG_VTPM_PROXY=m
+CONFIG_TCG_TIS_ST33ZP24=m
+CONFIG_TCG_TIS_ST33ZP24_I2C=m
 # CONFIG_XILLYBUS is not set
 # end of Character devices
 
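Review bot: `CONFIG_TCG_VTPM_PROXY=m` goes beyond the HWRNG-only use described in the review thread. It builds the proxy for a userspace-emulated TPM rather than a driver for a hardware chip, so it adds kernel code without adding a hardware entropy source. It is enabled in all four configs (aarch64, i586 and x86_64 as well). Unless a vTPM use case is planned, `# CONFIG_TCG_VTPM_PROXY is not set` would keep the enabled surface limited to real TPM interfaces.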
@@ -7366,6 +7375,7 @@  CONFIG_IO_WQ=y
 CONFIG_KEYS=y
 # CONFIG_KEYS_REQUEST_CACHE is not set
 # CONFIG_PERSISTENT_KEYRINGS is not set
+# CONFIG_TRUSTED_KEYS is not set
 # CONFIG_ENCRYPTED_KEYS is not set
 # CONFIG_KEY_DH_OPERATIONS is not set
 CONFIG_SECURITY_DMESG_RESTRICT=y
diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
index 90d4ac856..2d7158c96 100644
--- a/config/kernel/kernel.config.i586-ipfire
+++ b/config/kernel/kernel.config.i586-ipfire
@@ -3449,7 +3449,21 @@  CONFIG_DEVPORT=y
 CONFIG_HPET=y
 # CONFIG_HPET_MMAP is not set
 CONFIG_HANGCHECK_TIMER=m
-# CONFIG_TCG_TPM is not set
+CONFIG_TCG_TPM=m
+CONFIG_HW_RANDOM_TPM=y
+CONFIG_TCG_TIS_CORE=m
+CONFIG_TCG_TIS=m
+CONFIG_TCG_TIS_I2C_ATMEL=m
+CONFIG_TCG_TIS_I2C_INFINEON=m
+CONFIG_TCG_TIS_I2C_NUVOTON=m
+CONFIG_TCG_NSC=m
+CONFIG_TCG_ATMEL=m
+CONFIG_TCG_INFINEON=m
+CONFIG_TCG_XEN=m
+CONFIG_TCG_CRB=m
+CONFIG_TCG_VTPM_PROXY=m
+CONFIG_TCG_TIS_ST33ZP24=m
+CONFIG_TCG_TIS_ST33ZP24_I2C=m
 # CONFIG_TELCLOCK is not set
 # CONFIG_XILLYBUS is not set
 # end of Character devices
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index fe93d731c..65014f41a 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -3413,7 +3413,21 @@  CONFIG_DEVPORT=y
 CONFIG_HPET=y
 # CONFIG_HPET_MMAP is not set
 CONFIG_HANGCHECK_TIMER=m
-# CONFIG_TCG_TPM is not set
+CONFIG_TCG_TPM=m
+CONFIG_HW_RANDOM_TPM=y
+CONFIG_TCG_TIS_CORE=m
+CONFIG_TCG_TIS=m
+CONFIG_TCG_TIS_I2C_ATMEL=m
+CONFIG_TCG_TIS_I2C_INFINEON=m
+CONFIG_TCG_TIS_I2C_NUVOTON=m
+CONFIG_TCG_NSC=m
+CONFIG_TCG_ATMEL=m
+CONFIG_TCG_INFINEON=m
+CONFIG_TCG_XEN=m
+CONFIG_TCG_CRB=m
+CONFIG_TCG_VTPM_PROXY=m
+CONFIG_TCG_TIS_ST33ZP24=m
+CONFIG_TCG_TIS_ST33ZP24_I2C=m
 # CONFIG_TELCLOCK is not set
 # CONFIG_XILLYBUS is not set
 # end of Character devices
@@ -6746,6 +6760,7 @@  CONFIG_IO_WQ=y
 CONFIG_KEYS=y
 # CONFIG_KEYS_REQUEST_CACHE is not set
 # CONFIG_PERSISTENT_KEYRINGS is not set
+# CONFIG_TRUSTED_KEYS is not set
 # CONFIG_ENCRYPTED_KEYS is not set
 # CONFIG_KEY_DH_OPERATIONS is not set
 CONFIG_SECURITY_DMESG_RESTRICT=y