Uprev tpm2 tools/tss

[shahs-ais]

These changes align with the tpm2 recipe versions used in meta-security, along with tpm2 script modifications corresponding to these new versions.

[shahs-ais]

The changes in commit 8da6c75 are a copy-paste from meta-security (see commit message) while the others are my modifications

[dpsmith]

HUGE stop right there. A much bigger discussion must be had about reverting/downgrading to rsa from ecc.

[shahs-ais]

HUGE stop right there. A much bigger discussion must be had about reverting/downgrading to rsa from ecc.

It was originally using RSA - I had updated it to ECC with my initial change as it improved the timing of taking TPM ownership, but Chris and I agreed offline that it would have to be revealuated later and I should revert it to RSA for now

[crogers1]

Few comments from me. The other thing I'm interested in is if forward sealing worked with the library and API updates. Forward sealing is important because when upgrading the platform, we don't need to boot into an untrusted state to generate a new set of measurements.

seal-system -f

[crogers1]

The only downside here is this brings in all the files in both tpm2-tools and tpm2-tss which greatly increases the size of initrd. The early initramfs only needs to be able to list the pcrs and extend pcr 15. I still think it's worthwhile to define tpm2-tools-initrd and only include the two binaries we need. If we have to eventually .bbappend the tpm2-tools recipe in the future if we incorporate meta-security, that costs virtually nothing.

[dpsmith]

i would recommend naming the package tpm2-tools-pcr, and later we can add any other pcr related utils in it that we might need.

[jandryuk]

I'm pretty sure I got forward seal working here: https://github.com/jandryuk/xenclient-oe/commits/tpm-funcs-5.5/

…

On Fri, Jun 27, 2025, 2:11 PM Chris Rogers ***@***.***> wrote: ***@***.**** requested changes on this pull request. Few comments from me. The other thing I'm interested in is if forward sealing worked with the library and API updates. Forward sealing is important because when upgrading the platform, we don't need to boot into an untrusted state to generate a new set of measurements. seal-system -f ------------------------------ In recipes-core/initrdscripts/initramfs-framework_%.bbappend <#1502 (comment)>: > @@ -57,7 +57,7 @@ RDEPENDS_initramfs-module-tpm = "${PN}-base initramfs-module-bootfs tpm-tools-sa FILES_initramfs-module-tpm = "/init.d/92-tpm" SUMMARY_initramfs-module-tpm2 = "initramfs support for tpm2" -RDEPENDS_initramfs-module-tpm2 = "${PN}-base initramfs-module-bootfs tpm2-tools-initrd" +RDEPENDS_initramfs-module-tpm2 = "${PN}-base initramfs-module-bootfs tpm2-tools tpm2-tss" The only downside here is this brings in all the files in both tpm2-tools and tpm2-tss which greatly increases the size of initrd. The early initramfs only needs to be able to list the pcrs and extend pcr 15. I still think it's worthwhile to define tpm2-tools-initrd and only include the two binaries we need. If we have to eventually .bbappend the tpm2-tools recipe in the future if we incorporate meta-security, that costs virtually nothing. ------------------------------ In recipes-openxt/xenclient-tpm-scripts/xenclient-tpm-scripts/tpm-functions <#1502 (comment)>: > ret=$? - [ ${ret} -ne 0 ] && echo ${err} && return ${ret} + rm -f ${h_ctx} The h_ctx is new with the API changes I'm guessing? Can the filepath for it be under /tmp instead of wherever this shell is executing? ------------------------------ In recipes-openxt/xenclient-tpm-scripts/xenclient-tpm-scripts/tpm-functions <#1502 (comment)>: > awk -F: '/size:/ { print $2 }' | \ tr -d ' ' ) - # Read the current contents into a temp file. - # tpm2_nvread could fail, and this ends up being a big pipeline to - # create an empty file, but that is fine for below. - tpm2_nvread -x "${tboot_idx}" -a "${TPM_RH_OWNER}" -P "${password}" \ - -s "${size}" -o 0 2>/dev/null \ - | tail -n 1 | tr -d ' ' | hex2bin > "${old_policy}" + # Read the current contents into a temp file. + # tpm2_nvread could fail, and this ends up being a big pipeline to + # create an empty file, but that is fine for below. + tpm2_nvread "${tboot_idx}" -C "${TPM_RH_OWNER}" -P "${password}" \ + -s "${size}" -o "${old_policy}" || true I would continue to direct output to dev null 2>/dev/null for this command if the stdout/stderr is still unnecessary. ------------------------------ In recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh <#1502 (comment)>: > @@ -0,0 +1,65 @@ +#!/bin/sh Based on the community call we should table the abrmd stuff. Maybe keep it on a branch on your fork in case we want it down the road, but otherwise I think we can drop the recipes and support files from this PR. — Reply to this email directly, view it on GitHub <#1502 (review)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAOKZPYSL577RWZSIJTZPXT3FWCNHAVCNFSM6AAAAAB7S7M4PWVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDSNRXGM2DAMZYHE> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[dpsmith]

Don't add the bits just to drop them in the next commit. Just squash this commit with the first one and drop all the abrmd changes.

[dpsmith]

Please don't do delta commits, this commit is doing nothing but correcting changes you should have done in the prior commits, creating unnecessary churn in the history. Split this up and move the changes back to the respective commits where it belongs.

[dpsmith]

Much better, if @crogers1 can confirm an independent build of this commit, then it should be ready to go in.

[shahs-ais]

Much better, if @crogers1 can confirm an independent build of this commit, then it should be ready to go in.

Thanks, there is also a minor change in the installer I forgot to add you on (fixes one of the TPM commands to align with the new version) - adding you now. As for this PR, I would not merge it yet as I have been having some issues yesterday/today with tpm2_run not executing correctly after the minimal dependency change (tpm2-tss-pcr) causing measured launch to fail. I have an idea of what's going on and will likely push a change for this tomorrow.

[shahs-ais]

PR is updated and should be good to go, once Chris does the final review.

[crogers1]

Custom build running here: https://openxt.ainfosec.com/buildbot/#/builders/22/builds/97

It includes the installer.git PR as well.

[dpsmith]

@shahs-ais, I merged the varstore wget PR, rebase this PR,then @crogers1 can kick off the builder to confirm a clean build.