
Bug#1041007: linux-image-6.1.0-0.deb11.7-amd64: Please enable TPM hardware RNG support (CONFIG_HW_RANDOM_TPM)



hi Vincent,

On Sat, Jul 29, 2023 at 12:33:35AM +0200, Vincent Blut wrote:
> Hello,
> 
> Le 2023-07-13 23:10, jflf_kernel@gmx.com a écrit :
> > Package: src:linux
> > Version: 6.1.20-2~bpo11+1
> > Severity: normal
> > X-Debbugs-Cc: jflf_kernel@gmx.com
> > 
> > Dear Maintainer,
> > 
> > Currently no Debian kernel enables support for TPM hardware RNG. On one of my
> > systems:
> > 
> > $ uname -a
> > Linux XXX 6.1.0-0.deb11.7-amd64 #1 SMP PREEMPT_DYNAMIC Debian
> > 6.1.20-2~bpo11+1 (2023-04-23) x86_64 GNU/Linux
> > 
> > $ cat /sys/class/tpm/tpm0/device/description
> > TPM 2.0 Device
> > 
> > $ ls /dev/tpm*
> > /dev/tpm0  /dev/tpmrm0
> > 
> > $ sudo tpm2_getrandom 16 | xxd -p
> > 7ba65632453b191385a3989485ac80a3
> > 
> > $ grep HW_RANDOM_TPM /boot/config-$(uname -r)
> > <nothing>
> > 
> > $ find /lib/modules/$(uname -r) -iname \*tpm\*rng\*
> > <nothing again>
> > 
> > $ ls /dev/hwrng
> > ls: cannot access '/dev/hwrng': No such file or directory
> > 
> > 
> > I have checked the current bookworm and trixie kernel debs, and they don't
> > include it either. It should be enabled there too.
> > 
> > I manage multiple older amd64 machines that have discrete TPM chips, but no
> > RDRAND instruction or any other hardware RNG. Enabling support for the TPM RNG
> > would provide the kernel with additional entropy earlier in the boot process.
> 
> Indeed, this regression compared to the kernel provided in bullseye is due to
> a configuration issue.
> For HW_RANDOM_TPM to be enabled, the TCG_TPM and HW_RANDOM config symbols are
> required but there is a subtlety in the way they have to be built. If TCG_TPM
> is built-in then HW_RANDOM must not be loadable (built as a module).
> 
> If we take a look at the kernel configuration files prior to being constructed, we
> can see that both TCG_TPM and HW_RANDOM config symbols should be built as
> modules:
> 
> $ grep -Er "TCG_TPM|HW_RANDOM="
> arm64/config:CONFIG_TCG_TPM=m
> kernelarch-x86/config:CONFIG_TCG_TPM=m
> config:CONFIG_HW_RANDOM=m
> config.cloud:CONFIG_TCG_TPM=m
>  
> However after these files have been constructed, the TCG_TPM config symbol is
> no longer provided as module but built-in:
> 
> $ grep TCG_TPM /boot/config-6.3.0-1-amd64
> CONFIG_TCG_TPM=y
> 
> This change is what causes HW_RANDOM_TPM to be disabled and is probably due to
> [1].
> 
> Ben, Salvatore, to fix this regression we should either force TCG_TPM to be
> built as a module or make HW_RANDOM built-in. The second solution has my
> preference, WDYT?

I think the latter option sounds fine, do we have an idea what that
implies on sizes? If Ben agrees as well on the approach then please
make two merge requests and let's work it top-down, first have it
fixed in unstable, and have a corresponding MR on the bookworm branch
to have it included in the next bookworm point release.

Regards,
Salvatore
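The dependency subtlety Vincent describes is encoded in the kernel's own Kconfig: in Linux 6.1, drivers/char/hw_random/Kconfig declares HW_RANDOM_TPM as a bool with `depends on TCG_TPM && HW_RANDOM && !(TCG_TPM=y && HW_RANDOM=m)`, so a built-in TPM core cannot link against a modular hw_random framework. The following script is an added example, not code from the thread or from the Debian kernel packaging: it evaluates that rule against a kernel config file and reports why HW_RANDOM_TPM is or is not selectable, using constructed config fragments that mirror the three combinations discussed (bullseye-style both-modular, the 6.1 TCG_TPM=y/HW_RANDOM=m state, and the proposed HW_RANDOM=y fix). The function names and the temporary files are assumptions made for the example.

```shell
#!/bin/sh
# Added example: apply the HW_RANDOM_TPM Kconfig rule from Linux 6.1
# (drivers/char/hw_random/Kconfig) to a kernel config file:
#   depends on TCG_TPM && HW_RANDOM && !(TCG_TPM=y && HW_RANDOM=m)

# Read the tristate value (y, m, or n) of CONFIG_$2 from config file $1.
# "# CONFIG_FOO is not set" and a missing symbol both count as n.
config_value() {
    value=$(sed -n "s/^CONFIG_$2=//p" "$1" | head -n 1)
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        printf 'n\n'
    fi
}

# Print "selectable" or "blocked: <reason>" for HW_RANDOM_TPM in config $1.
hw_random_tpm_status() {
    tpm=$(config_value "$1" TCG_TPM)
    hwrng=$(config_value "$1" HW_RANDOM)
    if [ "$tpm" = n ]; then
        echo "blocked: TCG_TPM is not enabled"
    elif [ "$hwrng" = n ]; then
        echo "blocked: HW_RANDOM is not enabled"
    elif [ "$tpm" = y ] && [ "$hwrng" = m ]; then
        echo "blocked: TCG_TPM=y cannot depend on modular HW_RANDOM=m"
    else
        echo "selectable"
    fi
}

# Convenience check for the running kernel (hypothetical helper, assumes the
# Debian layout /boot/config-$(uname -r)); prints the config verdict and
# whether the hwrng character device is actually present.
check_running_kernel() {
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ]; then
        echo "$cfg: HW_RANDOM_TPM $(hw_random_tpm_status "$cfg")"
    else
        echo "$cfg: not readable, skipping"
    fi
    if [ -c /dev/hwrng ]; then
        echo "/dev/hwrng present"
    else
        echo "/dev/hwrng absent"
    fi
}

# Constructed config fragments (not real Debian files) for the three cases.
demo() {
    dir=$(mktemp -d)
    printf 'CONFIG_TCG_TPM=m\nCONFIG_HW_RANDOM=m\n' > "$dir/bullseye-style"
    printf 'CONFIG_TCG_TPM=y\nCONFIG_HW_RANDOM=m\n' > "$dir/6.1-as-shipped"
    printf 'CONFIG_TCG_TPM=y\nCONFIG_HW_RANDOM=y\n' > "$dir/proposed-fix"
    printf '# CONFIG_TCG_TPM is not set\nCONFIG_HW_RANDOM=y\n' > "$dir/no-tpm"
    for name in bullseye-style 6.1-as-shipped proposed-fix no-tpm; do
        echo "$name: $(hw_random_tpm_status "$dir/$name")"
    done
    rm -rf "$dir"
}

demo
```

Running `demo` prints "selectable" for the bullseye-style and proposed-fix fragments and a "blocked" verdict for the other two; `check_running_kernel` does the same for the installed config and also reports whether /dev/hwrng exists, which is the symptom the original report started from.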

