Skip to content

Add '/dev/tcm0' to default conf #841

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jouyouyun wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add '/dev/tcm0' to default conf #841

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/tabrmd-defaults.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
#define TABRMD_ENTROPY_SRC_DEFAULT "/dev/urandom"
#define TABRMD_SESSIONS_MAX_DEFAULT 4
#define TABRMD_SESSIONS_MAX 64
#define TABRMD_TCTI_CONF_DEFAULT "device:/dev/tpm0"
#define TABRMD_TCTI_CONF_DEFAULT "device:/dev/tpm0;device:/dev/tcm0"
#define TABRMD_TRANSIENT_MAX_DEFAULT 27
#define TABRMD_TRANSIENT_MAX 100

Expand Down
38 changes: 32 additions & 6 deletions src/tabrmd-init.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
#include "tabrmd-init.h"
#include "tabrmd-options.h"
#include "tabrmd.h"
#include "tss2_common.h"
#include "util.h"

/*
Expand Down Expand Up @@ -47,6 +48,35 @@ signal_handler (gpointer user_data)
return G_SOURCE_CONTINUE;
}

/*
* This function attempts to initialize the configured device nodes in sequence
* and returns once successful, otherwise it continues to try until the end of
* the traversal.
*/
static gint
tss2_tctildr_init(const gmain_data_t *data, TSS2_TCTI_CONTEXT **tcti_ctx)
Copy link
Copy Markdown
Member

@williamcroberts williamcroberts Nov 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

put this logic in the tpm2-tss backend for the device tcti rather than tabrmd. This way everything using the tcti libraries gets this support. You'll have a dependency on the updated tpm2-tss library and tpm2-abrmd to support this.

Copy link
Copy Markdown
Author

@jouyouyun jouyouyun Nov 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your reply. TCM support has been added to tpm2-tss, see: tcti: Add '/dev/tcm0' to default conf . When the configuration of tctildr is empty, the default configuration will be automatically used to complete the initialization on the device with only tcm.
However, tpm2-abrmd specifies the configuration when initializing tctildr. If the configuration does not contain tcm, the initialization will fail on the device with only tcm, so this part of the code is added.

Copy link
Copy Markdown
Member

@williamcroberts williamcroberts Nov 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So then why don't we just use NULL for the default and let the tcti-ldr search logic prevail.

Copy link
Copy Markdown
Author

@jouyouyun jouyouyun Nov 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this seems feasible. I need to verify how to modify it.

Copy link
Copy Markdown
Author

@jouyouyun jouyouyun Oct 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I apologize for the delayed response. After receiving your reply, I reviewed the code and found that in abrmd, the tcti_ctx needs to be constructed using the device path before using functions like tpm2_new/tpm2_init_tpm to complete the initialization.

It is not possible to reuse the TSS initialization function Tss2_Tcti_TctiLdr_Init for TSS2_TCTI_CONTEXT. Therefore, the functionality to parse the TCM device path still needs to be added to abrmd.

Copy link
Copy Markdown
Member

@williamcroberts williamcroberts Oct 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh I think I finally understand the problem. If we pass NULL on devices that have TPM, abrmd will attempt tpmrm0 before tpm0, which is not what we want and on tcm devices it would find tcm0, is that right?

If so, make it an array of strings to try rather than parsing on a semi-colon.

Copy link
Copy Markdown
Member

@williamcroberts williamcroberts Oct 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also wonder if this is better off in a service file as tpm2-abrmd takes a tcti option. How do you start the service on tcm devices?

Copy link
Copy Markdown
Author

@jouyouyun jouyouyun Oct 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TCM is compatible with the TPM 2.0 specification, the boot method is the same as TPM, only the device path is different.

Copy link
Copy Markdown
Member

@williamcroberts williamcroberts Oct 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TCM is compatible with the TPM 2.0 specification, the boot method is the same as TPM, only the device path is different.

Yeah exactly, so what you do, you'll see these files under dist, is make tpm2-abrmd start up using the tcti option based on the presence of the TCM device

{
gint rc = TSS2_RC_SUCCESS, i = 0;
const char *delim = ";";
gchar **conf_list = NULL;

conf_list = g_strsplit(data->options.tcti_conf, delim, -1);
for (; conf_list[i] != NULL; i++) {
rc = Tss2_TctiLdr_Initialize(conf_list[i], tcti_ctx);
if (rc != TSS2_RC_SUCCESS || *tcti_ctx == NULL) {
g_critical("%s: failed to create TCTI with conf \"%s\", got RC: 0x%x",
__func__, data->options.tcti_conf, rc);
rc = EX_IOERR;
continue;
}
break;
}

g_strfreev(conf_list);
conf_list = NULL;
return rc;
}

/*
* This function is a callback invoked by the IpcFrontend object
* when a 'disconnect' event occurs. It sets a flag in the gmain_data_t
Expand Down Expand Up @@ -170,13 +200,9 @@ init_thread_func (gpointer user_data)
ipc_frontend_connect (data->ipc_frontend,
&data->init_mutex);

rc = Tss2_TctiLdr_Initialize (data->options.tcti_conf, &tcti_ctx);
if (rc != TSS2_RC_SUCCESS || tcti_ctx == NULL) {
g_critical ("%s: failed to create TCTI with conf \"%s\", got RC: 0x%x",
__func__, data->options.tcti_conf, rc);
ret = EX_IOERR;
rc = tss2_tctildr_init(data, &tcti_ctx);
if (rc != TSS2_RC_SUCCESS)
goto err_out;
}
tcti = tcti_new (tcti_ctx);
data->tpm2 = tpm2_new (tcti);
g_clear_object (&tcti);
Expand Down