From: Jon Mason <jdmason@kudzu.us>
To: Mikko Rapeli <mikko.rapeli@linaro.org>
Cc: meta-arm@lists.yoctoproject.org
Subject: Re: [PATCH 1/2] trusted-firmware-a: continue if TPM device is missing
Date: Tue, 23 Apr 2024 14:21:12 -0400 [thread overview]
Message-ID: <Zif8GPUamF5+3fDR@kudzu.us> (raw)
In-Reply-To: <ZiYRvZYE2yaO49MU@nuoska>
On Mon, Apr 22, 2024 at 10:29:01AM +0300, Mikko Rapeli wrote:
> Hi,
>
> On Sat, Apr 20, 2024 at 06:40:54PM -0400, Jon Mason wrote:
> > On Wed, Apr 17, 2024 at 02:07:21PM +0300, Mikko Rapeli wrote:
> > > All other firmware boot components also continue booting
> > > if TPM is not found. It is up to subsequent SW components
> > > to e.g. fail if rootfs can't be decrypted. Enables policies
> > > like fall back to unencrypted rootfs if TPM device is
> > > not found with qemu and swtpm.
> > >
> > > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> >
> > This series is failing on all instances of qemuarm64-secureboot and
> > qemuarm-secureboot. You can see it on my gitlab CI at:
> > https://gitlab.com/jonmason00/meta-arm/-/pipelines/1261200728
> >
> > All of them appear to be due to detecting the following error (snipped
> > from the dmesg of the errorlog):
> > optee-ftpm optee-ta-bc50d971-d4c9-42c4-82cb-343fb7f37896: ftpm_tee_probe: tee_client_open_session failed, err=ffff3024
> > optee-ftpm: probe of optee-ta-bc50d971-d4c9-42c4-82cb-343fb7f37896 failed with error -22
>
> Bummer, checking what I missed here.
>
> Did optee-test/xtest run and possibly pass despite of this? I don't see this from the logs.
optee-test is only being compiled, not being run as part of CI
(patches very much wanted and welcomed). So, nothing exciting here
except the kernel trying to load the modules and erroring out.
Thanks,
Jon
>
> Cheers,
>
> -Mikko
>
> > Thanks,
> > Jon
> >
> > > ---
> > > ...ot.c-ignore-TPM-error-and-continue-w.patch | 36 +++++++++++++++++++
> > > .../trusted-firmware-a_2.10.3.bb | 5 +++
> > > 2 files changed, 41 insertions(+)
> > > create mode 100644 meta-arm/recipes-bsp/trusted-firmware-a/files/0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch
> > >
> > > diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/files/0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch b/meta-arm/recipes-bsp/trusted-firmware-a/files/0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch
> > > new file mode 100644
> > > index 00000000..2d189d8e
> > > --- /dev/null
> > > +++ b/meta-arm/recipes-bsp/trusted-firmware-a/files/0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch
> > > @@ -0,0 +1,36 @@
> > > +From 1d1425bde8435d6e2b3e4f2b7bcb2eb293ef9601 Mon Sep 17 00:00:00 2001
> > > +From: Mikko Rapeli <mikko.rapeli@linaro.org>
> > > +Date: Mon, 15 Jan 2024 09:26:56 +0000
> > > +Subject: [PATCH] qemu_measured_boot.c: ignore TPM error and continue with boot
> > > +
> > > +If firmware is configured with TPM support but it's missing
> > > +on HW, e.g. swtpm not started and/or configured with qemu,
> > > +then continue booting. Missing TPM is not a fatal error.
> > > +Enables testing boot without TPM device to see that
> > > +missing TPM is detected further up the SW stack and correct
> > > +fallback actions are taken.
> > > +
> > > +Upstream-Status: Pending
> > > +
> > > +Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> > > +---
> > > + plat/qemu/qemu/qemu_measured_boot.c | 3 ++-
> > > + 1 file changed, 2 insertions(+), 1 deletion(-)
> > > +
> > > +diff --git a/plat/qemu/qemu/qemu_measured_boot.c b/plat/qemu/qemu/qemu_measured_boot.c
> > > +index 122bb23b14..731b081c47 100644
> > > +--- a/plat/qemu/qemu/qemu_measured_boot.c
> > > ++++ b/plat/qemu/qemu/qemu_measured_boot.c
> > > +@@ -79,7 +79,8 @@ void bl2_plat_mboot_finish(void)
> > > + * Note: In QEMU platform, OP-TEE uses nt_fw_config to get the
> > > + * secure Event Log buffer address.
> > > + */
> > > +- panic();
> > > ++ ERROR("Ignoring TPM errors, continuing without\n");
> > > ++ return;
> > > + }
> > > +
> > > + /* Copy Event Log to Non-secure memory */
> > > +--
> > > +2.34.1
> > > +
> > > diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.3.bb b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.3.bb
> > > index b30ac725..13942dbb 100644
> > > --- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.3.bb
> > > +++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.10.3.bb
> > > @@ -11,3 +11,8 @@ SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=ht
> > > SRCREV_mbedtls = "72718dd87e087215ce9155a826ee5a66cfbe9631"
> > >
> > > LIC_FILES_CHKSUM_MBEDTLS = "file://mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
> > > +
> > > +# continue to boot also without TPM
> > > +SRC_URI += "\
> > > + file://0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch \
> > > +"
> > > --
> > > 2.34.1
> > >
> > >
>
next prev parent reply other threads:[~2024-04-23 18:21 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-17 11:07 [PATCH 1/2] trusted-firmware-a: continue if TPM device is missing Mikko Rapeli
2024-04-17 11:07 ` [PATCH 2/2] optee-ftpm: enumerate also without tee-supplicant Mikko Rapeli
2024-04-22 8:02 ` [meta-arm] " Sumit Garg
2024-04-22 8:13 ` Mikko Rapeli
2024-04-30 12:44 ` Mikko Rapeli
2024-04-20 22:40 ` [PATCH 1/2] trusted-firmware-a: continue if TPM device is missing Jon Mason
2024-04-22 7:29 ` Mikko Rapeli
2024-04-23 18:21 ` Jon Mason [this message]
2024-04-24 6:37 ` Mikko Rapeli
-- strict thread matches above, loose matches on Subject: below --
2024-04-30 12:37 [PATCH v2 0/6] TPM and fTPM test Mikko Rapeli
2024-04-30 12:37 ` [PATCH 1/6] trusted-firmware-a: continue if TPM device is missing Mikko Rapeli
2024-04-30 12:37 ` [PATCH 2/6] optee-os: inrease heap size with fTPM Mikko Rapeli
2024-04-30 12:37 ` [PATCH 3/6] oeqa runtime: add optee.py test Mikko Rapeli
2024-04-30 12:37 ` [PATCH 4/6] oeqa runtime: add ftpm.py test Mikko Rapeli
2024-04-30 12:37 ` [PATCH 5/6] ci/qemuarm64-secureboot.yml: install optee and test both optee and ftpm Mikko Rapeli
2024-04-30 12:37 ` [PATCH 6/6] ci/qemuarm-secureboot.yml: " Mikko Rapeli
2024-05-01 2:06 ` [PATCH v2 0/6] TPM and fTPM test Jon Mason
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zif8GPUamF5+3fDR@kudzu.us \
--to=jdmason@kudzu.us \
--cc=meta-arm@lists.yoctoproject.org \
--cc=mikko.rapeli@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.