Conversation

Jarkko Sakkinen

Non-productive #feature extraordinaire in #systemd: you have to list #TPM kernel module names. Why not instead an sd-tpm that would copy them all? They don't cost much space.

@jarkko list? Where? You really don't. I think most of the kmods for TPMs are autoloaded, no?

@pid_eins I was setting up systemd with UKI manually for the first time and mixed up systemd and Arch-specific configuration :-) So I'm spreading FUD apparently...

Where this spins off from has a legitimate motivation: I'm trying to get my host desktop and VM guests on par with the latest systemd with a UKI kernel so that I can debug keyring and TPM related issues in a relevant environment [1]. I'm co-maintainer for both keyring and TPM, and if you think of those kernel subsystems, systemd is today the substantial user of both, and thus a great user space QA target. It is always using the latest stuff that we are delivering.

In the Arch-specific mkinitcpio.conf there's an array MODULES=(<list of modules>), and all examples I've seen put something like MODULES=(tpm_tis) there. A script (unsurprisingly) called `mkinitcpio` then takes that description and includes them in the final initrd. Even being distro specific, that doesn't add up though, I mean any possible use case for TPM requires it to be in the initramfs (e.g. IMA). It is pretty much a brick unless that is the case :-) So without testing I'd guess that those examples must be wrong and I'll try first not to add anything to MODULES... Yep, and obviously they are autoloaded, when the initramfs has them.

[1] https://codeberg.org/jarkko/archest-linux
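As an added example (not from the thread, and not systemd's or mkinitcpio's code), here is a POSIX shell check for the point the post above lands on: the TPM drivers autoload as long as the initramfs actually contains them, because udev matches the firmware-reported MODALIAS (for a TPM typically the ACPI ID MSFT0101, or a PNP ID such as PNP0C31) against the initramfs's modules.alias. The script takes an extracted initramfs tree plus MODALIAS strings, resolves the drivers the way modprobe would, and verifies each one is shipped as a module file or built in. The directory layout assumed is mkinitcpio's; the sample alias lines, the demo tree and the MODALIAS strings are constructed for illustration, so take real ones from /sys/bus/acpi/devices/*/modalias on the host you care about.

```shell
#!/bin/sh
# Added example, not from the thread or from systemd/mkinitcpio: check that an
# extracted initramfs tree carries the TPM drivers *and* the modules.alias
# entries udev needs to autoload them from the firmware-reported hardware IDs.
# Assumes mkinitcpio's layout (usr/lib/modules/<ver>/{modules.alias,modules.builtin,
# kernel/...}); module files may be plain .ko or compressed (.ko.zst, .ko.xz).
#
# Getting a tree from real artifacts (manual steps, not run by the self-test):
#   mkdir /tmp/ird && cd /tmp/ird && lsinitcpio -x /boot/initramfs-linux.img
#   # for a UKI, pull the .initrd section out first (assumes zstd compression):
#   objcopy -O binary --only-section=.initrd /boot/EFI/Linux/arch-linux.efi /tmp/initrd.img
#   zstd -dc /tmp/initrd.img | cpio -idm

# Constructed sample shaped like real modules.alias lines for the TPM drivers
# (a real file has thousands of entries; the pci line is filler that must not match).
SAMPLE_ALIASES='alias acpi*:MSFT0101:* tpm_crb
alias acpi*:MSFT0101:* tpm_tis
alias pnp:dPNP0C31* tpm_tis
alias pnp:dIFX0102* tpm_tis
alias acpi*:SMO0768:* tpm_crb
alias pci:v00001001d00002222sv*sd*bc*sc*i* filler_driver'

# Print (sorted, unique) the modules whose alias glob matches a MODALIAS string,
# the same lookup "modprobe $MODALIAS" does when udev sees the device.
# $pattern is deliberately unquoted so the shell treats it as a glob.
modules_for_modalias() {
    aliasfile=$1 modalias=$2
    while read -r kw pattern module; do
        [ "$kw" = alias ] || continue
        case "$modalias" in
            $pattern) printf '%s\n' "$module" ;;
        esac
    done < "$aliasfile" | sort -u
}

# For every MODALIAS given after the tree root, resolve the driver(s) and verify
# each is either shipped as a module file or built into the kernel.
# Returns 0 when all resolved drivers are present, 1 otherwise (or when no
# modules.alias exists at all, which means nothing can autoload).
tpm_autoload_check() {
    root=$1; shift
    status=0 found=0
    for moddir in "$root"/usr/lib/modules/* "$root"/lib/modules/*; do
        [ -f "$moddir/modules.alias" ] || continue
        found=1
        for modalias in "$@"; do
            drivers=$(modules_for_modalias "$moddir/modules.alias" "$modalias")
            [ -n "$drivers" ] || { echo "NO DRIVER for $modalias"; status=1; continue; }
            for m in $drivers; do
                if find "$moddir" -name "$m.ko*" | grep -q . ; then
                    echo "ok      $m (module)  <- $modalias"
                elif grep -q "/$m\.ko\$" "$moddir/modules.builtin" 2>/dev/null; then
                    echo "ok      $m (builtin) <- $modalias"
                else
                    echo "MISSING $m <- $modalias"; status=1
                fi
            done
        done
    done
    [ "$found" -eq 1 ] || { echo "no modules.alias under $root" >&2; return 1; }
    return "$status"
}

# Throwaway tree in mkinitcpio's layout; $1.. are the module names to "ship"
# as empty .ko.zst files. Prints the root path. Constructed data only.
make_demo_tree() {
    t=$(mktemp -d)
    d="$t/usr/lib/modules/6.1.0-demo"
    mkdir -p "$d/kernel/drivers/char/tpm"
    printf '%s\n' "$SAMPLE_ALIASES" > "$d/modules.alias"
    : > "$d/modules.builtin"
    for m in "$@"; do : > "$d/kernel/drivers/char/tpm/$m.ko.zst"; done
    printf '%s\n' "$t"
}

# Usage: sh tpm-autoload-check.sh /path/to/extracted/initrd MODALIAS...
# With no arguments, run on the constructed tree: tpm_tis is shipped, tpm_crb is
# not, so a host whose MSFT0101 device wants the CRB driver would be left bare.
if [ "$#" -gt 0 ]; then
    tpm_autoload_check "$@"
else
    tree=$(make_demo_tree tpm_tis)
    tpm_autoload_check "$tree" "acpi:MSFT0101:PNP0C31:" "pnp:dPNP0C31"
    echo "exit status: $?"
    rm -rf "$tree"
fi
```

The alias match is the whole story behind "obviously they are autoloaded": nothing in MODULES=() is needed for loading, only for inclusion, and the check fails the moment a driver the firmware IDs resolve to (here tpm_crb) is absent from the tree.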

@jarkko just use mkosi instead of mkinitcpio, oh, wait, kernel in Arch doesn't support it yet :P

@pid_eins I want to experiment at least with the MOK signing key stored as a TPM2 private key ASN.1 blob on the drive and the signing operation done with tpm2_key_rsa instead of OpenSSL. Thus I need to upscale from Buildroot testing to something with packages 🙂
@triskelion First, that is an untrue argument.

Second, it takes me less time to modify sbsign than mkosi for testing the features in question (e.g. tests that tweak the MOK signing procedure).

Sometimes, if you don't have anything constructive to say, it is best to say nothing.