如何使用 Yocto 为 Raspberry Pi 构建有效的 TPM2 映像？

Question

I want to build a Linux System with Yocto for the Raspberry Pi with enabled IMA & TPM2.0 support. Therefore I want to compile the kernel with IMA/EVM and TPM Configs and Recipes.

The IMA support should be enabled through the layer meta-secure-core/meta-integrity and adding DISTRO_FEATURE "ima", aswell as IMAGE_INSTALL_append "packagegroup-ima" for the tools. The TPM2 support should be enabled through the meta-security/meta-tpm layer and by adding MACHINE_FEATURES "tpm2" and installing "packagegroup-security-tpm2" via IMAGE_INSTALL_append.

Furthermore, if I understand it correctly, I need systemd as the init_manager.

Yocto Version (Thud/2.6.3). I tried Warrior but ran into build errors. This creates a 4.14.X Linux Kernel.

bblayers.conf:

BBLAYERS ?= " \
  /<working-dir>/poky/meta \
  /<working-dir>/poky/meta-poky \
  /<working-dir>/poky/meta-yocto-bsp \
  /<working-dir>/meta-openembedded/meta-oe \
  /<working-dir>/meta-openembedded/meta-python \
  /<working-dir>/meta-openembedded/meta-networking \
  /<working-dir>/meta-openembedded/meta-perl \
  /<working-dir>/meta-security \
  /<working-dir>/meta-security/meta-tpm \
  /<working-dir>/meta-secure-core/meta-integrity \
  /<working-dir>/meta-raspberrypi \
  "

local.conf:

MACHINE = "raspberrypi3"
...
DISTRO_FEATURES_append += "systemd ima"
VIRTUAL-RUNTIME_init_manager = "systemd"
MACHINE_FEATURES += "tpm2"
IMAGE_INSTALL_append += "packagegroup-security-tpm2 packagegroup-ima"
ENABLE_SPI_BUS = "1"
RPI_EXTRA_CONFIG = "\n \
dtoverlay=tpm-slb9670 \n"

Builds:

/<working-dir>/build/$ bitbake core-image-minimal

I expected the following entries in /proc/config.gz

For TPM:

    CONFIG_HW_RANDOM_TPM=y
    CONFIG_TCG_TPM=y
    CONFIG_TCG_TIS_CORE=y
    CONFIG_TCG_TIS=y
    CONFIG_TCG_CRB=y
    CONFIG_SECURITYFS=y

For IMA:

    CONFIG_IMA=y
    # CONFIG_IMA_KEXEC is not set
    # CONFIG_IMA_LSM_RULES is not set
    CONFIG_IMA_WRITE_POLICY=y
    CONFIG_IMA_READ_POLICY=y
    CONFIG_IMA_MEASURE_PCR_IDX=10
    # CONFIG_IMA_TEMPLATE is not set
    # CONFIG_IMA_NG_TEMPLATE=y is not set
    CONFIG_IMA_SIG_TEMPLATE=y
    CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
    # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
    CONFIG_IMA_DEFAULT_HASH_SHA256=y
    # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
    # CONFIG_IMA_DEFAULT_HASH_WP512 is not set
    CONFIG_IMA_DEFAULT_HASH="sha256"
    CONFIG_IMA_APPRAISE=y
    CONFIG_IMA_LOAD_X509=y
    CONFIG_IMA_APPRAISE_BOOTPARAM=y
    CONFIG_IMA_TRUSTED_KEYRING=y
    CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
    CONFIG_IMA_BLACKLIST_KEYRING=y
    CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
    # CONFIG_IMA_APPRAISE_SIGNED_INIT is not set

However, searching on the built Linux on the Raspberry Pi for those settings none were enabled.

# modprobe configs
# cat /proc/config.gz | gunzip > running.conf
# cat running.conf | grep IMA

When I previously built for qemu, I didnt have those issues and I was able to confirm that my settings were enabled in the kernel. Only the tools like evmctl were installed.

Also, my settings for /boot/config.txt of the Raspi didnt seem to have an effect. In fact, there was no /boot/config.txt for me to open at all.

Ultimately, the TPM2 abrmd didnt start during boot (error msg) and I obviously couldnt access the TPM at /dev/tpm* via SPI. What did I do wrong? I'm new to Yocto and System Building/Linux Kernel in general.

Incase it's related to the Kernel Version, I tried to build for 4.19 but got build errors. I also messed around with the meta-rpi layer from jumpnowtek but it didnt fix my problem. There is also a meta-intel-iot-security/meta-integrity layer but its not maintained.

Answer 1

you missed to modify the DTS.

I create a guide and a github project to insert TPM on Raspberry. Please see the following:

https://github.com/simonetolotti/meta-raspberrypi-web/tree/tpm