* Which layer is best for tpm2 stack
@ 2019-11-27 22:56 Diego Santa Cruz
       [not found] ` <25293.1574938811729379315@lists.yoctoproject.org>
  0 siblings, 1 reply; 3+ messages in thread
From: Diego Santa Cruz @ 2019-11-27 22:56 UTC (permalink / raw)
  To: yocto


Hello,

I need to use a TPM2 software stack for my project (tpm2-tools, tpm2-abrmd, tpm2-tss, etc.), where I am already using Yocto, meta-intel, meta-oe, meta-networking, etc.

I see there are at least the following three layers that carry the necessary TPM2 bits, with varying recipe versions.

  *   meta-tpm in meta-security repo (https://git.yoctoproject.org/cgit/cgit.cgi/meta-security/)
  *   meta-tpm2 in meta-secure-core repo (https://github.com/jiazhang0/meta-secure-core)
  *   meta-measured (https://github.com/flihp/meta-measured)

My current objective is to use the TPM2 as a security chip from our software (in the future we may extend its use to root fs encryption keys and the like). Are there any recommendations as to which of these layers would be more appropriate, is better maintained, etc.?

BTW, the meta-tpm layer in meta-security repo is not listed in the OpenEmbedded Layer index, although meta-security itself and some of the other layers in that repo are listed. Is that because of a name clash with the ones under the meta-secure-core repo, which also carries layers named meta-tpm and meta-integrity?

Thanks,

Diego
--
Diego Santa Cruz, PhD
Technology Architect
spinetix.com



* Re: Private: Re: [yocto] Which layer is best for tpm2 stack
       [not found] ` <25293.1574938811729379315@lists.yoctoproject.org>
@ 2019-11-29 10:01   ` Diego Santa Cruz
  2019-11-29 10:05     ` Maciej Pijanowski
  0 siblings, 1 reply; 3+ messages in thread
From: Diego Santa Cruz @ 2019-11-29 10:01 UTC (permalink / raw)
  To: yocto; +Cc: dan


Dear all,

I got the feedback below by private email (was meant to be sent to the m-l), so I think I’ll go with meta-tpm2 from meta-secure-core for now.

But I may switch to meta-tpm from meta-security in the future as it seems to have more tpm2 related recipes (I’m on thud for now and the tpm2-tools in thud branch of meta-security is too old).

Any other feedback from the community?

Thanks,

Diego

--
Diego Santa Cruz, PhD
Technology Architect
T +41 21 341 15 50
diego.santacruz@spinetix.com <mailto:diego.santacruz@spinetix.com> | Subscribe to our Newsletter <http://eepurl.com/dgs82P>
spinetix.com

From: Dan O'Donovan via Lists.Yoctoproject.Org <dan=emutex.com@lists.yoctoproject.org>
Sent: 28 November 2019 12:00
To: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
Subject: Private: Re: [yocto] Which layer is best for tpm2 stack

On Wed, Nov 27, 2019 at 02:56 PM, Diego Santa Cruz wrote:

> Hello,
>
> I need to use a TPM2 software stack for my project (tpm2-tools, tpm2-abrmd, tpm2-tss, etc.), where I am already using Yocto, meta-intel, meta-oe, meta-networking, etc.
>
> I see there are at least the following three layers that carry the necessary TPM2 bits, with varying recipe versions.
>
>   *   meta-tpm in meta-security repo (https://git.yoctoproject.org/cgit/cgit.cgi/meta-security/)
>   *   meta-tpm2 in meta-secure-core repo (https://github.com/jiazhang0/meta-secure-core)
>   *   meta-measured (https://github.com/flihp/meta-measured)
>
> My current objective is to use the TPM2 as a security chip from our software (in the future we may extend its use to root fs encryption keys and the like). Are there any recommendations as to which of these layers would be more appropriate, is better maintained, etc.?

I've personally used the meta-tpm2 layer in meta-secure-core repo with good success on both Intel and ARM platforms with Infineon TPM chips.  In particular, I used the cryptfs-tpm2 and secure-core initramfs recipes from that layer for managing root fs encryption.  IIRC, this layer seemed to offer the best support for what we needed regarding TPM2 on Yocto 'Sumo' at the time.

I haven't really looked at the other layers recently so I can't give a comparison with those.  However, I did notice a significant amount of activity via the mailing list related to TPM2 support for the meta-security repo in recent weeks, so that's probably worth a look too.





> BTW, the meta-tpm layer in meta-security repo is not listed in the OpenEmbedded Layer index, although meta-security itself and some of the other layers in that repo are listed. Is that because of a name clash with the ones under the meta-secure-core repo, which also carries layers named meta-tpm and meta-integrity?
>
> Thanks,
>
> Diego
>
> --
> Diego Santa Cruz, PhD
> Technology Architect
> spinetix.com


* Re: Private: Re: [yocto] Which layer is best for tpm2 stack
  2019-11-29 10:01   ` Private: Re: [yocto] " Diego Santa Cruz
@ 2019-11-29 10:05     ` Maciej Pijanowski
  0 siblings, 0 replies; 3+ messages in thread
From: Maciej Pijanowski @ 2019-11-29 10:05 UTC (permalink / raw)
  To: diego.santacruz, yocto




On 29.11.2019 11:01, Diego Santa Cruz via Lists.Yoctoproject.Org wrote:
> Dear all,
>
> I got the feedback below by private email (was meant to be sent to the
> m-l), so I think I’ll go with meta-tpm2 from meta-secure-core for now.
>
> But I may switch to meta-tpm from meta-security in the future as it
> seems to have more tpm2 related recipes (I’m on thud for now and the
> tpm2-tools in thud branch of meta-security is too old).
>
> Any other feedback from the community?
>
I'm currently using meta-tpm from meta-security for tpm2-tools.
My reasoning was that this one will likely be the one to go in the long
run since it's hosted on the poky git (?).
>
>  
>
> Thanks,
>
>  
>
> Diego
>
>  
>
> --
> *Diego Santa Cruz, PhD*
> Technology Architect
> T +41 21 341 15 50
> diego.santacruz@spinetix.com <mailto:diego.santacruz@spinetix.com> |
> Subscribe to our Newsletter <http://eepurl.com/dgs82P>
>
> spinetix.com
>
>  
>
> *From:*Dan O'Donovan via Lists.Yoctoproject.Org
> <dan=emutex.com@lists.yoctoproject.org>
> *Sent:* 28 November 2019 12:00
> *To:* Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
> *Subject:* Private: Re: [yocto] Which layer is best for tpm2 stack
>
>  
>
> On Wed, Nov 27, 2019 at 02:56 PM, Diego Santa Cruz wrote:
>
>     Hello,
>
>      
>
>     I need to use a TPM2 software stack for my project (tpm2-tools,
>     tpm2-abrmd, tpm2-tss, etc.), where I am already using Yocto,
>     meta-intel, meta-oe, meta-networking, etc.
>
>      
>
>     I see there are at least the following three layers that carry the
>     necessary TPM2 bits, with varying recipe versions.
>
>       * meta-tpm in meta-security repo
>         (https://git.yoctoproject.org/cgit/cgit.cgi/meta-security/)
>       * meta-tpm2 in meta-secure-core repo
>         (https://github.com/jiazhang0/meta-secure-core)
>       * meta-measured (https://github.com/flihp/meta-measured)
>
>      
>
>     My current objective is to use the TPM2 as a security chip from
>     our software (in the future we may extend its use to root fs
>     encryption keys and the like). Are there any recommendations as to
>     which of these layers would be more appropriate, is better
>     maintained, etc.?
>
> I've personally used the meta-tpm2 layer in meta-secure-core repo with
> good success on both Intel and ARM platforms with Infineon TPM chips. 
> In particular, I used the cryptfs-tpm2 and secure-core initramfs
> recipes from that layer for managing root fs encryption.  IIRC, this
> layer seemed to offer the best support for what we needed regarding
> TPM2 on Yocto 'Sumo' at the time.
>
> I haven't really looked at the other layers recently so I can't give a
> comparison with those.  However, I did notice a significant amount of
> activity via the mailing list related to TPM2 support for the
> meta-security repo in recent weeks, so that's probably worth a look too.
>
>      
>
>      
>
>     BTW, the meta-tpm layer in meta-security repo is not listed in the
>     OpenEmbedded Layer index, although meta-security itself and some
>     of the other layers in that repo are listed. Is that because of a
>     name clash with the ones under the meta-secure-core repo, which
>     also carries layers named meta-tpm and meta-integrity?
>
>      
>
>     Thanks,
>
>      
>
>     Diego
>
>     -- 
>     *Diego Santa Cruz, PhD*
>     Technology Architect
>     spinetix.com
>
>      
>
>

-- 
Maciej Pijanowski
Embedded Systems Engineer
GPG: F1401D2E1CCB19EF
https://3mdeb.com | @3mdeb_com

