Then you have to load the kernel module. It is compiled into the kernel but not loaded.
CONFIG_TCG_TPM=m
The simplest way would probably be to load the module at boot time with the modprobe command by putting the command into the /etc/sysconfig/firewall.local file. Although this is used for defining special firewall rules that cannot be done via the WUI, it can also be used for running scripts or any Linux command line commands. https://wiki.ipfire.org/configuration/firewall/firewall-local
However, if your intent is to use it as an entropy source, then since kernel version 5.6 the kernel collects all the required entropy information internally and so having external entropy sources no longer makes sense.
As far as I am aware the kernel will first collect all entropy to the required level internally, so if there is still some acceptance of external entropy sources it only occurs after the kernel has completed its work. From the following thread it is not clear to me if the kernel still accepts external entropy sources or not via rngd or any other method.
Well found. I thought there was something like that around but when I was posting I could only find the firewall.local reference in the wiki. Thanks for finding and noting it.
Another question, @bonnietwin. Should we write in the wiki a document stating that a non-firewall based script running at boot, including loading kernel modules, should be put in there? If yes, (this is for @jon), where?
The Linux kernel has its own random number generator, and that should automatically be seeded by any HWRNGs if they are available. So there is no extra setup to be done.
You seem to be saying here that a HWRNG is still of use with the change of the entropy calculation in the kernel from version 5.6 onwards but I thought @arne_f had been saying the opposite in one of our conf calls, that there was no point in having a HWRNG.
The problem for the original poster was that the TPM module in IPFire is compiled in but not loaded and therefore, even if the TPM entropy is of use with the current kernel version, it does need some setup otherwise the unit is not being enabled in the kernel.
As mentioned earlier I will leave things alone. Fiddling with Linux kernel stuff is a little beyond my pay grade unless of course the steps that need to be taken are well documented and there exists a clear benefit.
The kernel uses a number of sources to seed its RNG. That includes any HWRNGs and RDRAND and so on.
For that reason it is useless to run rngd which used to do this in the past. That is what Arne was referring to. Therefore IPFire supports all RNGs that are supported by the kernel directly.
Maybe the TPM is not supported by the Linux kernel if the module is not loaded automatically?
FYI… the Protectli team responded to my enquiry and due to a lack of experience with the IPFire kernel they are unable to assist further with this issue.
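The two open questions in this thread (is the TPM driver actually loaded, and does the kernel list the TPM as a hardware RNG) can be checked from the shell. The script below is an added example, not from any poster or from the IPFire project; it reads /proc/modules and /sys/class/misc/hw_random, and its function names and the match on the `tpm-rng-*` device name are assumptions of this example.

```shell
#!/bin/sh
# Added example: report TPM driver and hw_random state.
# File locations are parameters so the checks can also be run against
# constructed copies of the kernel files.

# tpm_module_loaded [modules_file]
# Returns 0 if a tpm or tpm_* module is listed, 1 if not, 2 if unreadable.
# Only meaningful when the driver is built as a module (CONFIG_TCG_TPM=m);
# a built-in driver never appears in /proc/modules.
tpm_module_loaded() {
    modules_file="${1:-/proc/modules}"
    [ -r "$modules_file" ] || return 2
    # The first field of each /proc/modules line is the module name.
    awk '$1 == "tpm" || $1 ~ /^tpm_/ { found = 1 } END { exit !found }' \
        "$modules_file"
}

# tpm_rng_state [hw_random_dir]
# Prints "current" if the selected hwrng is TPM-backed, "available" if a
# TPM-backed hwrng is registered but not selected, otherwise "absent".
tpm_rng_state() {
    dir="${1:-/sys/class/misc/hw_random}"
    current=$(cat "$dir/rng_current" 2>/dev/null) || current=""
    available=$(cat "$dir/rng_available" 2>/dev/null) || available=""
    case "$current" in
        tpm-rng-*) echo current; return 0 ;;
    esac
    case " $available " in
        *" tpm-rng-"*) echo available; return 0 ;;
    esac
    echo absent
}

# tpm_report [modules_file] [hw_random_dir]
# Prints one summary line combining both checks.
tpm_report() {
    if tpm_module_loaded "$1"; then mod=loaded; else mod=not-loaded; fi
    echo "tpm_module=$mod tpm_rng=$(tpm_rng_state "$2")"
}

# With no arguments this inspects the running system.
tpm_report "$@"
```

Running it before and after the modprobe line in firewall.local shows whether loading the module changes what the kernel's hw_random framework sees.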