How to enable TPM on IPfire

I recently purchased a new Protectli VP2410 appliance and have successfully installed IPFire.

Here is a link to my hardware profile: fireinfo.ipfire.org - Profile 8a9376d8774c2dceb94d20f72284cac2990e703f

I purchased the appliance with a TPM module which is recognised by the BIOS and also by the kernel:

[root@ipfire ~]# rngd -l
Entropy sources that are available but disabled
1: TPM RNG Device (tpm)
5: NIST Network Entropy Beacon (nist)
Available and enabled entropy sources:
0: Hardware RNG Device (hwrng)
2: Intel RDRAND Instruction RNG (rdrand)
Available entropy sources that failed initalization:
[root@ipfire ~]# ls -lah /dev/tpm*
crw------- 1 root root 10, 224 Feb 24 13:59 /dev/tpm0
crw------- 1 root root 247, 65536 Feb 24 13:59 /dev/tpmrm0

My question is twofold… do I need to enable the TPM RNG entropy source and if yes then how to do this?

I have perused the KB and forum but have not managed to find anything - perhaps I’ve missed something obvious.

Any guidance / assistance would be greatly appreciated.

First you have to enable the TPM in the BIOS.

Then you have to load the kernel module. It is compiled into the kernel but not loaded.

CONFIG_TCG_TPM=m

The simplest way would probably be to load the module at boot time with the modprobe command by putting the command into the /etc/sysconfig/firewall.local file. Although this file is used for defining special firewall rules that cannot be done via the WUI, it can also be used for running scripts or any Linux command line commands.
https://wiki.ipfire.org/configuration/firewall/firewall-local

However, if your intent is to use it as an entropy source, then since kernel version 5.6 the kernel collects all the required entropy information internally and so having external entropy sources no longer makes sense.

As far as I am aware the kernel will first collect all entropy to the required level internally, so if there is still some acceptance of external entropy sources it only occurs after the kernel has completed its work. From the following thread it is not clear to me if the kernel still accepts external entropy sources or not, via rngd or any other method.

kernel group mail thread on the topic

The only benefit for TPM entropy or a TRNG is for other Linux programs that require a source of entropy but IPFire uses its entropy from the kernel.

3 Likes

Thanks Adolf,

Appreciate you taking the time to explain that in detail.

Based on your explanation I’m inclined to leave things as they are.

Perhaps I could have saved some money purchasing the VP2410 appliance without the TPM hardware module.

Nevermind, we live and learn.

Cheers,

What about /etc/sysconfig/rc.local? Can it be used for loading kernel modules as well?

1 Like

Well found. I thought there was something like that around, but when I was posting I could only find the firewall.local reference in the wiki. Thanks for finding and noting it. :+1:

1 Like

Thanks.

Another question, @bonnietwin. Should we write in the wiki a document stating that a non-firewall based script running at boot, including loading kernel modules, should be put in there? If yes, (this is for @jon), where?

1 Like

It is an interesting question but I don’t know the answer. This is a better question for Michael @ms

2 Likes

Thanks, but I am not sure what the goal is here.

The Linux kernel has its own random number generator, and that should automatically be seeded by any HWRNGs if they are available. So there is no extra setup to be done.

You seem to be saying here that a HWRNG is still of use with the change of the entropy calculation in the kernel from version 5.6 onwards but I thought @arne_f had been saying the opposite in one of our conf calls, that there was no point in having a HWRNG.

The problem for the original poster was that the TPM module in IPFire is compiled in but not loaded and therefore, even if the TPM entropy is of use with the current kernel version, it does need some setup otherwise the unit is not being enabled in the kernel.

1 Like

Thank you gents,

As mentioned earlier I will leave things alone. Fiddling with Linux kernel stuff is a little beyond my pay grade, unless of course the steps that need to be taken are well documented and there exists a clear benefit.

I remain all ears to this discussion.

Cheers,

1 Like

The kernel uses a number of sources to seed its RNG. That includes any HWRNGs and RDRAND and so on.

For that reason it is useless to run rngd which used to do this in the past. That is what Arne was referring to. Therefore IPFire supports all RNGs that are supported by the kernel directly.

Maybe the TPM is not supported by the Linux kernel if the module is not loaded automatically?

3 Likes
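Putting the two answers above together (load the driver from rc.local if it is missing, then let the kernel seed itself with no rngd), here is an added helper script that is not code from the thread or from IPFire. The module name "tpm", the helper's path /etc/sysconfig/load-tpm.sh and the sample text are assumptions; /sys/class/misc/hw_random/rng_available is the kernel's standard hwrng interface.

```shell
#!/bin/sh
# Added example: call from /etc/sysconfig/rc.local as  sh /etc/sysconfig/load-tpm.sh load
# Loads the TPM driver if needed, then checks whether the kernel registered the TPM
# as a hardware RNG source by itself (so no rngd is required, as noted in the thread).

MODULE="${TPM_MODULE:-tpm}"     # assumed from the CONFIG_TCG_TPM=m quoted above
HWRNG_AVAILABLE="/sys/class/misc/hw_random/rng_available"

# Return 0 when module $1 appears in /proc/modules-style text ($2), else 1.
# The text is passed as an argument so the check can be run on sample input.
module_loaded() {
    printf '%s\n' "$2" | grep -q "^$1 "
}

# Return 0 when the hwrng framework lists a TPM source (the tpm driver registers
# it as "tpm-rng-<n>"); $1 is the space-separated content of rng_available.
hwrng_has_tpm() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -q '^tpm-rng'
}

# Load the driver only if it is not already loaded, then report via syslog
# whether the kernel picked up the TPM as an entropy source.
ensure_tpm_loaded() {
    mods=$(cat /proc/modules 2>/dev/null)
    if ! module_loaded "$MODULE" "$mods"; then
        modprobe "$MODULE" || { logger -t rc.local "modprobe $MODULE failed"; return 1; }
        logger -t rc.local "loaded $MODULE"
    fi
    avail=$(cat "$HWRNG_AVAILABLE" 2>/dev/null)
    if hwrng_has_tpm "$avail"; then
        logger -t rc.local "TPM registered as hwrng; sources: $avail"
        return 0
    fi
    logger -t rc.local "TPM not registered as hwrng; sources: $avail"
    return 1
}

# Constructed sample text for a self-check (not captured from a real system).
SAMPLE_MODULES="tpm_tis 16384 0 - Live 0x0000000000000000
tpm 65536 1 tpm_tis, Live 0x0000000000000000"
SAMPLE_RNG="tpm-rng-0 rdrand"

# Only touch the running kernel when explicitly asked to.
case "${1:-}" in
    load) ensure_tpm_loaded ;;
esac
```

If the final log line reports the TPM as an hwrng source, the kernel is already mixing it into its pool and there is nothing further to enable.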

Thanks again @ms

FYI… I have logged a ticket with Protectli to see if they can shed any light on this matter.

Will keep you all posted.

2 Likes

FYI… the Protectli team responded to my enquiry and, due to a lack of experience with the IPFire kernel, they are unable to assist further with this issue.