Bugzilla – Bug 1216835
add tpm support to installation system
Last modified: 2023-12-19 09:51:10 UTC
The goal is to make the TPM accessible within the installation system. This means:

- adding the necessary programs (tpm2.0-tools) and
- auto-starting the communication daemon (tpm2-abrmd)
Implemented for Tumbleweed: https://github.com/openSUSE/installation-images/pull/670
same for SLE15-SP5: https://github.com/openSUSE/installation-images/pull/671
Here are the manual steps for (as an example) SLE15-SP4-GA:

Prepare a directory structure like this:

gehc
├── initrd
│   └── scripts
│       └── early_setup
├── libefivar1-37-6.12.1.x86_64.rpm
├── libgio-2_0-0-2.70.4-150400.1.5.x86_64.rpm
├── libglib-2_0-0-2.70.4-150400.1.5.x86_64.rpm
├── libgmodule-2_0-0-2.70.4-150400.1.5.x86_64.rpm
├── libgobject-2_0-0-2.70.4-150400.1.5.x86_64.rpm
├── libtss2-esys0-3.1.0-150400.1.6.x86_64.rpm
├── libtss2-fapi1-3.1.0-150400.1.6.x86_64.rpm
├── libtss2-mu0-3.1.0-150400.1.6.x86_64.rpm
├── libtss2-rc0-3.1.0-150400.1.6.x86_64.rpm
├── libtss2-sys1-3.1.0-150400.1.6.x86_64.rpm
├── libtss2-tcti-device0-3.1.0-150400.1.6.x86_64.rpm
├── libtss2-tcti-tabrmd0-2.4.0-150400.1.6.x86_64.rpm
├── libtss2-tctildr0-3.1.0-150400.1.6.x86_64.rpm
├── tpm2.0-abrmd-2.4.0-150400.1.6.x86_64.rpm
└── tpm2.0-tools-5.2-150400.4.6.x86_64.rpm

The packages are the packages required by tpm2.0-abrmd and tpm2.0-tools that are not already in the default initrd.

'early_setup' is the shell script taken from the original initrd (in the 'scripts' directory) with the following 3 lines added (see also the GitHub pull request in comment 2):

if [ -c /dev/tpm0 -a -x /usr/sbin/tpm2-abrmd ] ; then
  /usr/sbin/tpm2-abrmd --allow-root > /var/log/tpm.log 2>&1 &
fi

Then run

mksusecd --create new.iso \
  $(for i in gehc/* ; do echo "--initrd $i" ; done) \
  SLE-15-SP4-Full-x86_64-GM-Media1.iso
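
Added example, not part of the bug report or of installation-images: a pre-flight check for the overlay directory described in the comment above, to run before mksusecd. The function names are hypothetical; the package list is the SLE15-SP4-GA one from that comment, matched by name only, with versions not pinned.

```sh
#!/bin/sh
# Added example: sanity-check the overlay directory before building the ISO.
# Usage (assumed): sh preflight.sh gehc

# Package names as listed in the bug comment for SLE15-SP4-GA.
REQUIRED_PKGS="libefivar1 libgio-2_0-0 libglib-2_0-0 libgmodule-2_0-0
libgobject-2_0-0 libtss2-esys0 libtss2-fapi1 libtss2-mu0 libtss2-rc0
libtss2-sys1 libtss2-tcti-device0 libtss2-tcti-tabrmd0 libtss2-tctildr0
tpm2.0-abrmd tpm2.0-tools"

# Print the name of every required package with no matching RPM in $1.
missing_packages() {
    for pkg in $REQUIRED_PKGS; do
        found=no
        for f in "$1/$pkg"-[0-9]*.rpm; do
            if [ -f "$f" ]; then found=yes; fi
        done
        [ "$found" = yes ] || echo "$pkg"
    done
}

# Succeed only if the overlay's early_setup carries the TPM stanza:
# the /dev/tpm0 guard and the tpm2-abrmd start line.
early_setup_has_tpm() {
    script="$1/initrd/scripts/early_setup"
    [ -f "$script" ] || return 1
    grep -q -- '-c /dev/tpm0' "$script" &&
        grep -q -- 'tpm2-abrmd --allow-root' "$script"
}

# Run both checks, report every problem on stderr, return non-zero on any.
preflight() {
    rc=0
    early_setup_has_tpm "$1" ||
        { echo "early_setup lacks the tpm2-abrmd stanza" >&2; rc=1; }
    missing=$(missing_packages "$1")
    [ -z "$missing" ] ||
        { echo "missing packages:" $missing >&2; rc=1; }
    return $rc
}

# Only act when called with the overlay directory as the single argument.
if [ "$#" -eq 1 ]; then preflight "$1"; fi
```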
same for SLE15-SP6: https://github.com/openSUSE/installation-images/pull/675
Steffen, could you please take a look at this feedback from Jonathan Paulick at GEHC: I am having issues following the build instructions. I have tried both the instructions in Bugzilla and adapted our previous build instructions and am getting the same error. The error I am seeing is an Invalid Signature for /repodata/repomd.xml. Is there a specific sles version I should be using to build? (See attached screenshots.)
Created attachment 871072 [details] mksusecd screenshot
Created attachment 871073 [details] Invalid signature screenshot
Please use the insecure=1 boot option to get around the signature check. What I'm looking for here is feedback about the TPM support. This signature failure is unrelated to that.
In a video conference GEHC confirmed the current implementation is working for their purpose. Also, having the patch in SLE15-SP6 is sufficient. Backports to older SLE releases are not needed.