Closed BeataZdunczyk closed 1 year ago
@krystian-hebel wrote:
@SergiiDmytruk > Binaries were there, but running them failed due to lack of TCTI implementations (e.g., libtss2-tcti-swtpm.so) from tpm2-tss. These are looked up at runtime, so dracut doesn’t add them automatically.
Yeah, the way these are loaded is so unusual that gdb segfaults when trying to debug anything…
@SergiiDmytruk > Listing libraries for dracut made tpm2_pcrread work in initrd. tss2_pcrread doesn’t work without config and I guess maybe we don’t need tss2* at all, they are both provided by tpm2-tools hence I’ve added both.
I’ve played with minimizing tpm2-tools for one of the earlier phases, I think this is (or at least was back then) the minimum set of libraries required to launch tpm2_pcrread: https://boot.3mdeb.com/tb/test_initramfs.cpio. We don’t need tss2 tools, but some of libtss is required.
Yes, I dropped tss2* binaries later.
tpm2-abrmd is also a dependency. The issue is that its version in Fedora32 is too old to work with Qubes's tpm2-tss package (wants libtpm2-tss_sys.so.0), so a new Qubes component seems necessary. I've made one locally which seems to work, but upstream will need to create a repository for it. @marmarek, maybe you know another way or can confirm the need for a new component.
It is okay to focus on Qubes OS 4.2, so F37 in dom0. We can consider backporting to R4.1 (and adding that package in the process) later, if a) R4.1 would still be supported at that time and b) changes are not too disruptive to qualify for stable backport (which is rather unlikely).
Looks like dbus isn't optional for tpm2-abrmd and it will have to be added to initramfs. Tried with dbus-broker as a simpler version, but it didn't work.
On Qubes 4.2 custom package for tpm2-abrmd isn't necessary, but it doesn't mean that it works in initramfs...
mkdir -p /run/dbus
dbus-daemon --system
tpm2-abrmd --allow-root &
works, but systemctl start tpm2-abrmd doesn't and gives no information as to why, just hangs until a timeout.
Hate systemd. After finding out how to debug it, turned out that default dependencies caused a deadlock. Plus tpm2-abrmd needs to depend on dbus to be ordered before it. And dbus needs to be added to initramfs. With these changes tpm2-abrmd seems to start fine in aem-unseal and continues to work in aem-seal. Will send a PR after cleaning up changes and verifying how well they work.
@marmarek Looks like qubes-tpm2-abrmd is needed for 4.2 as well only to edit tpm2-abrmd.service file to allow running it during boot process, unless there is a better way of doing it (providing a separate service-file probably isn't a good idea, same for editing it in place by the scripts).
Can't the service file be modified with a drop-in file? This mechanism is quite flexible, including the possibility to adjust/override dependencies, ordering, Exec lines etc.
You're right, that seems to be enough. Thanks.
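A systemd drop-in of the kind suggested above, written here as an added illustration (it is not the file from the PR); the drop-in path and the use of dbus.service as the system bus unit name are assumptions.

```ini
# Assumed drop-in location: /usr/lib/systemd/system/tpm2-abrmd.service.d/10-initramfs.conf
# Only the keys listed here are overridden; everything else still comes from
# the distribution's unmodified tpm2-abrmd.service, so no copy of it is shipped.
[Unit]
# The hang reported above was traced to systemd's implicit default
# dependencies (ordering after sysinit.target/basic.target), which cannot be
# satisfied that early in the initramfs; opt out and declare the real ones.
DefaultDependencies=no
# The broker registers on the system bus, so the bus must be running before
# it and must be pulled in as a hard dependency (dbus.service is assumed to
# be the unit name; dbus-daemon was what worked in the thread, not dbus-broker).
Requires=dbus.service
After=dbus.service
```

The drop-in only takes effect if both it and the dbus unit are actually included in the initramfs image, which is the separate dracut change discussed above.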
Dedicated PR: https://github.com/QubesOS/qubes-antievilmaid/pull/46
The PR mentioned above was merged 2 days ago.
Is your feature request related to a problem? Please describe.
Currently, Qubes OS AEM does not have support for TPM 2.0. This task is required to integrate the TPM 2.0 software stack into Qubes OS Dom0 to support TPM 2.0.
Is your feature request related to a new idea or technology that would benefit the project? Please describe.
This issue is required to add TPM 2.0 support on Intel hardware in Qubes OS AEM.
Describe the solution you'd like
Integrate the TPM 2.0 software stack into Qubes OS Dom0.
Describe alternatives you've considered
N/A
Additional context
This feature request is part of Phase 2 in TrenchBoot as Anti Evil Maid project, as outlined in the documentation: https://docs.dasharo.com/projects/trenchboot-aem-v2/.
Relevant documentation you've consulted
N/A