Hello,

On 2023-07-13 23:10, jflf_ker...@gmx.com wrote:
> Package: src:linux
> Version: 6.1.20-2~bpo11+1
> Severity: normal
> X-Debbugs-Cc: jflf_ker...@gmx.com
>
> Dear Maintainer,
>
> Currently no Debian kernel enables support for TPM hardware RNG. On one of my
> systems:
>
> $ uname -a
> Linux XXX 6.1.0-0.deb11.7-amd64 #1 SMP PREEMPT_DYNAMIC Debian
> 6.1.20-2~bpo11+1 (2023-04-23) x86_64 GNU/Linux
>
> $ cat /sys/class/tpm/tpm0/device/description
> TPM 2.0 Device
>
> $ ls /dev/tpm*
> /dev/tpm0 /dev/tpmrm0
>
> $ sudo tpm2_getrandom 16 | xxd -p
> 7ba65632453b191385a3989485ac80a3
>
> $ grep HW_RANDOM_TPM /boot/config-$(uname -r)
> <nothing>
>
> $ find /lib/modules/$(uname -r) -iname \*tpm\*rng\*
> <nothing again>
>
> $ ls /dev/hwrng
> ls: cannot access '/dev/hwrng': No such file or directory
>
>
> I have checked the current bookworm and trixie kernel debs, and they don't
> include it either. It should be enabled there too.
>
> I manage multiple older amd64 machines that have discrete TPM chips, but no
> RDRAND instruction or any other hardware RNG. Enabling support for the TPM RNG
> would provide the kernel with additional entropy earlier in the boot process.
Indeed, this regression compared to the kernel provided in bullseye is due to a configuration issue.

For HW_RANDOM_TPM to be enabled, the TCG_TPM and HW_RANDOM config symbols are required, but there is a subtlety in the way they have to be built: if TCG_TPM is built-in, then HW_RANDOM must not be loadable (built as a module).

If we take a look at the kernel configuration files prior to being constructed, we can see that both the TCG_TPM and HW_RANDOM config symbols should be built as modules:

$ grep -Er "TCG_TPM|HW_RANDOM="
arm64/config:CONFIG_TCG_TPM=m
kernelarch-x86/config:CONFIG_TCG_TPM=m
config:CONFIG_HW_RANDOM=m
config.cloud:CONFIG_TCG_TPM=m

However, after these files have been constructed, the TCG_TPM config symbol is no longer provided as a module but built-in:

$ grep TCG_TPM /boot/config-6.3.0-1-amd64
CONFIG_TCG_TPM=y

This change is what causes HW_RANDOM_TPM to be disabled and is probably due to [1].

Ben, Salvatore, to fix this regression we should either force TCG_TPM to be built as a module or make HW_RANDOM built-in. The second solution has my preference, WDYT?

Cheers,
Vincent

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=644f17412f5acf01a19af9d04a921937a2bc86c6
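As an added check, not part of the bug thread or of Debian's kernel packaging, the following POSIX shell script applies the dependency rule described above (TCG_TPM and HW_RANDOM both set, and a built-in TCG_TPM not paired with a modular HW_RANDOM) to a kernel config file. The exact rule is my reading of the message, and the sample config files are constructed for the demonstration.

```shell
#!/bin/sh
# Check whether a kernel config can have HW_RANDOM_TPM enabled.
# Rule (assumed from the discussion above): TCG_TPM and HW_RANDOM must
# both be set, and TCG_TPM=y together with HW_RANDOM=m is not allowed.

# config_value FILE SYMBOL -> prints y, m, or n (absent / "is not set" -> n)
config_value() {
    v=$(grep -E "^CONFIG_$2=" "$1" | tail -n 1 | cut -d= -f2)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'n\n'; fi
}

# tpm_rng_check FILE -> exit 0 if HW_RANDOM_TPM can be enabled, 1 otherwise
tpm_rng_check() {
    tpm=$(config_value "$1" TCG_TPM)
    hwr=$(config_value "$1" HW_RANDOM)
    printf '%s: TCG_TPM=%s HW_RANDOM=%s -> ' "$1" "$tpm" "$hwr"
    if [ "$tpm" = n ] || [ "$hwr" = n ]; then
        echo "HW_RANDOM_TPM unavailable (missing dependency)"
        return 1
    fi
    if [ "$tpm" = y ] && [ "$hwr" = m ]; then
        echo "HW_RANDOM_TPM unavailable (built-in TPM core, modular hwrng)"
        return 1
    fi
    echo "HW_RANDOM_TPM can be enabled"
    return 0
}

# Constructed sample configs: the pre-construction layout (both modular),
# the layout observed in /boot/config-6.3.0-1-amd64 (TCG_TPM forced to y
# while HW_RANDOM stays m), and the proposed fix (HW_RANDOM built-in).
tmp=$(mktemp -d)
printf 'CONFIG_TCG_TPM=m\nCONFIG_HW_RANDOM=m\n' > "$tmp/config.modular"
printf 'CONFIG_TCG_TPM=y\nCONFIG_HW_RANDOM=m\n' > "$tmp/config.builtin"
printf 'CONFIG_TCG_TPM=y\nCONFIG_HW_RANDOM=y\n' > "$tmp/config.fixed"

for f in modular builtin fixed; do
    tpm_rng_check "$tmp/config.$f" || :
done
```

On a running system, pass /boot/config-$(uname -r) to tpm_rng_check to see which of the two conditions the installed kernel fails.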