
Bug#1041007: linux-image-6.1.0-0.deb11.7-amd64: Please enable TPM hardware RNG support (CONFIG_HW_RANDOM_TPM)


jflf_...@gmx.com

Jul 13, 2023, 5:20:03 PM
Package: src:linux
Version: 6.1.20-2~bpo11+1
Severity: normal
X-Debbugs-Cc: jflf_...@gmx.com

Dear Maintainer,

Currently no Debian kernel enables support for TPM hardware RNG. On one of my
systems:

$ uname -a
Linux XXX 6.1.0-0.deb11.7-amd64 #1 SMP PREEMPT_DYNAMIC Debian
6.1.20-2~bpo11+1 (2023-04-23) x86_64 GNU/Linux

$ cat /sys/class/tpm/tpm0/device/description
TPM 2.0 Device

$ ls /dev/tpm*
/dev/tpm0 /dev/tpmrm0

$ sudo tpm2_getrandom 16 | xxd -p
7ba65632453b191385a3989485ac80a3

$ grep HW_RANDOM_TPM /boot/config-$(uname -r)
<nothing>

$ find /lib/modules/$(uname -r) -iname \*tpm\*rng\*
<nothing again>

$ ls /dev/hwrng
ls: cannot access '/dev/hwrng': No such file or directory


I have checked the current bookworm and trixie kernel debs, and they don't
include it either. It should be enabled there too.

I manage multiple older amd64 machines that have discrete TPM chips, but no
RDRAND instruction or any other hardware RNG. Enabling support for the TPM RNG
would provide the kernel with additional entropy earlier in the boot process.

Thank you very much!


-- Package-specific info:
** Version:
Linux version 6.1.0-0.deb11.7-amd64 (debian...@lists.debian.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP PREEMPT_DYNAMIC Debian 6.1.20-2~bpo11+1 (2023-04-23)

** Command line:
BOOT_IMAGE=/boot/vmlinuz-6.1.0-0.deb11.7-amd64 root=UUID=0c206836-a588-4a57-9c6d-92d3f3e20d01 ro quiet nmi_watchdog=0

** Tainted: PUOE (12353)
* proprietary module was loaded
* taint requested by userspace application
* externally-built ("out-of-tree") module was loaded
* unsigned module was loaded

** Kernel log:
Jul 13 07:19:40 silverpad kernel: ACPI: SSDT 0x00000000D7FFA000 0004B7 (v02 LENOVO Tpm2Tabl 00001000 INTL 20141107)
Jul 13 07:19:40 silverpad kernel: ACPI: TPM2 0x00000000D7FF8000 000034 (v03 LENOVO TP-R0C 00001370 PTEC 00000002)
Jul 13 07:19:40 silverpad kernel: ACPI: Reserving TPM2 table memory at [mem 0xd7ff8000-0xd7ff8033]

** Model information
sys_vendor: LENOVO
product_name: 20GJCTO1WW
product_version: ThinkPad 13
chassis_vendor: LENOVO
chassis_version: None
bios_vendor: LENOVO
bios_version: R0CET49W (1.37 )
board_vendor: LENOVO
board_name: 20GJCTO1WW
board_version: SDK0J40709 WIN

** Loaded modules:

-- System Information:
Debian Release: 11.7
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-0.deb11.7-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_USER, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages linux-image-6.1.0-0.deb11.7-amd64 depends on:
ii initramfs-tools [linux-initramfs-tool] 0.140
ii kmod 28-1
ii linux-base 4.6

Versions of packages linux-image-6.1.0-0.deb11.7-amd64 recommends:
ii apparmor 2.13.6-10
ii firmware-linux-free 20200122-1

Versions of packages linux-image-6.1.0-0.deb11.7-amd64 suggests:
pn debian-kernel-handbook <none>
ii grub-efi-amd64 2.06-3~deb11u5
pn linux-doc-6.1 <none>

Versions of packages linux-image-6.1.0-0.deb11.7-amd64 is related to:
pn firmware-amd-graphics <none>
pn firmware-atheros <none>
pn firmware-bnx2 <none>
pn firmware-bnx2x <none>
pn firmware-brcm80211 <none>
pn firmware-cavium <none>
pn firmware-intel-sound <none>
pn firmware-intelwimax <none>
pn firmware-ipw2x00 <none>
pn firmware-ivtv <none>
ii firmware-iwlwifi 20230210-4~bpo11+1
pn firmware-libertas <none>
pn firmware-linux-nonfree <none>
ii firmware-misc-nonfree 20230210-4~bpo11+1
pn firmware-myricom <none>
pn firmware-netxen <none>
pn firmware-qlogic <none>
ii firmware-realtek 20230210-4~bpo11+1
pn firmware-samsung <none>
pn firmware-siano <none>
pn firmware-ti-connectivity <none>
pn xen-hypervisor <none>

-- no debconf information

Vincent Blut

Jul 28, 2023, 6:40:04 PM
Hello,
Indeed, this regression compared to the kernel provided in bullseye is due to
a configuration issue.
For HW_RANDOM_TPM to be enabled, the TCG_TPM and HW_RANDOM config symbols are
required but there is a subtlety in the way they have to be built. If TCG_TPM
is built-in then HW_RANDOM must not be loadable (built as a module).

If we take a look at the kernel configuration files prior to being constructed, we
can see that both TCG_TPM and HW_RANDOM config symbols should be built as
modules:

$ grep -Er "TCG_TPM|HW_RANDOM="
arm64/config:CONFIG_TCG_TPM=m
kernelarch-x86/config:CONFIG_TCG_TPM=m
config:CONFIG_HW_RANDOM=m
config.cloud:CONFIG_TCG_TPM=m

However after these files have been constructed, the TCG_TPM config symbol is
no longer provided as module but built-in:

$ grep TCG_TPM /boot/config-6.3.0-1-amd64
CONFIG_TCG_TPM=y

This change is what causes HW_RANDOM_TPM to be disabled and is probably due to
[1].

Ben, Salvatore, to fix this regression we should either force TCG_TPM to be
built as a module or make HW_RANDOM built-in. The second solution has my
preference, WDYT?

Cheers,
Vincent

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=644f17412f5acf01a19af9d04a921937a2bc86c6
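
The dependency rule described in the message above, written as a check that can be pointed at any /boot/config-* file. This is an added example, not part of the original thread; the function names and status strings are made up here, and the sample configs are constructed from the values quoted in the thread.

```shell
#!/bin/sh
# Added example: classify a kernel config against the rule from the thread:
# HW_RANDOM_TPM needs TCG_TPM and HW_RANDOM, and is unavailable when
# TCG_TPM is built-in (=y) while HW_RANDOM is a module (=m).

# Print the value of CONFIG_<$2> in file $1, or "n" if unset or absent.
# "# CONFIG_FOO is not set" lines do not match and therefore yield "n".
cfg_value() {
    v=$(sed -n "s/^CONFIG_$2=\(.*\)$/\1/p" "$1" | tail -n 1)
    echo "${v:-n}"
}

# Print one of: enabled | missing-dependency | blocked-builtin-tpm | disabled
tpm_rng_status() {
    tpm=$(cfg_value "$1" TCG_TPM)
    hwrng=$(cfg_value "$1" HW_RANDOM)
    tpmrng=$(cfg_value "$1" HW_RANDOM_TPM)

    if [ "$tpmrng" = y ]; then
        echo enabled
    elif [ "$tpm" = n ] || [ "$hwrng" = n ]; then
        echo missing-dependency
    elif [ "$tpm" = y ] && [ "$hwrng" = m ]; then
        echo blocked-builtin-tpm    # the combination reported in this bug
    else
        echo disabled               # dependencies fine, symbol simply off
    fi
}

# Constructed sample configs: the regressed combination (TCG_TPM=y,
# HW_RANDOM=m) and the proposed fix (HW_RANDOM built-in).
demo() {
    d=$(mktemp -d)
    printf 'CONFIG_TCG_TPM=y\nCONFIG_HW_RANDOM=m\n' > "$d/regressed"
    printf 'CONFIG_TCG_TPM=y\nCONFIG_HW_RANDOM=y\nCONFIG_HW_RANDOM_TPM=y\n' > "$d/fixed"
    for f in regressed fixed; do
        echo "$f: $(tpm_rng_status "$d/$f")"
    done
    rm -rf "$d"
}

# With a readable config file as argument, classify it; otherwise run the demo.
if [ -r "${1:-}" ]; then tpm_rng_status "$1"; else demo; fi
```
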

Salvatore Bonaccorso

Jul 29, 2023, 8:40:04 AM
Hi Vincent,
I think the latter option sounds fine, do we have an idea what that
implies on sizes? If Ben agrees as well on the approach then please
make two merge requests and let's work it top-down, first have it
fixed in unstable, and have a corresponding MR on the bookworm branch
to have it included in the next bookworm point release.

Regards,
Salvatore

Björn Persson

Aug 15, 2023, 2:00:05 AM
Hello, has there been any progress with this?

I just spent several days investigating why my random number generator
disappeared. I'm now running Bookworm on a Bullseye kernel because of
this regression. That's not a good long-term solution.

Björn Persson

Vincent Blut

Aug 23, 2023, 2:30:03 PM
Hi Björn,

On 2023-08-15 07:49, Björn Persson wrote:
> Hello, has there been any progress with this?

I started working on this a few days ago. I’ll try to send a merge request
over the weekend.

> […]
>
> Björn Persson

Cheers,
Vincent

Debian Bug Tracking System

Sep 14, 2023, 1:10:04 AM
Your message dated Thu, 14 Sep 2023 05:00:10 +0000
with message-id <E1qgeSY-...@fasolo.debian.org>
and subject line Bug#1041007: fixed in linux 6.5.3-1
has caused the Debian Bug report #1041007,
regarding linux-image-6.1.0-0.deb11.7-amd64: Please enable TPM hardware RNG support (CONFIG_HW_RANDOM_TPM)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


--
1041007: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041007
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Debian Bug Tracking System

Sep 29, 2023, 5:00:17 AM
Your message dated Fri, 29 Sep 2023 08:50:03 +0000
with message-id <E1qm9CF-...@fasolo.debian.org>
and subject line Bug#1041007: fixed in linux 6.1.55-1