On Wed, Nov 27, 2019 at 02:56 PM, Diego Santa Cruz wrote:

Hello,

 

I need to use a TPM2 software stack for my project (tpm2-tools, tpm2-abrmd, tpm2-tss, etc.), where I am already using Yocto, meta-intel, meta-oe, meta-networking, etc.

 

I see there are at least the following three layers that carry the necessary TPM2 bits, with varying recipe versions.

• meta-tpm in meta-security repo (https://git.yoctoproject.org/cgit/cgit.cgi/meta-security/)
• meta-tpm2 in meta-secure-core repo (https://github.com/jiazhang0/meta-secure-core)
• meta-measured (https://github.com/flihp/meta-measured)

 

My current objective is to use the TPM2 as a security chip from our software (in the future we may extend its use to root fs encryption keys and the like). Are there any recommendations as to which of these layers would be more appropriate, is better maintained, etc.?

I've personally used the meta-tpm2 layer in meta-secure-core repo with good success on both Intel and ARM platforms with Infineon TPM chips.  In particular, I used the cryptfs-tpm2 and secure-core initramfs recipes from that layer for managing root fs encryption.  IIRC, this layer seemed to offer the best support for what we needed regarding TPM2 on Yocto 'Sumo' at the time.

I haven't really looked at the other layers recently so I can't give a comparison with those.  However, I did notice a significant amount of activity via the mailing list related to TPM2 support for the meta-security repo in recent weeks, so that's probably worth a look too.

 

 

BTW, the meta-tpm layer in meta-security repo is not listed in the OpenEmbedded Layer index, although meta-security itself and some of the other layers in that repo are listed. Is that because of a name clash with the ones under the meta-secure-core repo, which also carries layers named meta-tpm and meta-integrity?

 

Thanks,

 

Diego

--
Diego Santa Cruz, PhD
Technology Architect
spinetix.com