
Support TPM2 operations on scarthgap, add clevis to feeds, export OVMF Firmware. #957

Merged
chaitu236 merged 14 commits into ni:nilrt/master/scarthgap from amstewart:dev/scarthgap/clevis
Mar 26, 2026

Conversation

@amstewart
Contributor

@amstewart amstewart commented Mar 2, 2026

Summary of Changes

This PR backports commits from #977 to effectively add Clevis to scarthgap.

  1. Update the x64 NILRT kernel with config options to support TPM2 operations, including building in some modules that must be present during early boot (prior to dynamic module load) to capture EFI logs.
  2. Enable the kernel securityfs sysfs module, so that users can interrogate information about mounted TPMs. Update fstab to mount the securityfs at /sys/kernel/security (the usual place).
  3. Add tpm2 to the x64 MACHINE_FEATURES, so that supporting recipes will know to build with that support included. See OE-core #190.
  4. Add recipes for jose and luksmeta and clevis. The former are dependencies and the latter is a utility to write PCR policies to TPMs. Some NILRT users have had good luck using clevis to implement their own version of measured boot on custom designs.
  5. Add clevis to the core feeds. We do not directly use it in the scarthgap mainline, but it should be available to users.
  6. Add TPM support to GRUB and set the config value to measure boot components, if a TPM is available on the hardware.

Justification

Some NILRT users have used clevis to implement their own form of measured boot. Though we do not intend to officially support that design on the scarthgap mainline, we can at least add official builds of the tools to enable expert customers.

Testing

  • I have built the core package feed with this PR in place. (bitbake packagefeed-ni-core)
  • I have built a NILRT QEMU VM with these changes and validated that TPM2 interaction and the securityfs seem to work with and without an attached TPM2.
  • Verified that you can install clevis and call it.

Testing on VM w/ TPM

(safemode) admin@NI-cRIO-903x-VM-cd57952b:/# ls /dev/tpm*
/dev/tpm0  /dev/tpmrm0
(safemode) admin@NI-cRIO-903x-VM-cd57952b:~# tpm2
Display all 103 possibilities? (y or n)
(safemode) admin@NI-cRIO-903x-VM-cd57952b:~# tpm2_pcrread
  sha1:
  sha256:
    0 : 0xBAB138F346E11554A671D9BE3939F39C3F377428F6A1B046925BD16EAB336DE0
    1 : 0x81C5E7CFA81DE84B26AEA0446406F59D78C00D9A443324B0EC7D7884EEF63547
    2 : 0xCAF7EA11AA9219EBA151DB64C6DCDF9DEA273660E69D1095A6156B0287A4AE6D
    3 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
    4 : 0xAE4D66066B03BD1E48C733C67438E6D294424A64DD620C9F913251C5EB2951D2
    5 : 0xF75B54B617CA998870D2146070636AD3B6C725F3CF7D7B30D518EDFC57559418
    6 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
    7 : 0xB5710BF57D25623E4019027DA116821FA99F5C81E9E38B87671CC574F9281439
    8 : 0xD37DA0A49F7E32E263A683A46B30714236199C2F088A55D2B08D2AB404C87338
    9 : 0x2C08FA1CA28D0615446568E74F34565DA88F5E8FAFED7C5A54AF61781D489CC1
    10: 0x0000000000000000000000000000000000000000000000000000000000000000
    11: 0x0000000000000000000000000000000000000000000000000000000000000000
    12: 0x0000000000000000000000000000000000000000000000000000000000000000
    13: 0x0000000000000000000000000000000000000000000000000000000000000000
    14: 0x0000000000000000000000000000000000000000000000000000000000000000
    15: 0x0000000000000000000000000000000000000000000000000000000000000000
    16: 0x0000000000000000000000000000000000000000000000000000000000000000
    17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    23: 0x0000000000000000000000000000000000000000000000000000000000000000
  sha384:
  sha512:
(safemode) admin@NI-cRIO-903x-VM-cd57952b:/# ls /sys/kernel/security/tpm0
binary_bios_measurements
(safemode) admin@NI-cRIO-903x-VM-c31859e4:~# opkg install --noaction --no-install-recommends clevis
Installing libjansson4 (2.14) on root
Installing libonig5 (6.9.9) on root
Installing pcsc-lite (2.0.3) on root
Installing libpcsclite1 (2.0.3) on root
Installing cpio (2.15) on root
Installing ldd (2.39+git95+ce65d944e3) on root
Installing jose (14) on root
Installing jq (1.7.1) on root
Installing opensc (0.25.1) on root
Installing dracut (056) on root
Installing clevis (21) on root
(safemode) admin@NI-cRIO-903x-VM-c31859e4:~# opkg install  --no-install-recommends clevis
<snip>
(safemode) admin@NI-cRIO-903x-VM-cd57952b:~# clevis -h
Usage: clevis COMMAND [OPTIONS]

  clevis decrypt                     Decrypts using the policy defined at encryption time
  clevis encrypt pkcs11              Encrypts using a PKCS#11 token
  clevis encrypt sss                 Encrypts using a Shamir's Secret Sharing policy
  clevis luks bind                   Binds a LUKS device using the specified policy
  clevis luks edit                   Edit a binding from a clevis-bound slot in a LUKS device
  clevis luks list                   Lists pins bound to a LUKSv1 or LUKSv2 device
  clevis luks pass                   Returns the LUKS passphrase used for binding a particular slot.
  clevis luks regen                  Regenerate clevis binding
  clevis luks report                 Report tang keys' rotations
  clevis luks unbind                 Unbinds a pin bound to a LUKS volume
  clevis luks unlock                 Unlocks a LUKS volume

Testing on VM w/o TPM

(safemode) admin@NI-cRIO-903x-VM-3656e819:~# ls /dev/tpm*
ls: cannot access '/dev/tpm*': No such file or directory
(safemode) admin@NI-cRIO-903x-VM-3656e819:~# tpm2_pcrread
ERROR:tcti:/usr/src/debug/tpm2-tss/4.0.2/src/tss2-tcti/tcti-device.c:454:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory 
ERROR:tcti:/usr/src/debug/tpm2-tss/4.0.2/src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:/usr/src/debug/tpm2-tss/4.0.2/src/tss2-tcti/tcti-device.c:454:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: No such file or directory 
ERROR:tcti:/usr/src/debug/tpm2-tss/4.0.2/src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
WARNING:tcti:/usr/src/debug/tpm2-tss/4.0.2/src/util/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused 
ERROR:tcti:/usr/src/debug/tpm2-tss/4.0.2/src/tss2-tcti/tcti-swtpm.c:613:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket 
ERROR:tcti:/usr/src/debug/tpm2-tss/4.0.2/src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 
ERROR:tcti:/usr/src/debug/tpm2-tss/4.0.2/src/tss2-tcti/tctildr-dl.c:269:tctildr_get_default() No standard TCTI could be loaded 
ERROR:tcti:/usr/src/debug/tpm2-tss/4.0.2/src/tss2-tcti/tctildr.c:430:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI 
ERROR: Could not load tcti, got: "(null)"
(safemode) admin@NI-cRIO-903x-VM-3656e819:~# ls /sys/kernel/security/
integrity/  lsm

Procedure

@amstewart amstewart modified the milestones: scarthgap, next Mar 2, 2026
@amstewart amstewart marked this pull request as ready for review March 3, 2026 16:19
@amstewart amstewart requested review from a team and chaitu236 March 3, 2026 16:20
@amstewart amstewart force-pushed the dev/scarthgap/clevis branch from 8cded94 to e0592b8 Compare March 3, 2026 16:42
usercw88 and others added 12 commits March 25, 2026 14:37
Signed-off-by: Can Wong <can.wong@emerson.com>
PXIs and other x86_64 devices may be populated with TPM2 compatible
TPMs. Add 'tpm2' to the MACHINE_FEATURES so that recipes which use that
value to determine configured functionality are aware.

Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
Syntax and styling changes to the file. Clean up and sort GRUB_BUILDIN.
Expand grub-mkimage arguments for clarity.

No intentional functional changes.

Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
Build in the 'tpm' module so that our GRUB config can use the TPM to
store measured bootloader component hashes.

Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
The grub-efi recipe compiles just fine without warning suppression, so
remove this workaround.

Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
Direct GRUB to measure the kernel boot stages and record them to PCR
registers 8 and 9 by setting the `measure_on` setting.

Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
The JOSE (Javascript Object Signing and Encryption) library is used by
Clevis as a data serialization format. It is maintained by LatchSet, the
same organization that maintains Clevis.

Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
The luksmeta library provides utilities for interacting with LUKSv1
headers. It is used by Clevis when building with luks support. It is
maintained by LatchSet - the same organization which owns Clevis.

Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
Clevis is a pluggable framework for automated decryption. It can be used
to provide automated decryption of data or even automated unlocking of
LUKS volumes.

Add a recipe for it at the latest release (v21) for use by NILRT
measured boot, to store LUKS decryption keys in the TPM.

Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
Add the Clevis utility to NILRT x64, for use in measured boot (disk
encryption) workflows.

Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
The securityfs is a kernel virtual filesystem that provides access to
security devices like TPMs. Mount it to the sysfs so that it can be used
to read TPM events.

Signed-off-by: Alex Stewart <alex.stewart@emerson.com>
Signed-off-by: Alex Stewart <alex.stewart@ni.com>
@amstewart amstewart force-pushed the dev/scarthgap/clevis branch from e0592b8 to ec75556 Compare March 25, 2026 19:57
@amstewart
Contributor Author

Patch v2

  1. Refreshed this PR with commits from PR [next] Implement foundational changes for NILRT Device Encryption #977 to effect the same goal. I did not rebase the OVMF commits from the previous version, as they were only needed for a new type of nilrt.git VM creation script that I do not intend to backport to scarthgap.
  2. Implemented feedback.

Contributor

@chaitu236 chaitu236 left a comment


Did we test the desirable pkggrp builds?

The dracut dependency gives clevis an overall dependency on a large
number of kernel module packages, so that it can include them in
initramfses. We don't use dracut or a mutable initramfs on NILRT, so
these are unnecessary dependencies.

Remove the dracut PACKAGECONFIG.

Signed-off-by: Alex Stewart <alex.stewart@ni.com>
Signed-off-by: Alex Stewart <alex.stewart@ni.com>
@amstewart
Contributor Author

amstewart commented Mar 26, 2026

Patch v3

  • Removed dracut from Clevis PACKAGECONFIG. It added many kernel module dependencies to the clevis install that will never be used, since we don't have a mutable initramfs anyway. It was always optional.
  • Removed kconfig overrides applied in extra_x64.cfg in the kernel recipe, which were overriding builtin kconfigs from the nati defconfig.

Testing

  • Revalidation complete. Confirmed on a QEMU VM+TPM2 that the TPM2 is enumerated, the securityfs captures early boot measurements, grub measures elements into the PCR registers, and that the user can install packagegroup-ni-tpm - containing tpm2_tools and clevis - and that they all seem to work.
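As an added, self-contained example (not code from this PR or from NILRT), here is the consistency check a verifier would run over what the revalidation above describes: replay a measurement log into the SHA-256 bank using the reset values visible in the tpm2_pcrread output from the description (all-zero for PCRs 0-16 and 23, all-0xFF for the DRTM PCRs 17-22), parse tpm2_pcrread text, and flag any PCR whose reported value disagrees with the replay. The sample events are constructed (GRUB command lines into PCR 8, a kernel image digest into PCR 9, the registers the measure_on commit names); a real check would take the events from /sys/kernel/security/tpm0/binary_bios_measurements.

```python
import hashlib
import re

# SHA-256 bank reset values, matching the tpm2_pcrread output quoted above:
# PCRs 0-16 and 23 start all-zero, the DRTM PCRs 17-22 start all-0xFF.
def initial_pcr(index: int) -> bytes:
    return b"\xff" * 32 if 17 <= index <= 22 else b"\x00" * 32

def extend(current: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend on the SHA-256 bank: new = SHA256(old || digest)."""
    return hashlib.sha256(current + digest).digest()

def replay(events) -> dict:
    """Replay (pcr_index, sha256_digest) events in log order; return final values."""
    pcrs = {}
    for index, digest in events:
        pcrs[index] = extend(pcrs.get(index, initial_pcr(index)), digest)
    return pcrs

PCR_LINE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]{64})\s*$")
def parse_pcrread_sha256(text: str) -> dict:
    """Pull the 'sha256:' bank out of tpm2_pcrread text; other banks are skipped."""
    bank, values = None, {}
    for line in text.splitlines():
        m = PCR_LINE.match(line)
        if m and bank == "sha256":
            values[int(m.group(1))] = bytes.fromhex(m.group(2))
        elif not m and line.strip().endswith(":"):
            bank = line.strip()[:-1]
    return values

def mismatched_pcrs(events, pcrread_text: str) -> set:
    """Indices whose replayed value differs from, or is missing in, the TPM's report."""
    expected = replay(events)
    reported = parse_pcrread_sha256(pcrread_text)
    return {i for i, v in expected.items() if reported.get(i) != v}

# Constructed sample log (hypothetical digests): GRUB command lines measured into
# PCR 8 and a kernel image digest into PCR 9, the registers named in the PR above.
SAMPLE_EVENTS = [
    (8, hashlib.sha256(b"linux /boot/bzImage root=/dev/sda2 ro").digest()),
    (8, hashlib.sha256(b"initrd /boot/initramfs").digest()),
    (9, hashlib.sha256(b"constructed-kernel-image-bytes").digest()),
]

def fake_pcrread(pcrs: dict) -> str:
    """Render PCR values in tpm2_pcrread's text layout (constructed, for the demo)."""
    rows = [f"    {i:<2}: 0x{v.hex().upper()}" for i, v in sorted(pcrs.items())]
    return "\n".join(["  sha1:", "  sha256:", *rows, "  sha384:", "  sha512:"])
```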

@amstewart amstewart requested a review from chaitu236 March 26, 2026 20:33
@amstewart
Contributor Author

Extended Validation. Reconfirmed that setting measure_on=true in the grub config does not error or warn on systems that do not have a TPM.

@chaitu236 chaitu236 merged commit 433d60c into ni:nilrt/master/scarthgap Mar 26, 2026
@amstewart amstewart deleted the dev/scarthgap/clevis branch March 26, 2026 21:13
@chaitu236
Contributor

Cherry-picked all commits to nilrt/26.3/scarthgap
