[Buildroot] [PATCH v2 6/7] tpm2-tools: do not enforce dependency on tpm2-abrmd

Peter Korsgaard peter at korsgaard.com
Wed Jan 16 11:43:41 UTC 2019


>>>>> "Yann" == Yann E MORIN <yann.morin.1998 at free.fr> writes:

 > Peter, All,
 > On 2019-01-15 11:15 +0100, Peter Korsgaard spake thusly:
 >> tpm2-tools is commonly used with the resource manager, tpm2-abrmd - But it
 >> CAN be used without, E.G.  by setting the TPM2TOOLS_TCTI_NAME environment
 >> variable to communicate directly with the kernel driver:
 >> 
 >> export TPM2TOOLS_TCTI_NAME=device
 >> 
 >> For some use cases (E.G.  initramfs) it makes sense to use tpm2-tools
 >> without abrmd, so downgrade the dependency from select to imply, so abrmd is
 >> enabled by default but can be explicitly disabled.
 >> 
 >> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
 >> ---
 >> package/tpm2-tools/Config.in | 2 +-
 >> 1 file changed, 1 insertion(+), 1 deletion(-)
 >> 
 >> diff --git a/package/tpm2-tools/Config.in b/package/tpm2-tools/Config.in
 >> index cc87e2a1bf..f4622b4ec9 100644
 >> --- a/package/tpm2-tools/Config.in
 >> +++ b/package/tpm2-tools/Config.in
 >> @@ -8,7 +8,7 @@ config BR2_PACKAGE_TPM2_TOOLS
 >> select BR2_PACKAGE_LIBCURL
 >> select BR2_PACKAGE_LIBGLIB2
 >> select BR2_PACKAGE_OPENSSL
 >> -	select BR2_PACKAGE_TPM2_ABRMD # run-time
 >> +	imply BR2_PACKAGE_TPM2_ABRMD # run-time
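Review bot: the help text of BR2_PACKAGE_TPM2_TOOLS is not touched by this hunk, so once the dependency becomes an `imply` a user who disables tpm2-abrmd only learns from the runtime TABRMD TCTI error that TPM2TOOLS_TCTI_NAME=device (or --tcti) is required; suggest adding a line to the package help along the lines of "Without tpm2-abrmd, set TPM2TOOLS_TCTI_NAME=device to talk to the kernel driver directly" so the condition is discoverable from menuconfig. Also note that `imply`, unlike `select`, respects the implied symbol's own dependencies, so "enabled by default" in the commit message only holds when tpm2-abrmd's dependencies are already satisfiable in the configuration.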

 > Sorry, but I reiterate my position: I don't like the use of 'imply'.

 > Either the thing is mandatory, in which case we select it or depend on
 > it, or the thing is optional, in which case we let the user enable it.

I understand you don't like it, but what is the alternative? Just
mention the optional-but-likely-to-be-needed dependency in the help
text? That is IMHO worse than imply.

For this specific case, tpm2-tools fails with a somewhat confusing error
message if tpm2-abrmd isn't available unless a specific command line
option / environment variable is used:

# tpm2_pcrlist

** (process:8628): WARNING **: 11:38:39.606: Failed to create connection with service: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name com.intel.tss2.Tabrmd was not provided by any .service files
ERROR: Failed to initialize TABRMD TCTI context: 0xa0008

The solution is to set the TCTI name to device, either through the
TPM2TOOLS_TCTI_NAME environment variable or the --tcti option.

This is imho exactly the kind of use cases imply has been made for.


 > Use of imply does not sound nice to me, because it is not authoritative.
 > I'm afraid we get reports of users complaining that "sometimes the stuff
 > is enabled when I do X, while sometimes it is not enabled when I do the
 > same X."

Is that any different than changing toolchain options or toggling
BR2_PACKAGE_BUSYBOX_SHOW_OTHERS?


 > The counter argument has been that we were now trying to make sensible
 > choices for the user, so that things "work out of the box". My position
 > is that it is an illusion, because making things "just work" is more
 > often than not more involving than just enabling a package.

I agree that we probably cannot do this perfectly, but a solution for
E.G. 80% of the use cases is still an improvement, as long as the
remaining 20% can still change things.

 > For example, when dealing with TPM and such: keys and certs provisioning
 > and checking the chain of trust and such is only scratching the surface.
 > People that want to deal with this topic better know what they *are* doing,
 > as it is a sensible topic. Those people will have to understand what they
 > need if they do not already know.

Sure, but we can at least ensure that the tpm2-tools utilities do not fail
out of the box because of a missing obscure dependency and that fairly
common use cases are possible.

-- 
Bye, Peter Korsgaard
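The failure mode described above (tpm2-tools aborting with the TABRMD TCTI error when tpm2-abrmd is absent) can be handled on the image side by choosing the TCTI before invoking any tool. The following is an added example, not part of the patch or of Buildroot; it assumes the tpm2-tools 3.x TPM2TOOLS_TCTI_NAME / TPM2TOOLS_DEVICE_FILE interface, and the busctl probe of the com.intel.tss2.Tabrmd name is a heuristic, not something the thread specifies.

```shell
#!/bin/sh
# Choose a TCTI for tpm2-tools so that an image built without tpm2-abrmd
# does not hit "GDBus.Error ... ServiceUnknown" / "Failed to initialize
# TABRMD TCTI context".
#
# pick_tcti [ABRMD_UP] [DEVDIR]
#   ABRMD_UP  "yes" or "no"; defaults to probing the system bus (constructed
#             parameter so the logic can be exercised without a TPM)
#   DEVDIR    directory holding TPM device nodes, default /dev
# Prints the TCTI name and returns 0, or returns 1 if no transport is usable.
pick_tcti() {
    abrmd_up="${1:-$(abrmd_reachable)}"
    devdir="${2:-/dev}"

    # An explicit operator choice always wins.
    if [ -n "${TPM2TOOLS_TCTI_NAME:-}" ]; then
        printf '%s\n' "$TPM2TOOLS_TCTI_NAME"
        return 0
    fi
    # Resource manager present: keep the default transport.
    if [ "$abrmd_up" = yes ]; then
        printf '%s\n' tabrmd
        return 0
    fi
    # No abrmd: talk to the kernel driver directly, preferring the in-kernel
    # resource manager node (tpmrm0) when the kernel provides one.
    for node in tpmrm0 tpm0; do
        if [ -e "$devdir/$node" ]; then
            export TPM2TOOLS_DEVICE_FILE="$devdir/$node"
            printf '%s\n' device
            return 0
        fi
    done
    return 1
}

# Heuristic (assumption): abrmd is up if it owns com.intel.tss2.Tabrmd on the
# system bus. Prints "yes" or "no".
abrmd_reachable() {
    if command -v busctl >/dev/null 2>&1 &&
       busctl --system list 2>/dev/null | grep -q '^com\.intel\.tss2\.Tabrmd '; then
        echo yes
    else
        echo no
    fi
}

# Run any tpm2 tool through the chosen transport, e.g.: run_tpm2 tpm2_pcrlist
run_tpm2() {
    TPM2TOOLS_TCTI_NAME="$(pick_tcti)" || { echo "no usable TPM transport" >&2; return 1; }
    export TPM2TOOLS_TCTI_NAME
    "$@"
}
```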
