TPM implementation

Hi, I've just taken a new device with hardware TPM support but I can't get it to work. It seems not to be detected even by OpenWRT, has anyone had experience with TPM on OpenWRT?

@Peppe2201, welcome to the community!

Have you installed kmod-tpm and related software for your TPM?

Not yet, after doing it what should I do?

I don't know what you should do. You haven't explained your use case for a TPM on a router.

If you installed the drivers though, the device should be enumerated in the OS then.

I'm having kernel issues:

satisfy_dependencies_for: Cannot satisfy the following dependencies for kmod-tpm:
 * kernel (= 4.14.123-1-2895a7d269c329f772135fce1adf4f29)
 * opkg_install_cmd: Cannot install package kmod-tpm.

Can you post the info from these commands:

opkg update ; opkg info kernel ; opkg info kmod-tpm ; cat /etc/os-release | grep RELEASE

I've forced the installation of the module.

Downloading http://gra.mirror.cyberbits.eu/openwrt/snapshots/packages/x86_64/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_luci
Downloading http://gra.mirror.cyberbits.eu/openwrt/snapshots/packages/x86_64/luci/Packages.sig
Signature check passed.
Downloading http://gra.mirror.cyberbits.eu/openwrt/snapshots/packages/x86_64/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_packages
Downloading http://gra.mirror.cyberbits.eu/openwrt/snapshots/packages/x86_64/packages/Packages.sig
Signature check passed.
Downloading http://gra.mirror.cyberbits.eu/openwrt/snapshots/packages/x86_64/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_base
Downloading http://gra.mirror.cyberbits.eu/openwrt/snapshots/packages/x86_64/base/Packages.sig
Signature check passed.
Downloading http://gra.mirror.cyberbits.eu/openwrt/snapshots/packages/x86_64/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_routing
Downloading http://gra.mirror.cyberbits.eu/openwrt/snapshots/packages/x86_64/routing/Packages.sig
Signature check passed.
Downloading http://gra.mirror.cyberbits.eu/openwrt/snapshots/packages/x86_64/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Downloading http://gra.mirror.cyberbits.eu/openwrt/snapshots/packages/x86_64/telephony/Packages.sig
Signature check passed.
Downloading http://openmptcprouter.com:80/release/targets/x86/64/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openmptcprouter_core
Downloading http://openmptcprouter.com:80/release/targets/x86/64/packages/Packages.sig
Signature check passed.
Downloading http://openmptcprouter.com:80/release/packages/x86_64/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openmptcprouter_base
Downloading http://openmptcprouter.com:80/release/packages/x86_64/base/Packages.sig
Signature check passed.
Downloading http://openmptcprouter.com:80/release/packages/x86_64/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openmptcprouter_luci
Downloading http://openmptcprouter.com:80/release/packages/x86_64/luci/Packages.sig
Signature check passed.
Downloading http://openmptcprouter.com:80/release/packages/x86_64/openmptcprouter/Packages.gz
Updated list of available packages in /var/opkg-lists/openmptcprouter_openmptcprouter
Downloading http://openmptcprouter.com:80/release/packages/x86_64/openmptcprouter/Packages.sig
Signature check passed.
Downloading http://openmptcprouter.com:80/release/packages/x86_64/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openmptcprouter_packages
Downloading http://openmptcprouter.com:80/release/packages/x86_64/packages/Packages.sig
Signature check passed.

Package: kernel
Version: 4.14.115-1-c1a87074d3d1a3df6fffb66234f48d56
Depends: libc
Status: install user installed
Architecture: x86_64
Installed-Time: 1557139381

Package: kmod-tpm
Version: 4.14.123-1
Depends: kernel (= 4.14.123-1-2895a7d269c329f772135fce1adf4f29)
Status: install user installed
Section: kernel
Architecture: x86_64
Size: 23302
Filename: kmod-tpm_4.14.123-1_x86_64.ipk
Description: This enables TPM Hardware Support.
Installed-Time: 1559819625

LEDE_RELEASE="openmptcprouter v0.49.6 r0+9945-bc85640cdc"

If you're using snapshot instead of release you need to install any packages you require soon after.

If you wait too long the snapshot is rebuilt and the new packages will not install.

You need to upgrade to the current snapshot and then install all the required packages promptly.

How can I check it? I'm using a custom fork of OpenWRT at the moment (OpenMPTCProuter).

This is not an official OpenWrt repository. The error you're referring to might be caused by another issue with openmtp's builds.

Can you try OpenWrt?

I've upgraded to kernel 4.19 and used a PC with TPM on it, installed kmod-tpm and kmod-tpm-tis; I think the module is loaded:

root@router:~# ls -l /dev/tpm*
crw-------    1 root     root       10, 224 Jul 24 08:13 /dev/tpm0

What do I have to do now?

That really depends on why you need to use a TPM on a router:

Can you explain your use case for a TPM on a router?

I'm trying to fully encrypt the disk and auto-decrypt it on startup.

:confused:

  • What does that have to do with a TPM (or rather, how do you plan to use a TPM to accomplish this)?
  • What make/model device do you have?
  • If you "fully encrypt" a disk, how does it decrypt itself (are you referring to the bootloader)?
  • If the device runs decrypted after boot, what prevents a malicious person from simply... powering on the device to get the data?
  • Is this OpenWrt related?
  • Have you installed OpenWrt?

If not, you should probably go here:

Yikes! You are correct but, pretty please, turn down your volume one or two notches. You are almost distorting. :wink:

I can see one point in doing that, edge case as it may be: connecting an external disk to your device and having the device itself bolted down in such a way that a casual burglar won't bother with the (seemingly inexpensive) device and at most take the disk itself.

(Edit, for full disclosure: I have done that at some time in my not too glorious past. I have since moved from automatic decryption to decrypting after startup.)


I can never get my words above 0db when I read them...and never learned that bolding or capitalizing meant specific things except in context, so apologies to the OP if they were offended.

Nonetheless, I'm highlighting that access is available once the device is on/booted...that immediately defeats the effort placed into the encryption. Your "edge case" is a good idea...being a router, it still didn't cross my mind as a safe idea, though.

The larger the standing data, the safer this becomes, on a curve that the malicious person has time to remove the drive, or re-route the data. Having access to the powered-on router allows for that as well.

The OP would need to better describe what they want (and when in the boot process) to be able to elaborate on what one would need to perform that.

(Post edited per @takimata and @tmomas recommendations. Thank you for the insights.)

Oh, I wholeheartedly agree. I think at this point the OP should again chime in and actually state what his devices and "security concept" are. It's such a broad topic otherwise that we could go on speculating amongst us for the next two weeks.


Just my $0.02: Others (including me) can.
Feel free to open a public or private discussion about bold/capslock, in order not to disturb this topic here too much. Thanks!


I want to use the TPM to have a secure way to store the key for decryption. I've watched some LUKS scripts for auto decryption at boot time. In this case I want to protect the router to prevent a malicious person from stealing the hard drive and editing settings on it.

How did you move from automatic decryption to decrypting after startup?