
spike: identify an ARM64 device that supports fTPM

Open mudler opened this issue 11 months ago • 14 comments

Is your feature request related to a problem? Please describe.
As part of https://github.com/kairos-io/kairos/issues/3094 we need to have access to an ARM-based device which supports fTPM.

Describe the solution you'd like
Identify a set of devices that the team can get their hands on easily.

Describe alternatives you've considered
Use emulation, but that is not real life.

Additional context

Jan 07 '25 10:01 mudler

I bought http://radxa.com/products/orion/o6/ which should be here by February or so. It should support fTPM out of the box, and key management as well.

Jan 07 '25 11:01 Itxaka

Seems RPI5 is not a good fit: https://trustedfirmware-a.readthedocs.io/en/v2.11/plat/rpi5.html

Jan 08 '25 08:01 mudler

I sent an email to Radxa to help us identify a suitable device.

Jan 08 '25 09:01 jimmykarily

Even something like https://system76.com/desktops/thelio-astra-a1-n1/configure, which is incredible, doesn't have fTPM and relies on an external plugged-in TPM device: https://www.newegg.com/asrock-rack-tpm-spi/p/N82E16816775069

Jan 08 '25 09:01 Itxaka

Wait, isn't fTPM from AMD? Do ARM boards also implement it? Or do they rely on a real TPM module like the one linked above? If it's the latter, maybe we could just get a board that has a TPM SPI header and add a TPM module and test with that?

Jan 08 '25 09:01 Itxaka

Seems like even the RPi can be used with a TPM module: https://buyzero.de/collections/andere-platinen/products/letstrust-hardware-tpm-trusted-platform-module

Jan 08 '25 09:01 Itxaka

We should definitely get one of these ^ to try it out. Nice finding @Itxaka.

Jan 08 '25 09:01 jimmykarily

Regarding the RPi 5, I tried various things to get it to work but to no avail. First I took all the dtb files from the upstream Raspberry Pi OS; this allowed me to get to the point where the u-boot logo is shown. But I couldn't get it any further than that. I even built a u-boot.bin from the master branch just in case they have some very recent patches, but it didn't work either.

I read here that it might work on openSUSE soon. On this page it says it needs kernel > 6.13 or patches, so maybe we need to wait a little bit longer (until 6.13 makes it here?).

Jan 13 '25 06:01 jimmykarily

Get a few of these: https://computeblade.com/ (dev and TPM versions have TPM 2.0)

Jan 13 '25 11:01 tbrasser

Radxa folks confirmed that the Orion 6 has full TrustZone and TPM support, so we will need to wait for it to be delivered to test it, but it sounds pretty good.

Jan 14 '25 08:01 Itxaka

Another candidate: https://www.ipi.wiki/products/ampere-altra-developer-platform?srsltid=AfmBOormblyiXGogITG2Y3md6UpTs68nEjjlivSU2NLepdcILU94nLvn (thanks @wrkode)

Jan 20 '25 15:01 jimmykarily

Orion arrived. Has Secureboot but no TPM. Pin pads are in there though so I need to buy one and solder it xD

Mar 18 '25 10:03 Itxaka

> Orion arrived. Has Secureboot but no TPM. Pin pads are in there though so I need to buy one and solder it xD

WAT!? :D

Mar 20 '25 06:03 jimmykarily

Moving this out of the release cycle - we have already spiked on it and we could not successfully find a device for testing so far. We will get back to this when we have more cycles to invest in it.

Apr 01 '25 07:04 mudler