Message ID | 20200125001510.708149-1-maurosr@linux.vnet.ibm.com
---|---
Series | libstb: Advance TSS and mbedtls infrastructure.
On Fri, Jan 24, 2020, at 4:14 PM, Mauro S. M. Rodrigues wrote:
> The previous TSS infrastructure code in skiboot, although correct, was only
> enough for some fundamental TCG software stack operations, like PCR extend and
> eventlog, and other TSB work like secvar requires broader infrastructure.
>
> In patches 6 to 14 we introduced and switched to a complete TSS implementation,
> supporting the previously existent operations, like PCR Extend, PCR Read and
> EventLog for measurement, and including a new set of basic operations, until
> we're able to remove the old implementation at patch 15.
>
> For mbedtls it's a similar tale: additional support is necessary, like x509, and
> such things are too tight to their original code base, which makes it too
> complicated to cherry-pick specific bits, and even harder to keep track of the
> security aspects of it, like backporting security fixes, so it was decided to
> bring the full implementation here.
>
> This patch series introduces both TSS and mbedtls as subtrees, which diminishes
> the maintenance burden at the skiboot side since we can now rely on external
> implementations of TSS and tls.
>
> Note: Right now the following patch:
>
> [PATCH 06/15] Squashed 'libstb/tss2/ibmtpm20tss/' content from commit
>
> creates a subtree based on a non-official tree (at
> https://github.com/maurorodrigues/ibmtpm20tss branch maurosr/v4-tss-skiboot),
> containing additional patches to support the eventlog implementation, which are
> currently under review to be merged in the official tree at
> https://git.code.sf.net/p/ibmtpm20tss/tss. We plan to tie this subtree to the
> official tree, but for review purposes we can use the temporary non-official
> tree mentioned.

SF is a bit of a red flag.

Possibly a good idea to mirror it at github.com/open-power/ so no matter what happens with upstream there's a copy.

> For the mbedtls subtree the following git repository was used:
> https://github.com/ARMmbed/mbedtls tag: mbedtls-2.16.2

Probably also a good idea to have an open-power mirror.
On Sat, Jan 25, 2020 at 07:18:41PM -0800, Stewart Smith wrote:
> On Fri, Jan 24, 2020, at 4:14 PM, Mauro S. M. Rodrigues wrote:
> > The previous TSS infrastructure code in skiboot, although correct, was only
> > enough for some fundamental TCG software stack operations, like PCR extend and
> > eventlog, and other TSB work like secvar requires broader infrastructure.
> >
> > In patches 6 to 14 we introduced and switched to a complete TSS implementation,
> > supporting the previously existent operations, like PCR Extend, PCR Read and
> > EventLog for measurement, and including a new set of basic operations, until
> > we're able to remove the old implementation at patch 15.
> >
> > For mbedtls it's a similar tale: additional support is necessary, like x509, and
> > such things are too tight to their original code base, which makes it too
> > complicated to cherry-pick specific bits, and even harder to keep track of the
> > security aspects of it, like backporting security fixes, so it was decided to
> > bring the full implementation here.
> >
> > This patch series introduces both TSS and mbedtls as subtrees, which diminishes
> > the maintenance burden at the skiboot side since we can now rely on external
> > implementations of TSS and tls.
> >
> > Note: Right now the following patch:
> >
> > [PATCH 06/15] Squashed 'libstb/tss2/ibmtpm20tss/' content from commit
> >
> > creates a subtree based on a non-official tree (at
> > https://github.com/maurorodrigues/ibmtpm20tss branch maurosr/v4-tss-skiboot),
> > containing additional patches to support the eventlog implementation, which are
> > currently under review to be merged in the official tree at
> > https://git.code.sf.net/p/ibmtpm20tss/tss. We plan to tie this subtree to the
> > official tree, but for review purposes we can use the temporary non-official
> > tree mentioned.
>
> SF is a bit of a red flag.
>
> Possibly a good idea to mirror it at github.com/open-power/ so no matter what happens with upstream there's a copy.

Thanks for your review. Just out of curiosity, can SF be a red flag by itself, perhaps because of its availability, or do we just not want to rely on external parties other than github? Either way, mirroring the repositories is probably a last step before this series gets merged, right? And it requires one of the open-power organization's owners in github to perform it, right?

- Mauro

> > For the mbedtls subtree the following git repository was used:
> > https://github.com/ARMmbed/mbedtls tag: mbedtls-2.16.2
>
> Probably also a good idea to have an open-power mirror.