Fix TPM Issues in Kernel 6.12.49 LTS#5303

Merged
eriknordmark merged 2 commits into
lf-edge:masterfrom
shjala:fix.tpm.reset.protection.bug
Oct 14, 2025
Conversation

@shjala shjala commented Oct 13, 2025

Member

Description

Fixes two issues:

1- Update apparmor profile and allow vtpm to read null_name (for TPM reset protection)
2- Do not call ValidateKernelNullPrimary in TpmSign because TpmSign is called before the key needed to certify null key is created.

PR dependencies

This should go before #5287

How to test and validate this PR

Will be tested as part of #5287

Changelog notes

Fix TPM reset protection and vTPM access: skip null primary check in TpmSign and allow vTPM to read null_name.

Checklist

  • I've provided a proper description
  • I've added the proper documentation
  • I've tested my PR on amd64 device
  • I've tested my PR on arm64 device
  • I've written the test verification instructions
  • I've set the proper labels to this PR

And the last but not least:

  • I've checked the boxes above, or I've provided a good reason why I didn't
    check them.

Please, check the boxes above after submitting the PR in interactive mode.

TpmSign is called early, before all the TPM keys are created, so if we
call ValidateKernelNullPrimary here, it always fails to certify the
null primary key because the certifying key is not created yet.

Signed-off-by: Shahriyar Jalayeri <[email protected]>

Allow vtpm to read null_name (for TPM reset protection), ceiling value
for listen(2) and transparent hugepage size (go memory allocator).

Signed-off-by: Shahriyar Jalayeri <[email protected]>
@shjala shjala requested a review from rucoder as a code owner October 13, 2025 15:57
@github-actions github-actions Bot requested a review from eriknordmark October 13, 2025 15:58
@shjala shjala marked this pull request as draft October 13, 2025 15:58
@shjala shjala added the bug Something isn't working label Oct 13, 2025
@shjala shjala commented Oct 13, 2025

Member Author

@rene my original commit ended up in 15.12.0-rc1 and 15.11.0, should I backport this fix to 15 then?

@eriknordmark eriknordmark left a comment

Contributor

LGTM

@rene rene commented Oct 14, 2025

Contributor

@rene my original commit ended up in 15.12.0-rc1 and 15.11.0, should I backport this fix to 15 then?

@shjala , 15.11.0 is just a bi-weekly build and current master will become 15.12.0-rc2, later on we will need to push a 15.12-stable branch, so I think we are good, no need to backport....

@rene rene left a comment

Contributor

LGTM

@rene rene marked this pull request as ready for review October 14, 2025 14:21
@eriknordmark eriknordmark merged commit a6c4a8e into lf-edge:master Oct 14, 2025
45 of 46 checks passed
@rucoder rucoder mentioned this pull request Oct 14, 2025
Labels

bug Something isn't working
