Bug#1041007: linux-image-6.1.0-0.deb11.7-amd64: Please enable TPM hardware RNG support (CONFIG_HW_RANDOM_TPM)

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1041007: linux-image-6.1.0-0.deb11.7-amd64: Please enable TPM hardware RNG support (CONFIG_HW_RANDOM_TPM)
From: jflf_kernel@gmx.com
Date: Thu, 13 Jul 2023 23:10:48 +0200
Message-id: <[🔎] 47283824-62b8-9a04-96b0-cf2e9d99a578@gmx.com>
Reply-to: jflf_kernel@gmx.com, 1041007@bugs.debian.org

Package: src:linux
Version: 6.1.20-2~bpo11+1
Severity: normal
X-Debbugs-Cc: jflf_kernel@gmx.com

Dear Maintainer,

Currently no Debian kernel enables support for TPM hardware RNG. On one of my
systems:

$ uname -a
Linux XXX 6.1.0-0.deb11.7-amd64 #1 SMP PREEMPT_DYNAMIC Debian
6.1.20-2~bpo11+1 (2023-04-23) x86_64 GNU/Linux

$ cat /sys/class/tpm/tpm0/device/description
TPM 2.0 Device

$ ls /dev/tpm*
/dev/tpm0  /dev/tpmrm0

$ sudo tpm2_getrandom 16 | xxd -p
7ba65632453b191385a3989485ac80a3

$ grep HW_RANDOM_TPM /boot/config-$(uname -r)
<nothing>

$ find /lib/modules/$(uname -r) -iname \*tpm\*rng\*
<nothing again>

$ ls /dev/hwrng
ls: cannot access '/dev/hwrng': No such file or directory


I have checked the current bookworm and trixie kernel debs, and they don't
include it either. It should be enabled there too.

I manage multiple older amd64 machines that have discrete TPM chips, but no
RDRAND instruction or any other hardware RNG. Enabling support for the TPM RNG
would provide the kernel with additional entropy earlier in the boot process.

Thank you very much!


-- Package-specific info:
** Version:
Linux version 6.1.0-0.deb11.7-amd64 (debian-kernel@lists.debian.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP PREEMPT_DYNAMIC Debian 6.1.20-2~bpo11+1 (2023-04-23)

** Command line:
BOOT_IMAGE=/boot/vmlinuz-6.1.0-0.deb11.7-amd64 root=UUID=0c206836-a588-4a57-9c6d-92d3f3e20d01 ro quiet nmi_watchdog=0

** Tainted: PUOE (12353)
 * proprietary module was loaded
 * taint requested by userspace application
 * externally-built ("out-of-tree") module was loaded
 * unsigned module was loaded

** Kernel log:
Jul 13 07:19:40 silverpad kernel: ACPI: SSDT 0x00000000D7FFA000 0004B7 (v02 LENOVO Tpm2Tabl 00001000 INTL 20141107)
Jul 13 07:19:40 silverpad kernel: ACPI: TPM2 0x00000000D7FF8000 000034 (v03 LENOVO TP-R0C   00001370 PTEC 00000002)
Jul 13 07:19:40 silverpad kernel: ACPI: Reserving TPM2 table memory at [mem 0xd7ff8000-0xd7ff8033]

** Model information
sys_vendor: LENOVO
product_name: 20GJCTO1WW
product_version: ThinkPad 13
chassis_vendor: LENOVO
chassis_version: None
bios_vendor: LENOVO
bios_version: R0CET49W (1.37 )
board_vendor: LENOVO
board_name: 20GJCTO1WW
board_version: SDK0J40709 WIN

** Loaded modules:
isofs
cdrom
uas
usb_storage
uinput
ctr
ccm
rfcomm
nft_fib_inet
nft_fib_ipv4
nft_fib_ipv6
nft_fib
nft_reject_inet
nf_reject_ipv4
vboxnetadp(OE)
nf_reject_ipv6
vboxnetflt(OE)
nft_reject
nft_ct
nft_chain_nat
nf_nat
nf_conntrack
nf_defrag_ipv6
nf_defrag_ipv4
vboxdrv(OE)
ip_set
nf_tables
nfnetlink
zstd
zstd_compress
cmac
algif_hash
algif_skcipher
zram
af_alg
zsmalloc
bnep
zfs(POE)
zunicode(POE)
zzstd(OE)
zlua(OE)
zavl(POE)
icp(POE)
zcommon(POE)
znvpair(POE)
spl(OE)
hid_logitech
ff_memless
hid_generic
snd_usb_audio
usbhid
snd_usbmidi_lib
snd_rawmidi
hid
snd_seq_device
cdc_ether
usbnet
r8152
mii
btusb
btrtl
btbcm
btintel
btmtk
bluetooth
jitterentropy_rng
uvcvideo
videobuf2_vmalloc
drbg
videobuf2_memops
videobuf2_v4l2
ansi_cprng
videobuf2_common
ecdh_generic
ecc
videodev
crc16
mc
snd_sof_pci_intel_skl
intel_rapl_msr
intel_rapl_common
snd_sof_intel_hda_common
snd_hda_codec_hdmi
x86_pkg_temp_thermal
intel_powerclamp
soundwire_intel
soundwire_generic_allocation
soundwire_cadence
coretemp
snd_sof_intel_hda
crc32_pclmul
snd_sof_pci
snd_sof_xtensa_dsp
snd_sof
snd_sof_utils
soundwire_bus
ghash_clmulni_intel
sha512_ssse3
sha512_generic
snd_soc_skl
snd_soc_hdac_hda
snd_ctl_led
snd_hda_ext_core
snd_soc_sst_ipc
snd_hda_codec_realtek
snd_soc_sst_dsp
snd_soc_acpi_intel_match
snd_soc_acpi
snd_hda_codec_generic
snd_soc_core
snd_compress
iwlmvm
snd_hda_intel
snd_intel_dspcfg
snd_intel_sdw_acpi
snd_hda_codec
intel_xhci_usb_role_switch
roles
snd_hda_core
aesni_intel
mac80211
crypto_simd
snd_hwdep
xhci_pci
cryptd
xhci_hcd
snd_pcm
mei_hdcp
ee1004
nls_ascii
rapl
libarc4
iwlwifi
e1000e
thinkpad_acpi
usbcore
nls_cp437
i2c_i801
mei_me
ptp
snd_timer
nvram
think_lmi
intel_lpss_pci
intel_cstate
platform_profile
vfat
intel_lpss
ledtrig_audio
fat
cfg80211
intel_uncore
intel_wmi_thunderbolt
wmi_bmof
firmware_attributes_class
pps_core
mei
i2c_smbus
usb_common
snd
idma64
intel_pch_thermal
battery
soundcore
rfkill
ac
button
intel_pmc_core
acpi_pad
joydev
sg
msr
sunrpc
ecryptfs
fuse
efi_pstore
configfs
ip_tables
x_tables
xfs
efivarfs
raid10
raid456
async_raid6_recov
async_memcpy
async_pq
async_xor
xor
async_tx
raid6_pq
libcrc32c
crc32c_generic
raid1
raid0
multipath
linear
md_mod
i915
i2c_algo_bit
drm_buddy
drm_display_helper
sd_mod
t10_pi
drm_kms_helper
crc64_rocksoft
crc64
crc_t10dif
cec
crct10dif_generic
rc_core
ahci
crct10dif_pclmul
libahci
ttm
crct10dif_common
libata
drm
crc32c_intel
psmouse
scsi_mod
evdev
serio_raw
scsi_common
video
wmi

-- System Information:
Debian Release: 11.7
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-0.deb11.7-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_USER, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages linux-image-6.1.0-0.deb11.7-amd64 depends on:
ii  initramfs-tools [linux-initramfs-tool]  0.140
ii  kmod                                    28-1
ii  linux-base                              4.6

Versions of packages linux-image-6.1.0-0.deb11.7-amd64 recommends:
ii  apparmor             2.13.6-10
ii  firmware-linux-free  20200122-1

Versions of packages linux-image-6.1.0-0.deb11.7-amd64 suggests:
pn  debian-kernel-handbook  <none>
ii  grub-efi-amd64          2.06-3~deb11u5
pn  linux-doc-6.1           <none>

Versions of packages linux-image-6.1.0-0.deb11.7-amd64 is related to:
pn  firmware-amd-graphics     <none>
pn  firmware-atheros          <none>
pn  firmware-bnx2             <none>
pn  firmware-bnx2x            <none>
pn  firmware-brcm80211        <none>
pn  firmware-cavium           <none>
pn  firmware-intel-sound      <none>
pn  firmware-intelwimax       <none>
pn  firmware-ipw2x00          <none>
pn  firmware-ivtv             <none>
ii  firmware-iwlwifi          20230210-4~bpo11+1
pn  firmware-libertas         <none>
pn  firmware-linux-nonfree    <none>
ii  firmware-misc-nonfree     20230210-4~bpo11+1
pn  firmware-myricom          <none>
pn  firmware-netxen           <none>
pn  firmware-qlogic           <none>
ii  firmware-realtek          20230210-4~bpo11+1
pn  firmware-samsung          <none>
pn  firmware-siano            <none>
pn  firmware-ti-connectivity  <none>
pn  xen-hypervisor            <none>

-- no debconf information

Reply to:

Follow-Ups:
- Bug#1041007: linux-image-6.1.0-0.deb11.7-amd64: Please enable TPM hardware RNG support (CONFIG_HW_RANDOM_TPM)
  - From: Vincent Blut <vincent.debian@free.fr>

Prev by Date: Re: Debian Kernel version and ABI in respect of #1040901
Next by Date: Bug#1040981: klibc-utils: Segmentation fault while executin klibc binaries in armhf architecture under qemu-user
Previous by thread: Processed: severity of 1040966 is important
Next by thread: Bug#1041007: linux-image-6.1.0-0.deb11.7-amd64: Please enable TPM hardware RNG support (CONFIG_HW_RANDOM_TPM)
Index(es):
- Date
- Thread