The Iridium SLB9670 TPM2 is an evaluation board designed for the Raspberry Pi 2/3, and the driver for it is already in the bionic/raspi2 (aka core18) kernel tree. However, it also requires a device-tree overlay which is not present in the core18 kernel tree, AND even if it were, a change would be needed to the `/boot/uboot/config.txt` bootloader configuration to enable this to be loaded.
When this overlay is loaded, the SPI interface is claimed by the TPM2 SPI driver, so even if the TPM2 device is not present this stops the SPI interface from being used by other drivers; it is therefore not suitable for this to be enabled for all users of Ubuntu Core on the Raspberry Pi.
However, device tree overlays can be dynamically loaded on-the-fly, so I have developed a snap application which ships with the required device tree overlay and some simple scripting to dynamically load this, along with the required kernel module `tpm_tis_spi`, as a snap one-shot daemon.

We already provide the `kernel-module-control` interface to allow snaps to load modules.
The problem I am facing is that there is no snap interface which exposes the required configfs path within sysfs to allow the device tree overlay to be loaded, so currently AppArmor is blocking access to this, and as a result the snap must be a devmode snap.
To enable this to be strictly confined, either this path needs to be added to an existing interface (perhaps `kernel-module-control`?) or a new interface (`device-tree-control`?) is needed to support this use-case. The other option I had considered, but discarded, was some interface which allowed editing `/boot/uboot/config.txt` to list the new overlay AND allowed writing the shipped device-tree overlay to `/boot/uboot/overlays`; however, this is likely to be clumsy (rewriting conf files) and gives the snap too much authority to cause other problems by changing the general bootloader configuration.
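To make the configfs step concrete, here is an added example of the kind of one-shot script the post describes: it applies a compiled overlay through the kernel's configfs device-tree directory and then loads `tpm_tis_spi`. This is illustrative code, not the snap's own scripting; the overlay label `tpm-slb9670`, the `.dtbo` file name and its location under `$SNAP` are assumptions, and `CONFIGFS_ROOT` is overridable so the load function can be exercised against a scratch directory.

```shell
#!/bin/sh
# Example one-shot loader (not the original snap's script). Applies a
# device-tree overlay via configfs, then loads the TPM SPI driver.
set -eu

# Real configfs mount on the device; overridable for dry runs in a temp dir.
CONFIGFS_ROOT="${CONFIGFS_ROOT:-/sys/kernel/config}"
OVERLAY_NAME="${OVERLAY_NAME:-tpm-slb9670}"          # assumed overlay label
# $SNAP is set by snapd at run time; the overlays/ subdirectory is assumed.
DTBO_FILE="${DTBO_FILE:-${SNAP:-.}/overlays/tpm-slb9670.dtbo}"

# load_overlay <dtbo-file> <name>
# Creates the overlay entry under configfs and writes the compiled blob into
# its 'dtbo' attribute; the kernel applies the overlay on that write.
# Prints the overlay directory so callers can inspect it.
load_overlay() {
    dtbo="$1"
    name="$2"
    ovl_dir="$CONFIGFS_ROOT/device-tree/overlays/$name"
    [ -r "$dtbo" ] || { echo "overlay blob not readable: $dtbo" >&2; return 1; }
    # Idempotent: a re-run of the one-shot daemon must not fail or re-apply.
    if [ -d "$ovl_dir" ]; then
        echo "$ovl_dir"
        return 0
    fi
    mkdir -p "$ovl_dir"
    # Under strict confinement this write is what AppArmor currently denies.
    cat "$dtbo" > "$ovl_dir/dtbo"
    echo "$ovl_dir"
}

# tpm_present: succeeds once the driver has created a TPM character device.
tpm_present() {
    [ -c /dev/tpm0 ] || [ -c /dev/tpmrm0 ]
}

main() {
    ovl_dir=$(load_overlay "$DTBO_FILE" "$OVERLAY_NAME")
    echo "overlay applied at $ovl_dir"
    # This step is already covered by the kernel-module-control interface.
    modprobe tpm_tis_spi
    tpm_present || { echo "driver loaded but no TPM device node" >&2; exit 1; }
    echo "TPM2 device available"
}

# Only run main when executed directly, so the functions can be sourced.
if [ "${0##*/}" = "load-tpm-overlay.sh" ]; then
    main
fi
```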