| Message ID | 20200214183704.14389-1-eric.auger@redhat.com (mailing list archive) |
|---|---|
| Series | vTPM for aarch64 |
On Fri, 14 Feb 2020 at 19:37, Eric Auger <eric.auger@redhat.com> wrote:
>
> This series adds the capability to instantiate an MMIO TPM TIS
> in ARM virt.
>
> The existing TPM TIS code is reshuffled into a generic part,
> the ISA device and the sysbus device. The last patch allows
> the instantiation of the TPM TIS sysbus device in ARM virt.
>
> The series was tested with the swtpm/libtpms emulator.
> Automatic guest LUKS volume unlocking (tpm2) was successful.
> EDK2 support is under development [3]. Thanks to Ard
> for supporting me when setting up the test environment.
>
> Best Regards
>
> Eric
>
> Testing:
>
> mkdir /tmp/tpm
> swtpm socket \
>   --tpm2 \
>   -t -d \
>   --tpmstate dir=/tmp/tpm \
>   --ctrl type=unixio,path=/tmp/swtpm-sock
>
> qemu command line must be augmented with the following options:
>
> -chardev socket,id=chrtpm,path=/tmp/swtpm-sock \
> -tpmdev emulator,id=tpm0,chardev=chrtpm \
> -device tpm-tis-device,tpmdev=tpm0 \
>
> References:
> [1] libtpms: https://github.com/stefanberger/libtpms/wiki
> [2] swtpm: https://github.com/stefanberger/swtpm/wiki
> [3] [PATCH 0/4] ArmVirtPkg: implement measured boot for ArmVirtQemu
>
> This series can be found at:
> https://github.com/eauger/qemu/tree/v4.2.0-tpm-rfc-v2
>
> History:
>
> RFC v1 -> RFC v2:
> - restructure the existing code with common, ISA and sysbus part.
> - both ARM and x86 integration were tested.
> - acknowledgement: migration has not been tested
>
> Eric Auger (6):
>   tpm: rename TPM_TIS into TPM_TIS_ISA
>   tpm: Use TPMState as a common struct
>   tpm: Separate tpm_tis common functions from isa code
>   tpm: Separate TPM_TIS and TPM_TIS_ISA configs
>   tpm: Add the SysBus TPM TIS device
>   hw/arm/virt: vTPM support
>

Many thanks to Eric for his work on this.

I have tested this with my EDK2 code and a Linux/arm64 VM booting in
DT mode with the tpm-tis driver enabled, and it works as expected. I
can observe the firmware taking measurements during boot, and can dump
the PCRs from Linux using tpm2_pcrlist.

Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

Note that the UEFI firmware is itself a consumer of the DT
description, so we need the DT related changes regardless of whether
the VM boots in DT or ACPI mode.

>  default-configs/i386-softmmu.mak       |   2 +-
>  hw/arm/Kconfig                         |   1 +
>  hw/arm/sysbus-fdt.c                    |  36 +++++
>  hw/arm/virt.c                          |   7 +
>  hw/i386/Kconfig                        |   2 +-
>  hw/i386/acpi-build.c                   |   6 +-
>  hw/tpm/Kconfig                         |  12 +-
>  hw/tpm/Makefile.objs                   |   4 +-
>  hw/tpm/tpm_tis.h                       |  91 +++++++++++++
>  hw/tpm/{tpm_tis.c => tpm_tis_common.c} | 181 ++-----------------------
>  hw/tpm/tpm_tis_isa.c                   | 170 +++++++++++++++++++++++
>  hw/tpm/tpm_tis_sysbus.c                | 159 ++++++++++++++++++++++
>  include/sysemu/tpm.h                   |   7 +-
>  tests/qtest/Makefile.include           |   4 +-
>  14 files changed, 502 insertions(+), 180 deletions(-)
>  create mode 100644 hw/tpm/tpm_tis.h
>  rename hw/tpm/{tpm_tis.c => tpm_tis_common.c} (85%)
>  create mode 100644 hw/tpm/tpm_tis_isa.c
>  create mode 100644 hw/tpm/tpm_tis_sysbus.c
>
> --
> 2.20.1
>
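The swtpm and QEMU steps from the quoted cover letter, wrapped into one launch script for an aarch64 virt guest. This is an added example, not code from the patch series or from either mail; it assumes swtpm and qemu-system-aarch64 are on PATH, and the FIRMWARE and DISK paths are placeholders to be set for your own EDK2 build and guest image.

```shell
#!/usr/bin/env bash
# Added example: the cover letter's swtpm + QEMU steps as one launch script
# for an aarch64 "virt" guest. Not from the patch series or either mail.
# Assumptions: swtpm and qemu-system-aarch64 are on PATH; FIRMWARE is an EDK2
# build with TPM support (placeholder path); DISK is the guest image
# (placeholder path). Set VTPM_RUN=1 to actually launch.
set -eu

TPM_STATE="${TPM_STATE:-/tmp/tpm}"
TPM_SOCK="${TPM_SOCK:-/tmp/swtpm-sock}"
FIRMWARE="${FIRMWARE:-QEMU_EFI.fd}"   # placeholder
DISK="${DISK:-guest.qcow2}"           # placeholder

# QEMU connects to the swtpm control socket at startup and aborts if it is
# missing, so poll until the socket exists or $2 seconds have passed.
wait_for_socket() {
    local path="$1" timeout="${2:-10}" waited=0
    while [ ! -S "$path" ]; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# The three QEMU options from the cover letter, one token per line, selecting
# the sysbus (MMIO) TIS device that the series adds for ARM virt.
tpm_qemu_args() {
    printf '%s\n' \
        -chardev "socket,id=chrtpm,path=$1" \
        -tpmdev "emulator,id=tpm0,chardev=chrtpm" \
        -device "tpm-tis-device,tpmdev=tpm0"
}

main() {
    mkdir -p "$TPM_STATE"
    # Backgrounded here instead of swtpm's own -d so we hold its PID for cleanup.
    swtpm socket --tpm2 -t --tpmstate "dir=$TPM_STATE" \
        --ctrl "type=unixio,path=$TPM_SOCK" &
    SWTPM_PID=$!
    trap 'kill "$SWTPM_PID" 2>/dev/null || true; rm -f "$TPM_SOCK"' EXIT
    wait_for_socket "$TPM_SOCK" 10 || { echo "swtpm socket not ready" >&2; exit 1; }
    # $(...) is deliberately unquoted: each printed line becomes one argument.
    qemu-system-aarch64 -M virt -cpu cortex-a57 -m 1G -nographic \
        -bios "$FIRMWARE" -drive "file=$DISK,if=virtio" \
        $(tpm_qemu_args "$TPM_SOCK")
}

if [ "${VTPM_RUN:-0}" = 1 ]; then main "$@"; fi
```

Without VTPM_RUN=1 the script only defines the functions, so it can be sourced and the argument builder reused in other launch scripts.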
Hi Ard,

On 2/16/20 5:35 PM, Ard Biesheuvel wrote:
> On Fri, 14 Feb 2020 at 19:37, Eric Auger <eric.auger@redhat.com> wrote:
>>
>> This series adds the capability to instantiate an MMIO TPM TIS
>> in ARM virt.
>>
>> The existing TPM TIS code is reshuffled into a generic part,
>> the ISA device and the sysbus device. The last patch allows
>> the instantiation of the TPM TIS sysbus device in ARM virt.
>>
>> The series was tested with the swtpm/libtpms emulator.
>> Automatic guest LUKS volume unlocking (tpm2) was successful.
>> EDK2 support is under development [3]. Thanks to Ard
>> for supporting me when setting up the test environment.
>>
>> Best Regards
>>
>> Eric
>>
>> Testing:
>>
>> mkdir /tmp/tpm
>> swtpm socket \
>>   --tpm2 \
>>   -t -d \
>>   --tpmstate dir=/tmp/tpm \
>>   --ctrl type=unixio,path=/tmp/swtpm-sock
>>
>> qemu command line must be augmented with the following options:
>>
>> -chardev socket,id=chrtpm,path=/tmp/swtpm-sock \
>> -tpmdev emulator,id=tpm0,chardev=chrtpm \
>> -device tpm-tis-device,tpmdev=tpm0 \
>>
>> References:
>> [1] libtpms: https://github.com/stefanberger/libtpms/wiki
>> [2] swtpm: https://github.com/stefanberger/swtpm/wiki
>> [3] [PATCH 0/4] ArmVirtPkg: implement measured boot for ArmVirtQemu
>>
>> This series can be found at:
>> https://github.com/eauger/qemu/tree/v4.2.0-tpm-rfc-v2
>>
>> History:
>>
>> RFC v1 -> RFC v2:
>> - restructure the existing code with common, ISA and sysbus part.
>> - both ARM and x86 integration were tested.
>> - acknowledgement: migration has not been tested
>>
>> Eric Auger (6):
>>   tpm: rename TPM_TIS into TPM_TIS_ISA
>>   tpm: Use TPMState as a common struct
>>   tpm: Separate tpm_tis common functions from isa code
>>   tpm: Separate TPM_TIS and TPM_TIS_ISA configs
>>   tpm: Add the SysBus TPM TIS device
>>   hw/arm/virt: vTPM support
>>
>
> Many thanks to Eric for his work on this.
>
> I have tested this with my EDK2 code and a Linux/arm64 VM booting in
> DT mode with the tpm-tis driver enabled, and it works as expected. I
> can observe the firmware taking measurements during boot, and can dump
> the PCRs from Linux using tpm2_pcrlist.
>
> Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

Many thanks for the testing.

>
> Note that the UEFI firmware is itself a consumer of the DT
> description, so we need the DT related changes regardless of whether
> the VM boots in DT or ACPI mode.

OK thank you for the note. I will add this in my cover letter.

Best Regards

Eric

>
>
>
>>  default-configs/i386-softmmu.mak       |   2 +-
>>  hw/arm/Kconfig                         |   1 +
>>  hw/arm/sysbus-fdt.c                    |  36 +++++
>>  hw/arm/virt.c                          |   7 +
>>  hw/i386/Kconfig                        |   2 +-
>>  hw/i386/acpi-build.c                   |   6 +-
>>  hw/tpm/Kconfig                         |  12 +-
>>  hw/tpm/Makefile.objs                   |   4 +-
>>  hw/tpm/tpm_tis.h                       |  91 +++++++++++++
>>  hw/tpm/{tpm_tis.c => tpm_tis_common.c} | 181 ++-----------------------
>>  hw/tpm/tpm_tis_isa.c                   | 170 +++++++++++++++++++++++
>>  hw/tpm/tpm_tis_sysbus.c                | 159 ++++++++++++++++++++++
>>  include/sysemu/tpm.h                   |   7 +-
>>  tests/qtest/Makefile.include           |   4 +-
>>  14 files changed, 502 insertions(+), 180 deletions(-)
>>  create mode 100644 hw/tpm/tpm_tis.h
>>  rename hw/tpm/{tpm_tis.c => tpm_tis_common.c} (85%)
>>  create mode 100644 hw/tpm/tpm_tis_isa.c
>>  create mode 100644 hw/tpm/tpm_tis_sysbus.c
>>
>> --
>> 2.20.1
>>
>