
docs: Update TPM documentation for usage of a TPM 2

Message ID 20220927122146.2787854-1-stefanb@linux.ibm.com (mailing list archive)
State New, archived

Commit Message

Stefan Berger Sept. 27, 2022, 12:21 p.m. UTC
Update the TPM documentation for usage of a TPM 2 rather than a TPM 1.2.
Adjust the command lines and expected outputs inside the VM accordingly.
Update the command line to start a TPM 2 with swtpm.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 docs/specs/tpm.rst | 44 ++++++++++++++++++++++++--------------------
 1 file changed, 24 insertions(+), 20 deletions(-)

Comments

Marc-André Lureau Sept. 27, 2022, 1:04 p.m. UTC | #1
On Tue, Sep 27, 2022 at 4:21 PM Stefan Berger <stefanb@linux.ibm.com> wrote:
>
> Update the TPM documentation for usage of a TPM 2 rather than a TPM 1.2.
> Adjust the command lines and expected outputs inside the VM accordingly.
> Update the command line to start a TPM 2 with swtpm.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>


> ---
>  docs/specs/tpm.rst | 44 ++++++++++++++++++++++++--------------------
>  1 file changed, 24 insertions(+), 20 deletions(-)
>
> diff --git a/docs/specs/tpm.rst b/docs/specs/tpm.rst
> index 3be190343a..535912a92b 100644
> --- a/docs/specs/tpm.rst
> +++ b/docs/specs/tpm.rst
> @@ -250,24 +250,25 @@ hardware TPM ``/dev/tpm0``:
>
>  The following commands should result in similar output inside the VM
>  with a Linux kernel that either has the TPM TIS driver built-in or
> -available as a module:
> +available as a module (assuming a TPM 2 is passed through):
>
>  .. code-block:: console
>
>    # dmesg | grep -i tpm
> -  [    0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1)
> -
> -  # dmesg | grep TCPA
> -  [    0.000000] ACPI: TCPA 0x0000000003FFD191C 000032 (v02 BOCHS  \
> -      BXPCTCPA 0000001 BXPC 00000001)
> +  [    0.012560] ACPI: TPM2 0x000000000BFFD1900 00004C (v04 BOCHS  \
> +      BXPC     0000001 BXPC 00000001)
>
>    # ls -l /dev/tpm*
> -  crw-------. 1 root root 10, 224 Jul 11 10:11 /dev/tpm0
> +  crw-rw----. 1 tss root  10,   224 Sep  6 12:36 /dev/tpm0
> +  crw-rw----. 1 tss rss  253, 65536 Sep  6 12:36 /dev/tpmrm0
>
> -  # find /sys/devices/ | grep pcrs$ | xargs cat
> -  PCR-00: 35 4E 3B CE 23 9F 38 59 ...
> +  Starting with Linux 5.12 there are PCR entries for TPM 2 in sysfs:
> +  # find /sys/devices/ -type f | grep pcr-sha
> +  ...
> +  /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/1
> +  ...
> +  /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/9
>    ...
> -  PCR-23: 00 00 00 00 00 00 00 00 ...
>
>  The QEMU TPM emulator device
>  ----------------------------
> @@ -304,6 +305,7 @@ a socket interface. They do not need to be run as root.
>    mkdir /tmp/mytpm1
>    swtpm socket --tpmstate dir=/tmp/mytpm1 \
>      --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \
> +    --tpm2 \
>      --log level=20
>
>  Command line to start QEMU with the TPM emulator device communicating
> @@ -365,19 +367,20 @@ available as a module:
>  .. code-block:: console
>
>    # dmesg | grep -i tpm
> -  [    0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1)
> -
> -  # dmesg | grep TCPA
> -  [    0.000000] ACPI: TCPA 0x0000000003FFD191C 000032 (v02 BOCHS  \
> -      BXPCTCPA 0000001 BXPC 00000001)
> +  [    0.012560] ACPI: TPM2 0x000000000BFFD1900 00004C (v04 BOCHS  \
> +      BXPC     0000001 BXPC 00000001)
>
>    # ls -l /dev/tpm*
> -  crw-------. 1 root root 10, 224 Jul 11 10:11 /dev/tpm0
> +  crw-rw----. 1 tss root  10,   224 Sep  6 12:36 /dev/tpm0
> +  crw-rw----. 1 tss rss  253, 65536 Sep  6 12:36 /dev/tpmrm0
>
> -  # find /sys/devices/ | grep pcrs$ | xargs cat
> -  PCR-00: 35 4E 3B CE 23 9F 38 59 ...
> +  Starting with Linux 5.12 there are PCR entries for TPM 2 in sysfs:
> +  # find /sys/devices/ -type f | grep pcr-sha
> +  ...
> +  /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/1
> +  ...
> +  /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/9
>    ...
> -  PCR-23: 00 00 00 00 00 00 00 00 ...
>
>  Migration with the TPM emulator
>  ===============================
> @@ -398,7 +401,8 @@ In a 1st terminal start an instance of a swtpm using the following command:
>    mkdir /tmp/mytpm1
>    swtpm socket --tpmstate dir=/tmp/mytpm1 \
>      --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \
> -    --log level=20 --tpm2
> +    --tpm2 \
> +    --log level=20
>
>  In a 2nd terminal start the VM:
>
> --
> 2.37.2
>
Laurent Vivier Sept. 29, 2022, 7:32 p.m. UTC | #2
On 27/09/2022 at 14:21, Stefan Berger wrote:
> Update the TPM documentation for usage of a TPM 2 rather than a TPM 1.2.
> Adjust the command lines and expected outputs inside the VM accordingly.
> Update the command line to start a TPM 2 with swtpm.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>   docs/specs/tpm.rst | 44 ++++++++++++++++++++++++--------------------
>   1 file changed, 24 insertions(+), 20 deletions(-)
> 
> diff --git a/docs/specs/tpm.rst b/docs/specs/tpm.rst
> index 3be190343a..535912a92b 100644
> --- a/docs/specs/tpm.rst
> +++ b/docs/specs/tpm.rst
> @@ -250,24 +250,25 @@ hardware TPM ``/dev/tpm0``:
>   
>   The following commands should result in similar output inside the VM
>   with a Linux kernel that either has the TPM TIS driver built-in or
> -available as a module:
> +available as a module (assuming a TPM 2 is passed through):
>   
>   .. code-block:: console
>   
>     # dmesg | grep -i tpm
> -  [    0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1)
> -
> -  # dmesg | grep TCPA
> -  [    0.000000] ACPI: TCPA 0x0000000003FFD191C 000032 (v02 BOCHS  \
> -      BXPCTCPA 0000001 BXPC 00000001)
> +  [    0.012560] ACPI: TPM2 0x000000000BFFD1900 00004C (v04 BOCHS  \
> +      BXPC     0000001 BXPC 00000001)
>   
>     # ls -l /dev/tpm*
> -  crw-------. 1 root root 10, 224 Jul 11 10:11 /dev/tpm0
> +  crw-rw----. 1 tss root  10,   224 Sep  6 12:36 /dev/tpm0
> +  crw-rw----. 1 tss rss  253, 65536 Sep  6 12:36 /dev/tpmrm0
>   
> -  # find /sys/devices/ | grep pcrs$ | xargs cat
> -  PCR-00: 35 4E 3B CE 23 9F 38 59 ...
> +  Starting with Linux 5.12 there are PCR entries for TPM 2 in sysfs:
> +  # find /sys/devices/ -type f | grep pcr-sha
> +  ...
> +  /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/1
> +  ...
> +  /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/9
>     ...
> -  PCR-23: 00 00 00 00 00 00 00 00 ...
>   
>   The QEMU TPM emulator device
>   ----------------------------
> @@ -304,6 +305,7 @@ a socket interface. They do not need to be run as root.
>     mkdir /tmp/mytpm1
>     swtpm socket --tpmstate dir=/tmp/mytpm1 \
>       --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \
> +    --tpm2 \
>       --log level=20
>   
>   Command line to start QEMU with the TPM emulator device communicating
> @@ -365,19 +367,20 @@ available as a module:
>   .. code-block:: console
>   
>     # dmesg | grep -i tpm
> -  [    0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1)
> -
> -  # dmesg | grep TCPA
> -  [    0.000000] ACPI: TCPA 0x0000000003FFD191C 000032 (v02 BOCHS  \
> -      BXPCTCPA 0000001 BXPC 00000001)
> +  [    0.012560] ACPI: TPM2 0x000000000BFFD1900 00004C (v04 BOCHS  \
> +      BXPC     0000001 BXPC 00000001)
>   
>     # ls -l /dev/tpm*
> -  crw-------. 1 root root 10, 224 Jul 11 10:11 /dev/tpm0
> +  crw-rw----. 1 tss root  10,   224 Sep  6 12:36 /dev/tpm0
> +  crw-rw----. 1 tss rss  253, 65536 Sep  6 12:36 /dev/tpmrm0
>   
> -  # find /sys/devices/ | grep pcrs$ | xargs cat
> -  PCR-00: 35 4E 3B CE 23 9F 38 59 ...
> +  Starting with Linux 5.12 there are PCR entries for TPM 2 in sysfs:
> +  # find /sys/devices/ -type f | grep pcr-sha
> +  ...
> +  /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/1
> +  ...
> +  /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/9
>     ...
> -  PCR-23: 00 00 00 00 00 00 00 00 ...
>   
>   Migration with the TPM emulator
>   ===============================
> @@ -398,7 +401,8 @@ In a 1st terminal start an instance of a swtpm using the following command:
>     mkdir /tmp/mytpm1
>     swtpm socket --tpmstate dir=/tmp/mytpm1 \
>       --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \
> -    --log level=20 --tpm2
> +    --tpm2 \
> +    --log level=20
>   
>   In a 2nd terminal start the VM:
>   

Applied to my trivial-patches branch.

Thanks,
Laurent

Patch

diff --git a/docs/specs/tpm.rst b/docs/specs/tpm.rst
index 3be190343a..535912a92b 100644
--- a/docs/specs/tpm.rst
+++ b/docs/specs/tpm.rst
@@ -250,24 +250,25 @@  hardware TPM ``/dev/tpm0``:
 
 The following commands should result in similar output inside the VM
 with a Linux kernel that either has the TPM TIS driver built-in or
-available as a module:
+available as a module (assuming a TPM 2 is passed through):
 
 .. code-block:: console
 
   # dmesg | grep -i tpm
-  [    0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1)
-
-  # dmesg | grep TCPA
-  [    0.000000] ACPI: TCPA 0x0000000003FFD191C 000032 (v02 BOCHS  \
-      BXPCTCPA 0000001 BXPC 00000001)
+  [    0.012560] ACPI: TPM2 0x000000000BFFD1900 00004C (v04 BOCHS  \
+      BXPC     0000001 BXPC 00000001)
 
   # ls -l /dev/tpm*
-  crw-------. 1 root root 10, 224 Jul 11 10:11 /dev/tpm0
+  crw-rw----. 1 tss root  10,   224 Sep  6 12:36 /dev/tpm0
+  crw-rw----. 1 tss rss  253, 65536 Sep  6 12:36 /dev/tpmrm0
 
-  # find /sys/devices/ | grep pcrs$ | xargs cat
-  PCR-00: 35 4E 3B CE 23 9F 38 59 ...
+  Starting with Linux 5.12 there are PCR entries for TPM 2 in sysfs:
+  # find /sys/devices/ -type f | grep pcr-sha
+  ...
+  /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/1
+  ...
+  /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/9
   ...
-  PCR-23: 00 00 00 00 00 00 00 00 ...
 
 The QEMU TPM emulator device
 ----------------------------
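
Review bot: The group on the added /dev/tpmrm0 line reads "rss" (`crw-rw----. 1 tss rss  253, 65536 ...`), which looks like a typo for "tss" given the owner column on the same line; please check it against the real guest output and correct it here and in the identical line of the -365 hunk. The sample also changes /dev/tpm0 from `crw-------` owned by root:root to group-accessible `crw-rw----` owned by tss, so a short sentence saying that owner, group and mode depend on the guest's configuration would keep readers from treating a different listing as a failed passthrough.
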
@@ -304,6 +305,7 @@  a socket interface. They do not need to be run as root.
   mkdir /tmp/mytpm1
   swtpm socket --tpmstate dir=/tmp/mytpm1 \
     --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \
+    --tpm2 \
     --log level=20
 
 Command line to start QEMU with the TPM emulator device communicating
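
Review bot: Nothing around the added `--tpm2 \` line says that this flag is what makes swtpm present a TPM 2, so a reader adapting the command can drop it without realising that the guest output documented further down (ACPI TPM2 table, /dev/tpmrm0) will no longer match. One sentence before the command stating that `--tpm2` selects TPM 2 emulation would close that gap.
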
@@ -365,19 +367,20 @@  available as a module:
 .. code-block:: console
 
   # dmesg | grep -i tpm
-  [    0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1)
-
-  # dmesg | grep TCPA
-  [    0.000000] ACPI: TCPA 0x0000000003FFD191C 000032 (v02 BOCHS  \
-      BXPCTCPA 0000001 BXPC 00000001)
+  [    0.012560] ACPI: TPM2 0x000000000BFFD1900 00004C (v04 BOCHS  \
+      BXPC     0000001 BXPC 00000001)
 
   # ls -l /dev/tpm*
-  crw-------. 1 root root 10, 224 Jul 11 10:11 /dev/tpm0
+  crw-rw----. 1 tss root  10,   224 Sep  6 12:36 /dev/tpm0
+  crw-rw----. 1 tss rss  253, 65536 Sep  6 12:36 /dev/tpmrm0
 
-  # find /sys/devices/ | grep pcrs$ | xargs cat
-  PCR-00: 35 4E 3B CE 23 9F 38 59 ...
+  Starting with Linux 5.12 there are PCR entries for TPM 2 in sysfs:
+  # find /sys/devices/ -type f | grep pcr-sha
+  ...
+  /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/1
+  ...
+  /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/9
   ...
-  PCR-23: 00 00 00 00 00 00 00 00 ...
 
 Migration with the TPM emulator
 ===============================
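
Review bot: The added line "Starting with Linux 5.12 there are PCR entries for TPM 2 in sysfs:" sits inside the `.. code-block:: console` body, at the indentation of command output and without a `#` prompt, so it will render as if it were terminal text. Move it into a prose paragraph and start a separate console block for the `find` command; the same applies to the identical lines in the -250 hunk. Note too that the new `find /sys/devices/ -type f | grep pcr-sha` only lists paths, whereas the removed command piped into `xargs cat` and showed PCR values; if showing a value is still intended, add a `cat` of one of the listed files.
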
@@ -398,7 +401,8 @@  In a 1st terminal start an instance of a swtpm using the following command:
   mkdir /tmp/mytpm1
   swtpm socket --tpmstate dir=/tmp/mytpm1 \
     --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \
-    --log level=20 --tpm2
+    --tpm2 \
+    --log level=20
 
 In a 2nd terminal start the VM:
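
Review bot: The context lines here keep the emulated TPM's state directory and control socket under a fixed name in /tmp (`mkdir /tmp/mytpm1`, `path=/tmp/mytpm1/swtpm-sock`), a location that is shared between users and world-writable on most systems. Since the command is being touched anyway, consider creating the directory with `mkdir -m 0700` or pointing the example at a per-user path, in both this and the -304 hunk. The move of `--tpm2` ahead of `--log level=20` is cosmetic and makes the two swtpm invocations match, which the commit message could mention.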