* sandbox TPM @ 2021-08-28 12:18 Heinrich Schuchardt 2021-08-28 21:19 ` Simon Glass 0 siblings, 1 reply; 6+ messages in thread From: Heinrich Schuchardt @ 2021-08-28 12:18 UTC (permalink / raw) To: Simon Glass, Ilias Apalodimas; +Cc: U-Boot Mailing List The current TPM emulation in drivers/tpm/tpm(2)_tis_sandbox.c is not spec compliant. A TPM emulation as UNIX socket exists with https://github.com/stefanberger/swtpm.git. QEMU already uses this emulator. Couldn't the sandbox do the same? I think this is the fastest way to get a compliant sandbox TPM. Best regards Heinrich ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: sandbox TPM 2021-08-28 12:18 sandbox TPM Heinrich Schuchardt @ 2021-08-28 21:19 ` Simon Glass 2021-08-29 10:53 ` Peter Robinson 0 siblings, 1 reply; 6+ messages in thread From: Simon Glass @ 2021-08-28 21:19 UTC (permalink / raw) To: Heinrich Schuchardt; +Cc: Ilias Apalodimas, U-Boot Mailing List Hi Heinrich, On Sat, 28 Aug 2021 at 06:18, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote: > > The current TPM emulation in drivers/tpm/tpm(2)_tis_sandbox.c is not > spec compliant. Do you mean it is incomplete or that it has bugs? If it is incomplete, what is needed by U-Boot? > > A TPM emulation as UNIX socket exists with > https://github.com/stefanberger/swtpm.git. QEMU already uses this emulator. > > Couldn't the sandbox do the same? I think this is the fastest way to get > a compliant sandbox TPM. Well we could if we need it. Are you sure it is a good idea? There is a lot of code there. Are you thinking it would be copied into the U-Boot tree and kept in sync with a script, perhaps? Presumably the project would accept changes we need? Regards, Simon ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: sandbox TPM 2021-08-28 21:19 ` Simon Glass @ 2021-08-29 10:53 ` Peter Robinson 2021-08-30 6:10 ` Ilias Apalodimas 0 siblings, 1 reply; 6+ messages in thread From: Peter Robinson @ 2021-08-29 10:53 UTC (permalink / raw) To: Simon Glass; +Cc: Heinrich Schuchardt, Ilias Apalodimas, U-Boot Mailing List On Sat, Aug 28, 2021 at 10:19 PM Simon Glass <sjg@chromium.org> wrote: > > Hi Heinrich, > > On Sat, 28 Aug 2021 at 06:18, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote: > > > > The current TPM emulation in drivers/tpm/tpm(2)_tis_sandbox.c is not > > spec compliant. > > Do you mean it is incomplete or that it has bugs? If it is incomplete, > what is needed by U-Boot? > > > > > A TPM emulation as UNIX socket exists with > > https://github.com/stefanberger/swtpm.git. QEMU already uses this emulator. > > > > Couldn't the sandbox do the same? I think this is the fastest way to get > > a compliant sandbox TPM. > > Well we could if we need it. Are you sure it is a good idea? There is > a lot of code there. Are you thinking it would be copied into the > U-Boot tree and kept in sync with a script, perhaps? Presumably the > project would accept changes we need? qemu doesn't copy it in, why can't it just run independently as part of the CI process? The rust TPM2 bindings do that here: https://github.com/parallaxsecond/rust-tss-esapi/blob/main/tss-esapi/tests/all-fedora.sh#L13 ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: sandbox TPM 2021-08-29 10:53 ` Peter Robinson @ 2021-08-30 6:10 ` Ilias Apalodimas 2021-08-30 7:34 ` Heinrich Schuchardt 0 siblings, 1 reply; 6+ messages in thread From: Ilias Apalodimas @ 2021-08-30 6:10 UTC (permalink / raw) To: Peter Robinson; +Cc: Simon Glass, Heinrich Schuchardt, U-Boot Mailing List On Sun, 29 Aug 2021 at 13:53, Peter Robinson <pbrobinson@gmail.com> wrote: > > On Sat, Aug 28, 2021 at 10:19 PM Simon Glass <sjg@chromium.org> wrote: > > > > Hi Heinrich, > > > > On Sat, 28 Aug 2021 at 06:18, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote: > > > > > > The current TPM emulation in drivers/tpm/tpm(2)_tis_sandbox.c is not > > > spec compliant. > > > > Do you mean it is incomplete or that it has bugs? If it is incomplete, > > what is needed by U-Boot? > > > > > > > > A TPM emulation as UNIX socket exists with > > > https://github.com/stefanberger/swtpm.git. QEMU already uses this emulator. > > > > > > Couldn't the sandbox do the same? I think this is the fastest way to get > > > a compliant sandbox TPM. > > > > Well we could if we need it. Are you sure it is a good idea? There is > > a lot of code there. Are you thinking it would be copied into the > > U-Boot tree and kept in sync with a script, perhaps? Presumably the > > project would accept changes we need? > > qemu doesn't copy it in, why can't it just run independently as part > of the CI process? The rust TPM2 bindings do that here: > https://github.com/parallaxsecond/rust-tss-esapi/blob/main/tss-esapi/tests/all-fedora.sh#L13 Keep in mind this is exposed as an MMIIO device. I did send a driver for it a while back [1]. In case we decide to use this, we can probably re-use that [1] https://lore.kernel.org/u-boot/20210707162604.84196-1-ilias.apalodimas@linaro.org/ Regards /Ilias ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: sandbox TPM 2021-08-30 6:10 ` Ilias Apalodimas @ 2021-08-30 7:34 ` Heinrich Schuchardt 2021-09-02 16:41 ` Simon Glass 0 siblings, 1 reply; 6+ messages in thread From: Heinrich Schuchardt @ 2021-08-30 7:34 UTC (permalink / raw) To: Ilias Apalodimas; +Cc: Simon Glass, U-Boot Mailing List, Peter Robinson On 8/30/21 8:10 AM, Ilias Apalodimas wrote: > On Sun, 29 Aug 2021 at 13:53, Peter Robinson <pbrobinson@gmail.com> wrote: >> >> On Sat, Aug 28, 2021 at 10:19 PM Simon Glass <sjg@chromium.org> wrote: >>> >>> Hi Heinrich, >>> >>> On Sat, 28 Aug 2021 at 06:18, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote: >>>> >>>> The current TPM emulation in drivers/tpm/tpm(2)_tis_sandbox.c is not >>>> spec compliant. @Simon Just have look at the bunch of TPM related error messages generated on the sandbox: => host bind 0 ../sandbox.img => load host 0:1 $kernel_addr_r EFI/grub/shimriscv64.efi 755200 bytes read in 5 ms (144 MiB/s) => bootefi $kernel_addr_r Scanning disk mmc2.blk... No valid Btrfs found Bad magic number for SquashFS image. ** Unrecognized filesystem type ** Scanning disk mmc1.blk... No valid Btrfs found Bad magic number for SquashFS image. ** Unrecognized filesystem type ** Scanning disk mmc0.blk... No valid Btrfs found Bad magic number for SquashFS image. ** Unrecognized filesystem type ** Scanning disk host0... Found 5 disks Cannot install EFI_TCG2_PROTOCOL <<<<<<<<<<<<<<<<<<<<<<<<<<< "dfu_alt_info" env variable not defined! Probably dfu_alt_info not defined "dfu_alt_info" env variable not defined! Probably dfu_alt_info not defined Booting /EFI\grub\shimriscv64.efi PE image measurement failed <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< .sbat copied to 0x000000002ca7b000 .sbat = sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim tcg2 measurement fails(0x8000000000000007) <<<<<<<<<<<<<<<< >>> >>> Do you mean it is incomplete or that it has bugs? If it is incomplete, >>> what is needed by U-Boot? > >>> >>>> >>>> A TPM emulation as UNIX socket exists with >>>> https://github.com/stefanberger/swtpm.git. QEMU already uses this emulator. >>>> >>>> Couldn't the sandbox do the same? I think this is the fastest way to get >>>> a compliant sandbox TPM. >>> >>> Well we could if we need it. Are you sure it is a good idea? There is >>> a lot of code there. Are you thinking it would be copied into the >>> U-Boot tree and kept in sync with a script, perhaps? Presumably the >>> project would accept changes we need? >> >> qemu doesn't copy it in, why can't it just run independently as part >> of the CI process? The rust TPM2 bindings do that here: >> https://github.com/parallaxsecond/rust-tss-esapi/blob/main/tss-esapi/tests/all-fedora.sh#L13 > > Keep in mind this is exposed as an MMIIO device. I did send a driver > for it a while back [1]. In case we decide to use this, we can > probably re-use that > > [1] https://lore.kernel.org/u-boot/20210707162604.84196-1-ilias.apalodimas@linaro.org/ > > Regards > /Ilias > Currently we don't test measured boot. I would prefer the tests to run on the sandbox and not in QEMU. This makes debugging much easier. Best regards Heinrich ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: sandbox TPM 2021-08-30 7:34 ` Heinrich Schuchardt @ 2021-09-02 16:41 ` Simon Glass 0 siblings, 0 replies; 6+ messages in thread From: Simon Glass @ 2021-09-02 16:41 UTC (permalink / raw) To: Heinrich Schuchardt; +Cc: Ilias Apalodimas, U-Boot Mailing List, Peter Robinson Hi Heinrich, On Mon, 30 Aug 2021 at 01:34, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote: > > > > On 8/30/21 8:10 AM, Ilias Apalodimas wrote: > > On Sun, 29 Aug 2021 at 13:53, Peter Robinson <pbrobinson@gmail.com> wrote: > >> > >> On Sat, Aug 28, 2021 at 10:19 PM Simon Glass <sjg@chromium.org> wrote: > >>> > >>> Hi Heinrich, > >>> > >>> On Sat, 28 Aug 2021 at 06:18, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote: > >>>> > >>>> The current TPM emulation in drivers/tpm/tpm(2)_tis_sandbox.c is not > >>>> spec compliant. > > @Simon > Just have look at the bunch of TPM related error messages generated on > the sandbox: > > => host bind 0 ../sandbox.img > => load host 0:1 $kernel_addr_r EFI/grub/shimriscv64.efi > 755200 bytes read in 5 ms (144 MiB/s) > => bootefi $kernel_addr_r > Scanning disk mmc2.blk... > No valid Btrfs found > Bad magic number for SquashFS image. > ** Unrecognized filesystem type ** > Scanning disk mmc1.blk... > No valid Btrfs found > Bad magic number for SquashFS image. > ** Unrecognized filesystem type ** > Scanning disk mmc0.blk... > No valid Btrfs found > Bad magic number for SquashFS image. > ** Unrecognized filesystem type ** > Scanning disk host0... > Found 5 disks > Cannot install EFI_TCG2_PROTOCOL <<<<<<<<<<<<<<<<<<<<<<<<<<< > "dfu_alt_info" env variable not defined! > Probably dfu_alt_info not defined > "dfu_alt_info" env variable not defined! > Probably dfu_alt_info not defined > Booting /EFI\grub\shimriscv64.efi > PE image measurement failed <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< > .sbat copied to 0x000000002ca7b000 > .sbat = > sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md > shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim > > tcg2 measurement fails(0x8000000000000007) <<<<<<<<<<<<<<<< OK...then I wonder what it would take to improve the sandbox TPM driver enough for these to pass? We have to think about cost/benefit of the amount of code we are bringing in, debugability, etc. > > > >>> > >>> Do you mean it is incomplete or that it has bugs? If it is incomplete, > >>> what is needed by U-Boot? > > > >>> > >>>> > >>>> A TPM emulation as UNIX socket exists with > >>>> https://github.com/stefanberger/swtpm.git. QEMU already uses this emulator. > >>>> > >>>> Couldn't the sandbox do the same? I think this is the fastest way to get > >>>> a compliant sandbox TPM. > >>> > >>> Well we could if we need it. Are you sure it is a good idea? There is > >>> a lot of code there. Are you thinking it would be copied into the > >>> U-Boot tree and kept in sync with a script, perhaps? Presumably the > >>> project would accept changes we need? > >> > >> qemu doesn't copy it in, why can't it just run independently as part > >> of the CI process? The rust TPM2 bindings do that here: > >> https://github.com/parallaxsecond/rust-tss-esapi/blob/main/tss-esapi/tests/all-fedora.sh#L13 > > > > Keep in mind this is exposed as an MMIIO device. I did send a driver > > for it a while back [1]. In case we decide to use this, we can > > probably re-use that > > > > [1] https://lore.kernel.org/u-boot/20210707162604.84196-1-ilias.apalodimas@linaro.org/ > > > > Regards > > /Ilias > > > > Currently we don't test measured boot. I would prefer the tests to run > on the sandbox and not in QEMU. This makes debugging much easier. I couldn't agree more; development also. Regards, Simon ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2021-09-02 16:41 UTC | newest] Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-08-28 12:18 sandbox TPM Heinrich Schuchardt 2021-08-28 21:19 ` Simon Glass 2021-08-29 10:53 ` Peter Robinson 2021-08-30 6:10 ` Ilias Apalodimas 2021-08-30 7:34 ` Heinrich Schuchardt 2021-09-02 16:41 ` Simon Glass
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.