Re: [PATCH 2/2] tpm: add backend for mssim

From: Stefan Berger <stefanb@linux.ibm.com>
To: jejb@linux.ibm.com, "Daniel P. Berrangé" <berrange@redhat.com>
Cc: qemu-devel@nongnu.org, Markus Armbruster <armbru@redhat.com>
Subject: Re: [PATCH 2/2] tpm: add backend for mssim
Date: Fri, 16 Dec 2022 11:08:38 -0500	[thread overview]
Message-ID: <7cd73725-27ff-8500-9d18-b1a284be97be@linux.ibm.com> (raw)
In-Reply-To: <c4203617f5a017c30175ebccde80bdc3d680b615.camel@linux.ibm.com>

On 12/16/22 10:48, James Bottomley wrote:
> On Fri, 2022-12-16 at 09:55 -0500, Stefan Berger wrote:
>>
>>
>> On 12/16/22 09:29, Daniel P. Berrangé wrote:
>>
>>>
>>> All the objections you're raising are related to the current
>>> specifics of the implementation of the mssim remote server.
>>> While valid, this is of no concern to QEMU when deciding whether
>>> to require a migration blocker on the client side. This is 3rd
>>> party remote service that should be considered a black box from
>>> QEMU's POV. It is possible to write a remote server that supports
>>> the mssim network protocol, and has the ability to serialize
>>> its state. Whether such an impl exists today or not is separate.
>>
>> Then let's document the scenarios so someone can repeat them, I think
>> this is just fair. James said he tested state migration scenarios and
>> it works, so let's enable others to do it as well. I am open to
>> someone maintaining just this driver and the dynamics that may
>> develop around it.
> 
> Well, OK, this is what I think would be appropriate ... I'll fold it in
> to the second patch.
> 
> James
> 
> ---
> 
> diff --git a/docs/specs/tpm.rst b/docs/specs/tpm.rst
> index 535912a92b..985d0775a0 100644
> --- a/docs/specs/tpm.rst
> +++ b/docs/specs/tpm.rst
> @@ -270,6 +270,38 @@ available as a module (assuming a TPM 2 is passed through):
>     /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/9
>     ...
>   
> +The QEMU TPM Microsoft Simulator Device
> +---------------------------------------
> +
> +The TCG provides a reference implementation for TPM 2.0 written by
> +Microsoft (See `ms-tpm-20-ref`_ on github).  The reference implementation
> +starts a network server and listens for TPM commands on port 2321 and
> +TPM Platform control commands on port 2322, although these can be
> +altered.  The QEMU mssim TPM backend talks to this implementation.  By
> +default it connects to the default ports on localhost:
> +
> +.. code-block:: console
> +
> +  qemu-system-x86_64 <qemu-options> \
> +    -tpmdev mssim,id=tpm0 \
> +    -device tpm-crb,tpmdev=tpm0
> +
> +
> +Although it can also communicate with a remote host, which must be
> +specified as a SocketAddress via json on the command line for each of
> +the command and control ports:
> +
> +.. code-block:: console
> +
> +  qemu-system-x86_64 <qemu-options> \
> +    -tpmdev "{'type':'mssim','id':'tpm0','command':{'type':inet,'host':'remote','port':'2321'},'control':{'type':'inet','host':'remote','port':'2322'}}" \
> +    -device tpm-crb,tpmdev=tpm0
> +
> +
> +The mssim backend supports snapshotting and migration, but the state
> +of the Microsoft Simulator server must be preserved (or the server
> +kept running) outside of QEMU for restore to be successful.

You said you tested it. Can you show how to set it up with command lines? I want to try out at least suspend and resume .

    Stefan

> +
>   The QEMU TPM emulator device
>   ----------------------------
>   
> @@ -526,3 +558,6 @@ the following:
>   
>   .. _SWTPM protocol:
>      https://github.com/stefanberger/swtpm/blob/master/man/man3/swtpm_ioctls.pod
> +
> +.. _ms-tpm-20-ref:
> +   https://github.com/microsoft/ms-tpm-20-ref
> 