sandbox TPM

sandbox TPM

[Heinrich Schuchardt]

The current TPM emulation in drivers/tpm/tpm(2)_tis_sandbox.c is not
spec compliant.

A TPM emulation as UNIX socket exists with
https://github.com/stefanberger/swtpm.git. QEMU already uses this emulator.

Couldn't the sandbox do the same? I think this is the fastest way to get
a compliant sandbox TPM.

Best regards

Heinrich

Re: sandbox TPM

[Simon Glass]

Hi Heinrich,

On Sat, 28 Aug 2021 at 06:18, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote:
>
> The current TPM emulation in drivers/tpm/tpm(2)_tis_sandbox.c is not
> spec compliant.

Do you mean it is incomplete or that it has bugs? If it is incomplete,
what is needed by U-Boot?

>
> A TPM emulation as UNIX socket exists with
> https://github.com/stefanberger/swtpm.git. QEMU already uses this emulator.
>
> Couldn't the sandbox do the same? I think this is the fastest way to get
> a compliant sandbox TPM.

Well we could if we need it. Are you sure it is a good idea? There is
a lot of code there. Are you thinking it would be copied into the
U-Boot tree and kept in sync with a script, perhaps? Presumably the
project would accept changes we need?

Regards,
Simon

Re: sandbox TPM

[Peter Robinson]

On Sat, Aug 28, 2021 at 10:19 PM Simon Glass <sjg@chromium.org> wrote:
>
> Hi Heinrich,
>
> On Sat, 28 Aug 2021 at 06:18, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote:
> >
> > The current TPM emulation in drivers/tpm/tpm(2)_tis_sandbox.c is not
> > spec compliant.
>
> Do you mean it is incomplete or that it has bugs? If it is incomplete,
> what is needed by U-Boot?
>
> >
> > A TPM emulation as UNIX socket exists with
> > https://github.com/stefanberger/swtpm.git. QEMU already uses this emulator.
> >
> > Couldn't the sandbox do the same? I think this is the fastest way to get
> > a compliant sandbox TPM.
>
> Well we could if we need it. Are you sure it is a good idea? There is
> a lot of code there. Are you thinking it would be copied into the
> U-Boot tree and kept in sync with a script, perhaps? Presumably the
> project would accept changes we need?

qemu doesn't copy it in, why can't it just run independently as part
of the CI process? The rust TPM2 bindings do that here:
https://github.com/parallaxsecond/rust-tss-esapi/blob/main/tss-esapi/tests/all-fedora.sh#L13

Re: sandbox TPM

[Ilias Apalodimas]

On Sun, 29 Aug 2021 at 13:53, Peter Robinson <pbrobinson@gmail.com> wrote:
>
> On Sat, Aug 28, 2021 at 10:19 PM Simon Glass <sjg@chromium.org> wrote:
> >
> > Hi Heinrich,
> >
> > On Sat, 28 Aug 2021 at 06:18, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote:
> > >
> > > The current TPM emulation in drivers/tpm/tpm(2)_tis_sandbox.c is not
> > > spec compliant.
> >
> > Do you mean it is incomplete or that it has bugs? If it is incomplete,
> > what is needed by U-Boot?

> >
> > >
> > > A TPM emulation as UNIX socket exists with
> > > https://github.com/stefanberger/swtpm.git. QEMU already uses this emulator.
> > >
> > > Couldn't the sandbox do the same? I think this is the fastest way to get
> > > a compliant sandbox TPM.
> >
> > Well we could if we need it. Are you sure it is a good idea? There is
> > a lot of code there. Are you thinking it would be copied into the
> > U-Boot tree and kept in sync with a script, perhaps? Presumably the
> > project would accept changes we need?
>
> qemu doesn't copy it in, why can't it just run independently as part
> of the CI process? The rust TPM2 bindings do that here:
> https://github.com/parallaxsecond/rust-tss-esapi/blob/main/tss-esapi/tests/all-fedora.sh#L13

Keep in mind this is exposed as an MMIIO device. I did send a driver
for it a while back [1].  In case we decide to use this, we can
probably re-use that

[1] https://lore.kernel.org/u-boot/20210707162604.84196-1-ilias.apalodimas@linaro.org/

Regards
/Ilias

Re: sandbox TPM

[Heinrich Schuchardt]

On 8/30/21 8:10 AM, Ilias Apalodimas wrote:
> On Sun, 29 Aug 2021 at 13:53, Peter Robinson <pbrobinson@gmail.com> wrote:
>>
>> On Sat, Aug 28, 2021 at 10:19 PM Simon Glass <sjg@chromium.org> wrote:
>>>
>>> Hi Heinrich,
>>>
>>> On Sat, 28 Aug 2021 at 06:18, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote:
>>>>
>>>> The current TPM emulation in drivers/tpm/tpm(2)_tis_sandbox.c is not
>>>> spec compliant.

@Simon
Just have look at the bunch of TPM related error messages generated on
the sandbox:

=> host bind 0 ../sandbox.img
=> load host 0:1 $kernel_addr_r EFI/grub/shimriscv64.efi
755200 bytes read in 5 ms (144 MiB/s)
=> bootefi $kernel_addr_r
Scanning disk mmc2.blk...
No valid Btrfs found
Bad magic number for SquashFS image.
** Unrecognized filesystem type **
Scanning disk mmc1.blk...
No valid Btrfs found
Bad magic number for SquashFS image.
** Unrecognized filesystem type **
Scanning disk mmc0.blk...
No valid Btrfs found
Bad magic number for SquashFS image.
** Unrecognized filesystem type **
Scanning disk host0...
Found 5 disks
Cannot install EFI_TCG2_PROTOCOL <<<<<<<<<<<<<<<<<<<<<<<<<<<
"dfu_alt_info" env variable not defined!
Probably dfu_alt_info not defined
"dfu_alt_info" env variable not defined!
Probably dfu_alt_info not defined
Booting /EFI\grub\shimriscv64.efi
PE image measurement failed <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
.sbat copied to 0x000000002ca7b000
.sbat =
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim

tcg2 measurement fails(0x8000000000000007)  <<<<<<<<<<<<<<<<


>>>
>>> Do you mean it is incomplete or that it has bugs? If it is incomplete,
>>> what is needed by U-Boot?
>
>>>
>>>>
>>>> A TPM emulation as UNIX socket exists with
>>>> https://github.com/stefanberger/swtpm.git. QEMU already uses this emulator.
>>>>
>>>> Couldn't the sandbox do the same? I think this is the fastest way to get
>>>> a compliant sandbox TPM.
>>>
>>> Well we could if we need it. Are you sure it is a good idea? There is
>>> a lot of code there. Are you thinking it would be copied into the
>>> U-Boot tree and kept in sync with a script, perhaps? Presumably the
>>> project would accept changes we need?
>>
>> qemu doesn't copy it in, why can't it just run independently as part
>> of the CI process? The rust TPM2 bindings do that here:
>> https://github.com/parallaxsecond/rust-tss-esapi/blob/main/tss-esapi/tests/all-fedora.sh#L13
>
> Keep in mind this is exposed as an MMIIO device. I did send a driver
> for it a while back [1].  In case we decide to use this, we can
> probably re-use that
>
> [1] https://lore.kernel.org/u-boot/20210707162604.84196-1-ilias.apalodimas@linaro.org/
>
> Regards
> /Ilias
>

Currently we don't test measured boot. I would prefer the tests to run
on the sandbox and not in QEMU. This makes debugging much easier.

Best regards

Heinrich

Re: sandbox TPM

[Simon Glass]

Hi Heinrich,

On Mon, 30 Aug 2021 at 01:34, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote:
>
>
>
> On 8/30/21 8:10 AM, Ilias Apalodimas wrote:
> > On Sun, 29 Aug 2021 at 13:53, Peter Robinson <pbrobinson@gmail.com> wrote:
> >>
> >> On Sat, Aug 28, 2021 at 10:19 PM Simon Glass <sjg@chromium.org> wrote:
> >>>
> >>> Hi Heinrich,
> >>>
> >>> On Sat, 28 Aug 2021 at 06:18, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote:
> >>>>
> >>>> The current TPM emulation in drivers/tpm/tpm(2)_tis_sandbox.c is not
> >>>> spec compliant.
>
> @Simon
> Just have look at the bunch of TPM related error messages generated on
> the sandbox:
>
> => host bind 0 ../sandbox.img
> => load host 0:1 $kernel_addr_r EFI/grub/shimriscv64.efi
> 755200 bytes read in 5 ms (144 MiB/s)
> => bootefi $kernel_addr_r
> Scanning disk mmc2.blk...
> No valid Btrfs found
> Bad magic number for SquashFS image.
> ** Unrecognized filesystem type **
> Scanning disk mmc1.blk...
> No valid Btrfs found
> Bad magic number for SquashFS image.
> ** Unrecognized filesystem type **
> Scanning disk mmc0.blk...
> No valid Btrfs found
> Bad magic number for SquashFS image.
> ** Unrecognized filesystem type **
> Scanning disk host0...
> Found 5 disks
> Cannot install EFI_TCG2_PROTOCOL <<<<<<<<<<<<<<<<<<<<<<<<<<<
> "dfu_alt_info" env variable not defined!
> Probably dfu_alt_info not defined
> "dfu_alt_info" env variable not defined!
> Probably dfu_alt_info not defined
> Booting /EFI\grub\shimriscv64.efi
> PE image measurement failed <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
> .sbat copied to 0x000000002ca7b000
> .sbat =
> sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
> shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim
>
> tcg2 measurement fails(0x8000000000000007)  <<<<<<<<<<<<<<<<

OK...then I wonder what it would take to improve the sandbox TPM
driver enough for these to pass? We have to think about cost/benefit
of the amount of code we are bringing in, debugability, etc.

>
>
> >>>
> >>> Do you mean it is incomplete or that it has bugs? If it is incomplete,
> >>> what is needed by U-Boot?
> >
> >>>
> >>>>
> >>>> A TPM emulation as UNIX socket exists with
> >>>> https://github.com/stefanberger/swtpm.git. QEMU already uses this emulator.
> >>>>
> >>>> Couldn't the sandbox do the same? I think this is the fastest way to get
> >>>> a compliant sandbox TPM.
> >>>
> >>> Well we could if we need it. Are you sure it is a good idea? There is
> >>> a lot of code there. Are you thinking it would be copied into the
> >>> U-Boot tree and kept in sync with a script, perhaps? Presumably the
> >>> project would accept changes we need?
> >>
> >> qemu doesn't copy it in, why can't it just run independently as part
> >> of the CI process? The rust TPM2 bindings do that here:
> >> https://github.com/parallaxsecond/rust-tss-esapi/blob/main/tss-esapi/tests/all-fedora.sh#L13
> >
> > Keep in mind this is exposed as an MMIIO device. I did send a driver
> > for it a while back [1].  In case we decide to use this, we can
> > probably re-use that
> >
> > [1] https://lore.kernel.org/u-boot/20210707162604.84196-1-ilias.apalodimas@linaro.org/
> >
> > Regards
> > /Ilias
> >
>
> Currently we don't test measured boot. I would prefer the tests to run
> on the sandbox and not in QEMU. This makes debugging much easier.

I couldn't agree more; development also.

Regards,
Simon