Seabios Xen TPM check

Seabios Xen TPM check

[Jason Andryuk]

Hi,

SeaBIOS commit 67643955c746 (make SeaBios compatible with Xen vTPM.)
made tpm_start() exit before calling tpm_startup().  The commit
message has no explanation why this change was made.  Does anyone
remember why it was made?

The code today means SeaBIOS will not populate PCRs when running on
Xen.  If I revert the patch, SeaBIOS populates PCRs as one would
expect.  This is with a QEMU-emulated TPM backed by swtpm in TPM 1.2
mode (qemu & swtpm running in a linux stubdom).

Any insight is appreciated.

Thanks,
Jason

Re: Seabios Xen TPM check

[Stefan Berger]

On 6/11/20 8:36 AM, Jason Andryuk wrote:
> Hi,
>
> SeaBIOS commit 67643955c746 (make SeaBios compatible with Xen vTPM.)
> made tpm_start() exit before calling tpm_startup().  The commit
> message has no explanation why this change was made.  Does anyone
> remember why it was made?
>
> The code today means SeaBIOS will not populate PCRs when running on
> Xen.  If I revert the patch, SeaBIOS populates PCRs as one would
> expect.  This is with a QEMU-emulated TPM backed by swtpm in TPM 1.2
> mode (qemu & swtpm running in a linux stubdom).
>
> Any insight is appreciated.

My guess would be that for some reason the TPM 1.2 was already started 
up through other means and didn't need the SeaBIOS tpm_startup() to run.


>
> Thanks,
> Jason

Re: Seabios Xen TPM check

[Jason Andryuk]

On Thu, Jun 11, 2020 at 10:32 AM Stefan Berger <stefanb@linux.ibm.com> wrote:
>
> On 6/11/20 8:36 AM, Jason Andryuk wrote:
> > Hi,
> >
> > SeaBIOS commit 67643955c746 (make SeaBios compatible with Xen vTPM.)
> > made tpm_start() exit before calling tpm_startup().  The commit
> > message has no explanation why this change was made.  Does anyone
> > remember why it was made?
> >
> > The code today means SeaBIOS will not populate PCRs when running on
> > Xen.  If I revert the patch, SeaBIOS populates PCRs as one would
> > expect.  This is with a QEMU-emulated TPM backed by swtpm in TPM 1.2
> > mode (qemu & swtpm running in a linux stubdom).
> >
> > Any insight is appreciated.
>
> My guess would be that for some reason the TPM 1.2 was already started
> up through other means and didn't need the SeaBIOS tpm_startup() to run.

Hmmm, yes.  Thanks, Stefan.  The mini-os vtpm stubdom calls
TPM_Startup and it looks like the Berlios tpm_emulator returns an
error when called twice.

From a little bit of googling, Quan and Emil (added to CC) were
working on an interface from QEMU to the vtpm stubdom, but it looks
like it didn't get merged into upstream QEMU?  It doesn't seem to be
there now.

Anyway, the mini-os vtpm stubdom calls TPM_Startup since a PV guest
doesn't have firmware to make the call.  SeaBIOS could make a
tpm_startup error non-fatal for Xen.  Or better - detect a vtpm
stubdom and only then skip initialization.  vtpm stubdom could also be
changed to skip TPM_Startup for HVM - not sure if that would be
problematic.  That would let SeaBIOS drop the Xen condition.

Regards,
Jason