* [PATCH v9 0/2] tpm2: Make TPM2 logs accessible for non-UEFI firmware
@ 2020-07-06 18:19 Stefan Berger
2020-07-06 18:19 ` [PATCH v9 1/2] acpi: Extend TPM2 ACPI table with missing log fields Stefan Berger
2020-07-06 18:19 ` [PATCH v9 2/2] tpm: Add support for event log pointer found in TPM2 ACPI table Stefan Berger
0 siblings, 2 replies; 19+ messages in thread
From: Stefan Berger @ 2020-07-06 18:19 UTC (permalink / raw)
To: linux-integrity, linux-kernel, jarkko.sakkinen, linux-acpi,
linux-security-module
Cc: Stefan Berger
From: Stefan Berger <stefanb@linux.ibm.com>
This series of patches adds an optional extensions for the TPM2 ACPI table
with additional fields found in the TPM2 TCG ACPI specification (reference
is in the patch) that allow access to the log's address and its size. We
then modify the code that so far only enables access to a TPM 1.2's log for
a TPM2 as well. This then enables access to the TPM2's log on non-UEFI
system that for example run SeaBIOS.
Stefan
v8->v9:
- Renamed variable
v7->v8:
- Added empty line.
v6->v7:
- Added empty lines and R-b.
v5->v6:
- Moved extensions of TPM2 table into acpi_tpm2_phy.
v4->v5:
- Added R-bs and A-bs.
v3->v4:
- Repost as one series
v2->v3:
- Split the series into two separate patches
- Added comments to ACPI table fields
- Added check for null pointer to log area and zero log size
v1->v2:
- Repost of the series
Stefan Berger (2):
acpi: Extend TPM2 ACPI table with missing log fields
tpm: Add support for event log pointer found in TPM2 ACPI table
drivers/char/tpm/eventlog/acpi.c | 63 +++++++++++++++++++++-----------
include/acpi/actbl3.h | 7 ++++
2 files changed, 49 insertions(+), 21 deletions(-)
--
2.26.2
^ permalink raw reply [flat|nested] 19+ messages in thread
* [PATCH v9 1/2] acpi: Extend TPM2 ACPI table with missing log fields
2020-07-06 18:19 [PATCH v9 0/2] tpm2: Make TPM2 logs accessible for non-UEFI firmware Stefan Berger
@ 2020-07-06 18:19 ` Stefan Berger
2020-07-06 22:02 ` Jerry Snitselaar
2020-07-06 18:19 ` [PATCH v9 2/2] tpm: Add support for event log pointer found in TPM2 ACPI table Stefan Berger
1 sibling, 1 reply; 19+ messages in thread
From: Stefan Berger @ 2020-07-06 18:19 UTC (permalink / raw)
To: linux-integrity, linux-kernel, jarkko.sakkinen, linux-acpi,
linux-security-module
Cc: Stefan Berger, Rafael J . Wysocki
From: Stefan Berger <stefanb@linux.ibm.com>
Recent extensions of the TPM2 ACPI table added 3 more fields
including 12 bytes of start method specific parameters and Log Area
Minimum Length (u32) and Log Area Start Address (u64). So, we define
a new structure acpi_tpm2_phy that holds these optional new fields.
The new fields allow non-UEFI systems to access the TPM2's log.
The specification that has the new fields is the following:
TCG ACPI Specification
Family "1.2" and "2.0"
Version 1.2, Revision 8
https://trustedcomputinggroup.org/wp-content/uploads/TCG_ACPIGeneralSpecification_v1.20_r8.pdf
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Cc: linux-acpi@vger.kernel.org
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
---
include/acpi/actbl3.h | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/include/acpi/actbl3.h b/include/acpi/actbl3.h
index b0b163b9efc6..bdcac69fa6bd 100644
--- a/include/acpi/actbl3.h
+++ b/include/acpi/actbl3.h
@@ -415,6 +415,13 @@ struct acpi_table_tpm2 {
/* Platform-specific data follows */
};
+/* Optional trailer for revision 4 holding platform-specific data */
+struct acpi_tpm2_phy {
+ u8 start_method_specific[12];
+ u32 log_area_minimum_length;
+ u64 log_area_start_address;
+};
+
/* Values for start_method above */
#define ACPI_TPM2_NOT_ALLOWED 0
--
2.26.2
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH v9 2/2] tpm: Add support for event log pointer found in TPM2 ACPI table
2020-07-06 18:19 [PATCH v9 0/2] tpm2: Make TPM2 logs accessible for non-UEFI firmware Stefan Berger
2020-07-06 18:19 ` [PATCH v9 1/2] acpi: Extend TPM2 ACPI table with missing log fields Stefan Berger
@ 2020-07-06 18:19 ` Stefan Berger
2020-07-06 22:04 ` Jerry Snitselaar
2020-07-06 23:09 ` Jarkko Sakkinen
1 sibling, 2 replies; 19+ messages in thread
From: Stefan Berger @ 2020-07-06 18:19 UTC (permalink / raw)
To: linux-integrity, linux-kernel, jarkko.sakkinen, linux-acpi,
linux-security-module
Cc: Stefan Berger
From: Stefan Berger <stefanb@linux.ibm.com>
In case a TPM2 is attached, search for a TPM2 ACPI table when trying
to get the event log from ACPI. If one is found, use it to get the
start and length of the log area. This allows non-UEFI systems, such
as SeaBIOS, to pass an event log when using a TPM2.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
drivers/char/tpm/eventlog/acpi.c | 63 +++++++++++++++++++++-----------
1 file changed, 42 insertions(+), 21 deletions(-)
diff --git a/drivers/char/tpm/eventlog/acpi.c b/drivers/char/tpm/eventlog/acpi.c
index 63ada5e53f13..3633ed70f48f 100644
--- a/drivers/char/tpm/eventlog/acpi.c
+++ b/drivers/char/tpm/eventlog/acpi.c
@@ -49,9 +49,9 @@ int tpm_read_log_acpi(struct tpm_chip *chip)
void __iomem *virt;
u64 len, start;
struct tpm_bios_log *log;
-
- if (chip->flags & TPM_CHIP_FLAG_TPM2)
- return -ENODEV;
+ struct acpi_table_tpm2 *tbl;
+ struct acpi_tpm2_phy *tpm2_phy;
+ int format;
log = &chip->log;
@@ -61,23 +61,44 @@ int tpm_read_log_acpi(struct tpm_chip *chip)
if (!chip->acpi_dev_handle)
return -ENODEV;
- /* Find TCPA entry in RSDT (ACPI_LOGICAL_ADDRESSING) */
- status = acpi_get_table(ACPI_SIG_TCPA, 1,
- (struct acpi_table_header **)&buff);
-
- if (ACPI_FAILURE(status))
- return -ENODEV;
-
- switch(buff->platform_class) {
- case BIOS_SERVER:
- len = buff->server.log_max_len;
- start = buff->server.log_start_addr;
- break;
- case BIOS_CLIENT:
- default:
- len = buff->client.log_max_len;
- start = buff->client.log_start_addr;
- break;
+ if (chip->flags & TPM_CHIP_FLAG_TPM2) {
+ status = acpi_get_table("TPM2", 1,
+ (struct acpi_table_header **)&tbl);
+ if (ACPI_FAILURE(status))
+ return -ENODEV;
+
+ if (tbl->header.length <
+ sizeof(*tbl) + sizeof(struct acpi_tpm2_phy))
+ return -ENODEV;
+
+ tpm2_phy = (void *)tbl + sizeof(*tbl);
+ len = tpm2_phy->log_area_minimum_length;
+
+ start = tpm2_phy->log_area_start_address;
+ if (!start || !len)
+ return -ENODEV;
+
+ format = EFI_TCG2_EVENT_LOG_FORMAT_TCG_2;
+ } else {
+ /* Find TCPA entry in RSDT (ACPI_LOGICAL_ADDRESSING) */
+ status = acpi_get_table(ACPI_SIG_TCPA, 1,
+ (struct acpi_table_header **)&buff);
+ if (ACPI_FAILURE(status))
+ return -ENODEV;
+
+ switch (buff->platform_class) {
+ case BIOS_SERVER:
+ len = buff->server.log_max_len;
+ start = buff->server.log_start_addr;
+ break;
+ case BIOS_CLIENT:
+ default:
+ len = buff->client.log_max_len;
+ start = buff->client.log_start_addr;
+ break;
+ }
+
+ format = EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2;
}
if (!len) {
dev_warn(&chip->dev, "%s: TCPA log area empty\n", __func__);
@@ -98,7 +119,7 @@ int tpm_read_log_acpi(struct tpm_chip *chip)
memcpy_fromio(log->bios_event_log, virt, len);
acpi_os_unmap_iomem(virt, len);
- return EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2;
+ return format;
err:
kfree(log->bios_event_log);
--
2.26.2
^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: [PATCH v9 1/2] acpi: Extend TPM2 ACPI table with missing log fields
2020-07-06 18:19 ` [PATCH v9 1/2] acpi: Extend TPM2 ACPI table with missing log fields Stefan Berger
@ 2020-07-06 22:02 ` Jerry Snitselaar
0 siblings, 0 replies; 19+ messages in thread
From: Jerry Snitselaar @ 2020-07-06 22:02 UTC (permalink / raw)
To: Stefan Berger
Cc: linux-integrity, linux-kernel, jarkko.sakkinen, linux-acpi,
linux-security-module, Stefan Berger, Rafael J . Wysocki
Stefan Berger @ 2020-07-06 11:19 MST:
> From: Stefan Berger <stefanb@linux.ibm.com>
>
> Recent extensions of the TPM2 ACPI table added 3 more fields
> including 12 bytes of start method specific parameters and Log Area
> Minimum Length (u32) and Log Area Start Address (u64). So, we define
> a new structure acpi_tpm2_phy that holds these optional new fields.
> The new fields allow non-UEFI systems to access the TPM2's log.
>
> The specification that has the new fields is the following:
> TCG ACPI Specification
> Family "1.2" and "2.0"
> Version 1.2, Revision 8
>
> https://trustedcomputinggroup.org/wp-content/uploads/TCG_ACPIGeneralSpecification_v1.20_r8.pdf
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> Cc: linux-acpi@vger.kernel.org
> Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
> ---
> include/acpi/actbl3.h | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/include/acpi/actbl3.h b/include/acpi/actbl3.h
> index b0b163b9efc6..bdcac69fa6bd 100644
> --- a/include/acpi/actbl3.h
> +++ b/include/acpi/actbl3.h
> @@ -415,6 +415,13 @@ struct acpi_table_tpm2 {
> /* Platform-specific data follows */
> };
>
> +/* Optional trailer for revision 4 holding platform-specific data */
> +struct acpi_tpm2_phy {
> + u8 start_method_specific[12];
> + u32 log_area_minimum_length;
> + u64 log_area_start_address;
> +};
> +
> /* Values for start_method above */
>
> #define ACPI_TPM2_NOT_ALLOWED 0
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH v9 2/2] tpm: Add support for event log pointer found in TPM2 ACPI table
2020-07-06 18:19 ` [PATCH v9 2/2] tpm: Add support for event log pointer found in TPM2 ACPI table Stefan Berger
@ 2020-07-06 22:04 ` Jerry Snitselaar
2020-07-06 23:09 ` Jarkko Sakkinen
1 sibling, 0 replies; 19+ messages in thread
From: Jerry Snitselaar @ 2020-07-06 22:04 UTC (permalink / raw)
To: Stefan Berger
Cc: linux-integrity, linux-kernel, jarkko.sakkinen, linux-acpi,
linux-security-module, Stefan Berger
Stefan Berger @ 2020-07-06 11:19 MST:
> From: Stefan Berger <stefanb@linux.ibm.com>
>
> In case a TPM2 is attached, search for a TPM2 ACPI table when trying
> to get the event log from ACPI. If one is found, use it to get the
> start and length of the log area. This allows non-UEFI systems, such
> as SeaBIOS, to pass an event log when using a TPM2.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
> ---
> drivers/char/tpm/eventlog/acpi.c | 63 +++++++++++++++++++++-----------
> 1 file changed, 42 insertions(+), 21 deletions(-)
>
> diff --git a/drivers/char/tpm/eventlog/acpi.c b/drivers/char/tpm/eventlog/acpi.c
> index 63ada5e53f13..3633ed70f48f 100644
> --- a/drivers/char/tpm/eventlog/acpi.c
> +++ b/drivers/char/tpm/eventlog/acpi.c
> @@ -49,9 +49,9 @@ int tpm_read_log_acpi(struct tpm_chip *chip)
> void __iomem *virt;
> u64 len, start;
> struct tpm_bios_log *log;
> -
> - if (chip->flags & TPM_CHIP_FLAG_TPM2)
> - return -ENODEV;
> + struct acpi_table_tpm2 *tbl;
> + struct acpi_tpm2_phy *tpm2_phy;
> + int format;
>
> log = &chip->log;
>
> @@ -61,23 +61,44 @@ int tpm_read_log_acpi(struct tpm_chip *chip)
> if (!chip->acpi_dev_handle)
> return -ENODEV;
>
> - /* Find TCPA entry in RSDT (ACPI_LOGICAL_ADDRESSING) */
> - status = acpi_get_table(ACPI_SIG_TCPA, 1,
> - (struct acpi_table_header **)&buff);
> -
> - if (ACPI_FAILURE(status))
> - return -ENODEV;
> -
> - switch(buff->platform_class) {
> - case BIOS_SERVER:
> - len = buff->server.log_max_len;
> - start = buff->server.log_start_addr;
> - break;
> - case BIOS_CLIENT:
> - default:
> - len = buff->client.log_max_len;
> - start = buff->client.log_start_addr;
> - break;
> + if (chip->flags & TPM_CHIP_FLAG_TPM2) {
> + status = acpi_get_table("TPM2", 1,
> + (struct acpi_table_header **)&tbl);
> + if (ACPI_FAILURE(status))
> + return -ENODEV;
> +
> + if (tbl->header.length <
> + sizeof(*tbl) + sizeof(struct acpi_tpm2_phy))
> + return -ENODEV;
> +
> + tpm2_phy = (void *)tbl + sizeof(*tbl);
> + len = tpm2_phy->log_area_minimum_length;
> +
> + start = tpm2_phy->log_area_start_address;
> + if (!start || !len)
> + return -ENODEV;
> +
> + format = EFI_TCG2_EVENT_LOG_FORMAT_TCG_2;
> + } else {
> + /* Find TCPA entry in RSDT (ACPI_LOGICAL_ADDRESSING) */
> + status = acpi_get_table(ACPI_SIG_TCPA, 1,
> + (struct acpi_table_header **)&buff);
> + if (ACPI_FAILURE(status))
> + return -ENODEV;
> +
> + switch (buff->platform_class) {
> + case BIOS_SERVER:
> + len = buff->server.log_max_len;
> + start = buff->server.log_start_addr;
> + break;
> + case BIOS_CLIENT:
> + default:
> + len = buff->client.log_max_len;
> + start = buff->client.log_start_addr;
> + break;
> + }
> +
> + format = EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2;
> }
> if (!len) {
> dev_warn(&chip->dev, "%s: TCPA log area empty\n", __func__);
> @@ -98,7 +119,7 @@ int tpm_read_log_acpi(struct tpm_chip *chip)
> memcpy_fromio(log->bios_event_log, virt, len);
>
> acpi_os_unmap_iomem(virt, len);
> - return EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2;
> + return format;
>
> err:
> kfree(log->bios_event_log);
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH v9 2/2] tpm: Add support for event log pointer found in TPM2 ACPI table
2020-07-06 18:19 ` [PATCH v9 2/2] tpm: Add support for event log pointer found in TPM2 ACPI table Stefan Berger
2020-07-06 22:04 ` Jerry Snitselaar
@ 2020-07-06 23:09 ` Jarkko Sakkinen
2020-07-06 23:12 ` Jarkko Sakkinen
` (2 more replies)
1 sibling, 3 replies; 19+ messages in thread
From: Jarkko Sakkinen @ 2020-07-06 23:09 UTC (permalink / raw)
To: Stefan Berger
Cc: linux-integrity, linux-kernel, linux-acpi, linux-security-module,
Stefan Berger
On Mon, Jul 06, 2020 at 02:19:53PM -0400, Stefan Berger wrote:
> From: Stefan Berger <stefanb@linux.ibm.com>
>
> In case a TPM2 is attached, search for a TPM2 ACPI table when trying
> to get the event log from ACPI. If one is found, use it to get the
> start and length of the log area. This allows non-UEFI systems, such
> as SeaBIOS, to pass an event log when using a TPM2.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Do you think that QEMU with TPM 1.2 emulator turned on would be a viable
way to test this?
I'm anyway more worried about breaking existing TPM 1.2 functionality
and that requires only QEMU without extras.
/Jarkko
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH v9 2/2] tpm: Add support for event log pointer found in TPM2 ACPI table
2020-07-06 23:09 ` Jarkko Sakkinen
@ 2020-07-06 23:12 ` Jarkko Sakkinen
2020-07-06 23:55 ` Stefan Berger
2020-07-06 23:57 ` Jerry Snitselaar
2 siblings, 0 replies; 19+ messages in thread
From: Jarkko Sakkinen @ 2020-07-06 23:12 UTC (permalink / raw)
To: Stefan Berger
Cc: linux-integrity, linux-kernel, linux-acpi, linux-security-module,
Stefan Berger
On Tue, Jul 07, 2020 at 02:09:18AM +0300, Jarkko Sakkinen wrote:
> On Mon, Jul 06, 2020 at 02:19:53PM -0400, Stefan Berger wrote:
> > From: Stefan Berger <stefanb@linux.ibm.com>
> >
> > In case a TPM2 is attached, search for a TPM2 ACPI table when trying
> > to get the event log from ACPI. If one is found, use it to get the
> > start and length of the log area. This allows non-UEFI systems, such
> > as SeaBIOS, to pass an event log when using a TPM2.
> >
> > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>
> Do you think that QEMU with TPM 1.2 emulator turned on would be a viable
> way to test this?
>
> I'm anyway more worried about breaking existing TPM 1.2 functionality
> and that requires only QEMU without extras.
BTW, you should cc your patches to all M- and R-entries in the
MAINTAINERS file. Please, resend this patch set version. You can add
acquired reviewed-by and tested-by tags (e.g. Jerry's) and use this tag
for the patch set: "RESEND,PATCH v9".
/Jarkko
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH v9 2/2] tpm: Add support for event log pointer found in TPM2 ACPI table
2020-07-06 23:09 ` Jarkko Sakkinen
2020-07-06 23:12 ` Jarkko Sakkinen
@ 2020-07-06 23:55 ` Stefan Berger
2020-07-07 2:24 ` Jarkko Sakkinen
2020-07-06 23:57 ` Jerry Snitselaar
2 siblings, 1 reply; 19+ messages in thread
From: Stefan Berger @ 2020-07-06 23:55 UTC (permalink / raw)
To: Jarkko Sakkinen, Stefan Berger
Cc: linux-integrity, linux-kernel, linux-acpi, linux-security-module
On 7/6/20 7:09 PM, Jarkko Sakkinen wrote:
> On Mon, Jul 06, 2020 at 02:19:53PM -0400, Stefan Berger wrote:
>> From: Stefan Berger <stefanb@linux.ibm.com>
>>
>> In case a TPM2 is attached, search for a TPM2 ACPI table when trying
>> to get the event log from ACPI. If one is found, use it to get the
>> start and length of the log area. This allows non-UEFI systems, such
>> as SeaBIOS, to pass an event log when using a TPM2.
>>
>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> Do you think that QEMU with TPM 1.2 emulator turned on would be a viable
> way to test this?
Yes.
>
> I'm anyway more worried about breaking existing TPM 1.2 functionality
> and that requires only QEMU without extras.
>
> /Jarkko
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH v9 2/2] tpm: Add support for event log pointer found in TPM2 ACPI table
2020-07-06 23:09 ` Jarkko Sakkinen
2020-07-06 23:12 ` Jarkko Sakkinen
2020-07-06 23:55 ` Stefan Berger
@ 2020-07-06 23:57 ` Jerry Snitselaar
2020-07-07 2:24 ` Jarkko Sakkinen
2 siblings, 1 reply; 19+ messages in thread
From: Jerry Snitselaar @ 2020-07-06 23:57 UTC (permalink / raw)
To: Jarkko Sakkinen
Cc: Stefan Berger, linux-integrity, linux-kernel, linux-acpi,
linux-security-module, Stefan Berger
Jarkko Sakkinen @ 2020-07-06 16:09 MST:
> On Mon, Jul 06, 2020 at 02:19:53PM -0400, Stefan Berger wrote:
>> From: Stefan Berger <stefanb@linux.ibm.com>
>>
>> In case a TPM2 is attached, search for a TPM2 ACPI table when trying
>> to get the event log from ACPI. If one is found, use it to get the
>> start and length of the log area. This allows non-UEFI systems, such
>> as SeaBIOS, to pass an event log when using a TPM2.
>>
>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>
> Do you think that QEMU with TPM 1.2 emulator turned on would be a viable
> way to test this?
>
> I'm anyway more worried about breaking existing TPM 1.2 functionality
> and that requires only QEMU without extras.
>
> /Jarkko
The 1.2 bits should be functionally the same as before, right?
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH v9 2/2] tpm: Add support for event log pointer found in TPM2 ACPI table
2020-07-06 23:55 ` Stefan Berger
@ 2020-07-07 2:24 ` Jarkko Sakkinen
2020-07-07 3:08 ` Stefan Berger
0 siblings, 1 reply; 19+ messages in thread
From: Jarkko Sakkinen @ 2020-07-07 2:24 UTC (permalink / raw)
To: Stefan Berger
Cc: Stefan Berger, linux-integrity, linux-kernel, linux-acpi,
linux-security-module
On Mon, Jul 06, 2020 at 07:55:26PM -0400, Stefan Berger wrote:
> On 7/6/20 7:09 PM, Jarkko Sakkinen wrote:
> > On Mon, Jul 06, 2020 at 02:19:53PM -0400, Stefan Berger wrote:
> > > From: Stefan Berger <stefanb@linux.ibm.com>
> > >
> > > In case a TPM2 is attached, search for a TPM2 ACPI table when trying
> > > to get the event log from ACPI. If one is found, use it to get the
> > > start and length of the log area. This allows non-UEFI systems, such
> > > as SeaBIOS, to pass an event log when using a TPM2.
> > >
> > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > Do you think that QEMU with TPM 1.2 emulator turned on would be a viable
> > way to test this?
>
>
> Yes.
Is the emulator bundled with QEMU or does it have to be installed
separately?
/Jarkko
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH v9 2/2] tpm: Add support for event log pointer found in TPM2 ACPI table
2020-07-06 23:57 ` Jerry Snitselaar
@ 2020-07-07 2:24 ` Jarkko Sakkinen
0 siblings, 0 replies; 19+ messages in thread
From: Jarkko Sakkinen @ 2020-07-07 2:24 UTC (permalink / raw)
To: Jerry Snitselaar
Cc: Stefan Berger, linux-integrity, linux-kernel, linux-acpi,
linux-security-module, Stefan Berger
On Mon, Jul 06, 2020 at 04:57:28PM -0700, Jerry Snitselaar wrote:
>
> Jarkko Sakkinen @ 2020-07-06 16:09 MST:
>
> > On Mon, Jul 06, 2020 at 02:19:53PM -0400, Stefan Berger wrote:
> >> From: Stefan Berger <stefanb@linux.ibm.com>
> >>
> >> In case a TPM2 is attached, search for a TPM2 ACPI table when trying
> >> to get the event log from ACPI. If one is found, use it to get the
> >> start and length of the log area. This allows non-UEFI systems, such
> >> as SeaBIOS, to pass an event log when using a TPM2.
> >>
> >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> >
> > Do you think that QEMU with TPM 1.2 emulator turned on would be a viable
> > way to test this?
> >
> > I'm anyway more worried about breaking existing TPM 1.2 functionality
> > and that requires only QEMU without extras.
> >
> > /Jarkko
>
> The 1.2 bits should be functionally the same as before, right?
Yes. You should be able to read event log with TPM 1.2 as before.
/Jarkko
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH v9 2/2] tpm: Add support for event log pointer found in TPM2 ACPI table
2020-07-07 2:24 ` Jarkko Sakkinen
@ 2020-07-07 3:08 ` Stefan Berger
2020-07-07 4:03 ` Jarkko Sakkinen
0 siblings, 1 reply; 19+ messages in thread
From: Stefan Berger @ 2020-07-07 3:08 UTC (permalink / raw)
To: Jarkko Sakkinen
Cc: Stefan Berger, linux-integrity, linux-kernel, linux-acpi,
linux-security-module
On 7/6/20 10:24 PM, Jarkko Sakkinen wrote:
> On Mon, Jul 06, 2020 at 07:55:26PM -0400, Stefan Berger wrote:
>> On 7/6/20 7:09 PM, Jarkko Sakkinen wrote:
>>> On Mon, Jul 06, 2020 at 02:19:53PM -0400, Stefan Berger wrote:
>>>> From: Stefan Berger <stefanb@linux.ibm.com>
>>>>
>>>> In case a TPM2 is attached, search for a TPM2 ACPI table when trying
>>>> to get the event log from ACPI. If one is found, use it to get the
>>>> start and length of the log area. This allows non-UEFI systems, such
>>>> as SeaBIOS, to pass an event log when using a TPM2.
>>>>
>>>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>>> Do you think that QEMU with TPM 1.2 emulator turned on would be a viable
>>> way to test this?
>>
>> Yes.
> Is the emulator bundled with QEMU or does it have to be installed
> separately?
It has to be installed separately. On Fedora 31 it would just be a `sudo
dnf -y install swtpm-tools` and you should be good to go with libvirt /
virt-manager.
>
> /Jarkko
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH v9 2/2] tpm: Add support for event log pointer found in TPM2 ACPI table
2020-07-07 3:08 ` Stefan Berger
@ 2020-07-07 4:03 ` Jarkko Sakkinen
2020-07-07 4:09 ` Stefan Berger
0 siblings, 1 reply; 19+ messages in thread
From: Jarkko Sakkinen @ 2020-07-07 4:03 UTC (permalink / raw)
To: Stefan Berger
Cc: Stefan Berger, linux-integrity, linux-kernel, linux-acpi,
linux-security-module
On Mon, Jul 06, 2020 at 11:08:12PM -0400, Stefan Berger wrote:
> On 7/6/20 10:24 PM, Jarkko Sakkinen wrote:
> > On Mon, Jul 06, 2020 at 07:55:26PM -0400, Stefan Berger wrote:
> > > On 7/6/20 7:09 PM, Jarkko Sakkinen wrote:
> > > > On Mon, Jul 06, 2020 at 02:19:53PM -0400, Stefan Berger wrote:
> > > > > From: Stefan Berger <stefanb@linux.ibm.com>
> > > > >
> > > > > In case a TPM2 is attached, search for a TPM2 ACPI table when trying
> > > > > to get the event log from ACPI. If one is found, use it to get the
> > > > > start and length of the log area. This allows non-UEFI systems, such
> > > > > as SeaBIOS, to pass an event log when using a TPM2.
> > > > >
> > > > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > > > Do you think that QEMU with TPM 1.2 emulator turned on would be a viable
> > > > way to test this?
> > >
> > > Yes.
> > Is the emulator bundled with QEMU or does it have to be installed
> > separately?
>
> It has to be installed separately. On Fedora 31 it would just be a `sudo dnf
> -y install swtpm-tools` and you should be good to go with libvirt /
> virt-manager.
Is there some packaging for Debian/Ubuntu available?
/Jarkko
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH v9 2/2] tpm: Add support for event log pointer found in TPM2 ACPI table
2020-07-07 4:03 ` Jarkko Sakkinen
@ 2020-07-07 4:09 ` Stefan Berger
2020-07-08 14:07 ` Jarkko Sakkinen
0 siblings, 1 reply; 19+ messages in thread
From: Stefan Berger @ 2020-07-07 4:09 UTC (permalink / raw)
To: Jarkko Sakkinen
Cc: Stefan Berger, linux-integrity, linux-kernel, linux-acpi,
linux-security-module
On 7/7/20 12:03 AM, Jarkko Sakkinen wrote:
> On Mon, Jul 06, 2020 at 11:08:12PM -0400, Stefan Berger wrote:
>> On 7/6/20 10:24 PM, Jarkko Sakkinen wrote:
>>> On Mon, Jul 06, 2020 at 07:55:26PM -0400, Stefan Berger wrote:
>>>> On 7/6/20 7:09 PM, Jarkko Sakkinen wrote:
>>>>> On Mon, Jul 06, 2020 at 02:19:53PM -0400, Stefan Berger wrote:
>>>>>> From: Stefan Berger <stefanb@linux.ibm.com>
>>>>>>
>>>>>> In case a TPM2 is attached, search for a TPM2 ACPI table when trying
>>>>>> to get the event log from ACPI. If one is found, use it to get the
>>>>>> start and length of the log area. This allows non-UEFI systems, such
>>>>>> as SeaBIOS, to pass an event log when using a TPM2.
>>>>>>
>>>>>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>>>>> Do you think that QEMU with TPM 1.2 emulator turned on would be a viable
>>>>> way to test this?
>>>> Yes.
>>> Is the emulator bundled with QEMU or does it have to be installed
>>> separately?
>> It has to be installed separately. On Fedora 31 it would just be a `sudo dnf
>> -y install swtpm-tools` and you should be good to go with libvirt /
>> virt-manager.
> Is there some packaging for Debian/Ubuntu available?
So far may not be available yet. I had *experimented* with a PPA once:
https://launchpad.net/~stefanberger/+archive/ubuntu/swtpm-focal
> /Jarkko
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH v9 2/2] tpm: Add support for event log pointer found in TPM2 ACPI table
2020-07-07 4:09 ` Stefan Berger
@ 2020-07-08 14:07 ` Jarkko Sakkinen
2020-07-08 14:17 ` Stefan Berger
0 siblings, 1 reply; 19+ messages in thread
From: Jarkko Sakkinen @ 2020-07-08 14:07 UTC (permalink / raw)
To: Stefan Berger
Cc: Stefan Berger, linux-integrity, linux-kernel, linux-acpi,
linux-security-module
On Tue, Jul 07, 2020 at 12:09:11AM -0400, Stefan Berger wrote:
> On 7/7/20 12:03 AM, Jarkko Sakkinen wrote:
> > On Mon, Jul 06, 2020 at 11:08:12PM -0400, Stefan Berger wrote:
> > > On 7/6/20 10:24 PM, Jarkko Sakkinen wrote:
> > > > On Mon, Jul 06, 2020 at 07:55:26PM -0400, Stefan Berger wrote:
> > > > > On 7/6/20 7:09 PM, Jarkko Sakkinen wrote:
> > > > > > On Mon, Jul 06, 2020 at 02:19:53PM -0400, Stefan Berger wrote:
> > > > > > > From: Stefan Berger <stefanb@linux.ibm.com>
> > > > > > >
> > > > > > > In case a TPM2 is attached, search for a TPM2 ACPI table when trying
> > > > > > > to get the event log from ACPI. If one is found, use it to get the
> > > > > > > start and length of the log area. This allows non-UEFI systems, such
> > > > > > > as SeaBIOS, to pass an event log when using a TPM2.
> > > > > > >
> > > > > > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > > > > > Do you think that QEMU with TPM 1.2 emulator turned on would be a viable
> > > > > > way to test this?
> > > > > Yes.
> > > > Is the emulator bundled with QEMU or does it have to be installed
> > > > separately?
> > > It has to be installed separately. On Fedora 31 it would just be a `sudo dnf
> > > -y install swtpm-tools` and you should be good to go with libvirt /
> > > virt-manager.
> > Is there some packaging for Debian/Ubuntu available?
>
>
> So far may not be available yet. I had *experimented* with a PPA once:
> https://launchpad.net/~stefanberger/+archive/ubuntu/swtpm-focal
There is a snap available:
name: swtpm-mvo
summary: Libtpms-based TPM emulator
publisher: Michael Vogt (mvo)
store-url: https://snapcraft.io/swtpm-mvo
license: unset
description: |
Libtpms-based TPM emulator with socket, character device, and Linux
CUSE interface.
commands:
- swtpm-mvo.swtpm
services:
swtpm-mvo.swtpm-sock: simple, enabled, active
snap-id: HNl1TwHRBk3OtXQ8OriRB93FDZ6vman7
tracking: latest/edge
refresh-date: today at 02:05 EEST
channels:
latest/stable: –
latest/candidate: –
latest/beta: 0.1.0 2019-07-26 (11) 3MB -
latest/edge: 0.1.0 2020-07-08 (75) 3MB -
installed: 0.1.0 (74) 3MB -
This is the version information:
❯ swtpm-mvo.swtpm --version
TPM emulator version 0.4.0, Copyright (c) 2014 IBM Corp.
However, if I try to run the first example from [*], I get:
❯ swtpm-mvo.swtpm socket --tpmstate dir=/tmp/mytpm1 \
--ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \
--log level=20
swtpm: Could not open UnixIO socket: No such file or directory
[*] https://www.qemu.org/docs/master/specs/tpm.html
/Jarkko
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH v9 2/2] tpm: Add support for event log pointer found in TPM2 ACPI table
2020-07-08 14:07 ` Jarkko Sakkinen
@ 2020-07-08 14:17 ` Stefan Berger
2020-07-14 11:20 ` Jarkko Sakkinen
0 siblings, 1 reply; 19+ messages in thread
From: Stefan Berger @ 2020-07-08 14:17 UTC (permalink / raw)
To: Jarkko Sakkinen
Cc: Stefan Berger, linux-integrity, linux-kernel, linux-acpi,
linux-security-module
On 7/8/20 10:07 AM, Jarkko Sakkinen wrote:
> On Tue, Jul 07, 2020 at 12:09:11AM -0400, Stefan Berger wrote:
>> On 7/7/20 12:03 AM, Jarkko Sakkinen wrote:
>>> On Mon, Jul 06, 2020 at 11:08:12PM -0400, Stefan Berger wrote:
>>>> On 7/6/20 10:24 PM, Jarkko Sakkinen wrote:
>>>>> On Mon, Jul 06, 2020 at 07:55:26PM -0400, Stefan Berger wrote:
>>>>>> On 7/6/20 7:09 PM, Jarkko Sakkinen wrote:
>>>>>>> On Mon, Jul 06, 2020 at 02:19:53PM -0400, Stefan Berger wrote:
>>>>>>>> From: Stefan Berger <stefanb@linux.ibm.com>
>>>>>>>>
>>>>>>>> In case a TPM2 is attached, search for a TPM2 ACPI table when trying
>>>>>>>> to get the event log from ACPI. If one is found, use it to get the
>>>>>>>> start and length of the log area. This allows non-UEFI systems, such
>>>>>>>> as SeaBIOS, to pass an event log when using a TPM2.
>>>>>>>>
>>>>>>>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>>>>>>> Do you think that QEMU with TPM 1.2 emulator turned on would be a viable
>>>>>>> way to test this?
>>>>>> Yes.
>>>>> Is the emulator bundled with QEMU or does it have to be installed
>>>>> separately?
>>>> It has to be installed separately. On Fedora 31 it would just be a `sudo dnf
>>>> -y install swtpm-tools` and you should be good to go with libvirt /
>>>> virt-manager.
>>> Is there some packaging for Debian/Ubuntu available?
>>
>> So far may not be available yet. I had *experimented* with a PPA once:
>> https://launchpad.net/~stefanberger/+archive/ubuntu/swtpm-focal
> There is a snap available:
>
> name: swtpm-mvo
> summary: Libtpms-based TPM emulator
> publisher: Michael Vogt (mvo)
> store-url: https://snapcraft.io/swtpm-mvo
> license: unset
> description: |
> Libtpms-based TPM emulator with socket, character device, and Linux
> CUSE interface.
> commands:
> - swtpm-mvo.swtpm
> services:
> swtpm-mvo.swtpm-sock: simple, enabled, active
> snap-id: HNl1TwHRBk3OtXQ8OriRB93FDZ6vman7
> tracking: latest/edge
> refresh-date: today at 02:05 EEST
> channels:
> latest/stable: –
> latest/candidate: –
> latest/beta: 0.1.0 2019-07-26 (11) 3MB -
> latest/edge: 0.1.0 2020-07-08 (75) 3MB -
> installed: 0.1.0 (74) 3MB -
>
> This is the version information:
>
> ❯ swtpm-mvo.swtpm --version
> TPM emulator version 0.4.0, Copyright (c) 2014 IBM Corp.
>
> However, if I try to run the first example from [*], I get:
>
> ❯ swtpm-mvo.swtpm socket --tpmstate dir=/tmp/mytpm1 \
> --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \
> --log level=20
> swtpm: Could not open UnixIO socket: No such file or directory
Did you create the directory '/tmp/mytpm1' ?
> [*] https://www.qemu.org/docs/master/specs/tpm.html
>
> /Jarkko
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH v9 2/2] tpm: Add support for event log pointer found in TPM2 ACPI table
2020-07-08 14:17 ` Stefan Berger
@ 2020-07-14 11:20 ` Jarkko Sakkinen
2020-07-14 12:09 ` Stefan Berger
0 siblings, 1 reply; 19+ messages in thread
From: Jarkko Sakkinen @ 2020-07-14 11:20 UTC (permalink / raw)
To: Stefan Berger
Cc: Stefan Berger, linux-integrity, linux-kernel, linux-acpi,
linux-security-module
On Wed, Jul 08, 2020 at 10:17:17AM -0400, Stefan Berger wrote:
> > ❯ swtpm-mvo.swtpm socket --tpmstate dir=/tmp/mytpm1 \
> > --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \
> > --log level=20
> > swtpm: Could not open UnixIO socket: No such file or directory
>
>
> Did you create the directory '/tmp/mytpm1' ?
Yes. It's the socket file that it is complain because it does
not exist beforehand.
/Jarkko
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH v9 2/2] tpm: Add support for event log pointer found in TPM2 ACPI table
2020-07-14 11:20 ` Jarkko Sakkinen
@ 2020-07-14 12:09 ` Stefan Berger
2020-07-16 17:26 ` Jarkko Sakkinen
0 siblings, 1 reply; 19+ messages in thread
From: Stefan Berger @ 2020-07-14 12:09 UTC (permalink / raw)
To: Jarkko Sakkinen
Cc: Stefan Berger, linux-integrity, linux-kernel, linux-acpi,
linux-security-module
On 7/14/20 7:20 AM, Jarkko Sakkinen wrote:
> On Wed, Jul 08, 2020 at 10:17:17AM -0400, Stefan Berger wrote:
>>> ❯ swtpm-mvo.swtpm socket --tpmstate dir=/tmp/mytpm1 \
>>> --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \
>>> --log level=20
>>> swtpm: Could not open UnixIO socket: No such file or directory
>>
>> Did you create the directory '/tmp/mytpm1' ?
> Yes. It's the socket file that it is complain because it does
> not exist beforehand.
The socket file is created by the swtpm program.
>
> /Jarkko
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH v9 2/2] tpm: Add support for event log pointer found in TPM2 ACPI table
2020-07-14 12:09 ` Stefan Berger
@ 2020-07-16 17:26 ` Jarkko Sakkinen
0 siblings, 0 replies; 19+ messages in thread
From: Jarkko Sakkinen @ 2020-07-16 17:26 UTC (permalink / raw)
To: Stefan Berger
Cc: Stefan Berger, linux-integrity, linux-kernel, linux-acpi,
linux-security-module
On Tue, Jul 14, 2020 at 08:09:03AM -0400, Stefan Berger wrote:
> On 7/14/20 7:20 AM, Jarkko Sakkinen wrote:
> > On Wed, Jul 08, 2020 at 10:17:17AM -0400, Stefan Berger wrote:
> > > > ❯ swtpm-mvo.swtpm socket --tpmstate dir=/tmp/mytpm1 \
> > > > --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \
> > > > --log level=20
> > > > swtpm: Could not open UnixIO socket: No such file or directory
> > >
> > > Did you create the directory '/tmp/mytpm1' ?
> > Yes. It's the socket file that it is complain because it does
> > not exist beforehand.
>
>
> The socket file is created by the swtpm program.
I got this tested with real hardware, i.e. tested that TPM 1.2 works.
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
/Jarkko
^ permalink raw reply [flat|nested] 19+ messages in thread
end of thread, other threads:[~2020-07-16 17:27 UTC | newest]
Thread overview: 19+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-06 18:19 [PATCH v9 0/2] tpm2: Make TPM2 logs accessible for non-UEFI firmware Stefan Berger
2020-07-06 18:19 ` [PATCH v9 1/2] acpi: Extend TPM2 ACPI table with missing log fields Stefan Berger
2020-07-06 22:02 ` Jerry Snitselaar
2020-07-06 18:19 ` [PATCH v9 2/2] tpm: Add support for event log pointer found in TPM2 ACPI table Stefan Berger
2020-07-06 22:04 ` Jerry Snitselaar
2020-07-06 23:09 ` Jarkko Sakkinen
2020-07-06 23:12 ` Jarkko Sakkinen
2020-07-06 23:55 ` Stefan Berger
2020-07-07 2:24 ` Jarkko Sakkinen
2020-07-07 3:08 ` Stefan Berger
2020-07-07 4:03 ` Jarkko Sakkinen
2020-07-07 4:09 ` Stefan Berger
2020-07-08 14:07 ` Jarkko Sakkinen
2020-07-08 14:17 ` Stefan Berger
2020-07-14 11:20 ` Jarkko Sakkinen
2020-07-14 12:09 ` Stefan Berger
2020-07-16 17:26 ` Jarkko Sakkinen
2020-07-06 23:57 ` Jerry Snitselaar
2020-07-07 2:24 ` Jarkko Sakkinen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).