From: Ard Biesheuvel <ardb@kernel.org>
To: Eric Auger <eric.auger@redhat.com>
Cc: "Peter Maydell" <peter.maydell@linaro.org>,
"Philippe Mathieu-Daudé" <philmd@redhat.com>,
"QEMU Developers" <qemu-devel@nongnu.org>,
qemu-arm <qemu-arm@nongnu.org>,
"Marc-André Lureau" <marcandre.lureau@redhat.com>,
"Eric Auger" <eric.auger.pro@gmail.com>,
"Laszlo Ersek" <lersek@redhat.com>,
"Stefan Berger" <stefanb@linux.ibm.com>
Subject: Re: [RFC v2 0/6] vTPM for aarch64
Date: Sun, 16 Feb 2020 17:35:40 +0100
Message-ID: <CAKv+Gu_JsLdLV2JWCoFaw=3MR4DPKxOzE1mv-0h0nUikoGmZ7w@mail.gmail.com>
In-Reply-To: <20200214183704.14389-1-eric.auger@redhat.com>
On Fri, 14 Feb 2020 at 19:37, Eric Auger <eric.auger@redhat.com> wrote:
>
> This series adds the capability to instantiate an MMIO TPM TIS
> in ARM virt.
>
> The existing TPM TIS code is reshuffled into a generic part,
> the ISA device and the sysbus device. The last patch allows
> the instantiation of the TPM TIS sysbus device in ARM virt.
>
> The series was tested with the swtpm/libtpms emulator.
> Automatic guest LUKS volume unlocking (tpm2) was successful.
> EDK2 support is under development [3]. Thanks to Ard
> for supporting me when setting up the test environment.
>
> Best Regards
>
> Eric
>
> Testing:
>
> mkdir /tmp/tpm
> swtpm socket \
> --tpm2 \
> -t -d \
> --tpmstate dir=/tmp/tpm \
> --ctrl type=unixio,path=/tmp/swtpm-sock
>
> qemu command line must be augmented with the following options:
>
> -chardev socket,id=chrtpm,path=/tmp/swtpm-sock \
> -tpmdev emulator,id=tpm0,chardev=chrtpm \
> -device tpm-tis-device,tpmdev=tpm0 \
>
> References:
> [1] libtpms: https://github.com/stefanberger/libtpms/wiki
> [2] swtpm: https://github.com/stefanberger/swtpm/wiki
> [3] [PATCH 0/4] ArmVirtPkg: implement measured boot for ArmVirtQemu
>
> This series can be found at:
> https://github.com/eauger/qemu/tree/v4.2.0-tpm-rfc-v2
>
> History:
>
> RFC v1 -> RFC v2:
> - restructure the existing code with common, ISA and sysbus part.
> - both ARM and x86 integration were tested.
> - acknowledgement: migration has not been tested
>
> Eric Auger (6):
> tpm: rename TPM_TIS into TPM_TIS_ISA
> tpm: Use TPMState as a common struct
> tpm: Separate tpm_tis common functions from isa code
> tpm: Separate TPM_TIS and TPM_TIS_ISA configs
> tpm: Add the SysBus TPM TIS device
> hw/arm/virt: vTPM support
>
Many thanks to Eric for his work on this.
I have tested this with my EDK2 code and a Linux/arm64 VM booting in
DT mode with the tpm-tis driver enabled, and it works as expected. I
can observe the firmware taking measurements during boot, and can dump
the PCRs from Linux using tpm2_pcrlist.
Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Note that the UEFI firmware is itself a consumer of the DT
description, so we need the DT related changes regardless of whether
the VM boots in DT or ACPI mode.
> default-configs/i386-softmmu.mak | 2 +-
> hw/arm/Kconfig | 1 +
> hw/arm/sysbus-fdt.c | 36 +++++
> hw/arm/virt.c | 7 +
> hw/i386/Kconfig | 2 +-
> hw/i386/acpi-build.c | 6 +-
> hw/tpm/Kconfig | 12 +-
> hw/tpm/Makefile.objs | 4 +-
> hw/tpm/tpm_tis.h | 91 +++++++++++++
> hw/tpm/{tpm_tis.c => tpm_tis_common.c} | 181 ++-----------------------
> hw/tpm/tpm_tis_isa.c | 170 +++++++++++++++++++++++
> hw/tpm/tpm_tis_sysbus.c | 159 ++++++++++++++++++++++
> include/sysemu/tpm.h | 7 +-
> tests/qtest/Makefile.include | 4 +-
> 14 files changed, 502 insertions(+), 180 deletions(-)
> create mode 100644 hw/tpm/tpm_tis.h
> rename hw/tpm/{tpm_tis.c => tpm_tis_common.c} (85%)
> create mode 100644 hw/tpm/tpm_tis_isa.c
> create mode 100644 hw/tpm/tpm_tis_sysbus.c
>
> --
> 2.20.1
>
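The thread above reports the firmware taking measurements during boot and the PCRs being dumped from Linux with tpm2_pcrlist. The check a practitioner wants next is whether the event log the firmware hands to the OS actually reproduces those PCRs. The following is an added example, not code from the patch series, from EDK2 or from anyone in the thread: it parses a TCG PC Client crypto-agile (TPM2) event log, replays the recorded digests into simulated PCR banks, and lists the PCR indexes that disagree with values read off the TPM. The log bytes are constructed inline so the script runs offline; on a real guest you would read /sys/kernel/security/tpm0/binary_bios_measurements and build the `reported` dictionary from the tpm2_pcrlist output. The event type numbers and the "Spec ID Event03" layout follow the TCG PC Client Platform Firmware Profile; the builder helpers, the sample event contents and the function names are hypothetical.

```python
# Added example (not from the series or the thread): replay a TPM2 event log
# into simulated PCRs and diff them against the values the TPM reports.
import hashlib
import struct

EV_NO_ACTION = 0x03
TPM_ALG_SHA1, TPM_ALG_SHA256 = 0x0004, 0x000B
HASH_NAMES = {TPM_ALG_SHA1: "sha1", TPM_ALG_SHA256: "sha256"}
DIGEST_SIZES = {TPM_ALG_SHA1: 20, TPM_ALG_SHA256: 32}


def parse_spec_id_header(log):
    """Parse the SHA1-format 'Spec ID Event03' header that opens a TPM2 log.
    Returns ({alg_id: digest_size}, offset of the first TCG_PCR_EVENT2)."""
    pcr, etype = struct.unpack_from("<II", log, 0)
    if pcr != 0 or etype != EV_NO_ACTION:
        raise ValueError("log does not start with an EV_NO_ACTION header")
    event_size, = struct.unpack_from("<I", log, 28)    # 4 + 4 + 20-byte SHA1 digest
    event = log[32:32 + event_size]
    if event[:16] != b"Spec ID Event03\0":
        raise ValueError("not a crypto-agile (TPM2) event log")
    # signature(16) platformClass(4) minor/major/errata/uintnSize(4) numberOfAlgorithms(4)
    num_algs, = struct.unpack_from("<I", event, 24)
    sizes, pos = {}, 28
    for _ in range(num_algs):
        alg_id, size = struct.unpack_from("<HH", event, pos)
        sizes[alg_id] = size
        pos += 4
    return sizes, 32 + event_size


def parse_events(log):
    """Yield (pcr_index, event_type, {alg_id: digest}, event_data) per TCG_PCR_EVENT2."""
    sizes, pos = parse_spec_id_header(log)
    while pos < len(log):
        pcr, etype, count = struct.unpack_from("<III", log, pos)
        pos += 12
        digests = {}
        for _ in range(count):
            alg_id, = struct.unpack_from("<H", log, pos)
            pos += 2
            digests[alg_id] = log[pos:pos + sizes[alg_id]]
            pos += sizes[alg_id]
        event_size, = struct.unpack_from("<I", log, pos)
        pos += 4
        yield pcr, etype, digests, log[pos:pos + event_size]
        pos += event_size


def extend(pcr_value, digest, alg):
    """PCR extend: new = H(old || digest)."""
    return hashlib.new(HASH_NAMES[alg], pcr_value + digest).digest()


def replay_pcrs(log, alg=TPM_ALG_SHA256):
    """Recompute one PCR bank from the log. Only the recorded digests are used,
    so the result does not depend on how each event type hashes its data."""
    pcrs = {}
    for pcr, etype, digests, _ in parse_events(log):
        if etype == EV_NO_ACTION or alg not in digests:
            continue                      # EV_NO_ACTION entries are never extended
        pcrs[pcr] = extend(pcrs.get(pcr, b"\0" * DIGEST_SIZES[alg]), digests[alg], alg)
    return pcrs


def compare_with_tpm(replayed, reported):
    """PCR indexes where the replayed value differs from the bank read off the TPM."""
    return sorted(i for i, v in replayed.items() if reported.get(i) != v)


# --- constructed sample log (hypothetical contents, real on-disk layout) ---
def _spec_id_header(algs):
    body = b"Spec ID Event03\0" + struct.pack("<IBBBBI", 0, 0, 2, 0, 2, len(algs))
    for a in algs:
        body += struct.pack("<HH", a, DIGEST_SIZES[a])
    body += b"\0"                         # vendorInfoSize = 0
    return struct.pack("<II", 0, EV_NO_ACTION) + b"\0" * 20 + struct.pack("<I", len(body)) + body


def _event2(pcr, etype, data, algs):
    out = struct.pack("<III", pcr, etype, len(algs))
    for a in algs:
        out += struct.pack("<H", a) + hashlib.new(HASH_NAMES[a], data).digest()
    return out + struct.pack("<I", len(data)) + data


ALGS = (TPM_ALG_SHA1, TPM_ALG_SHA256)
SAMPLE_LOG = (_spec_id_header(ALGS)
              + _event2(0, 0x08, b"firmware version string (constructed)", ALGS)     # EV_S_CRTM_VERSION
              + _event2(0, 0x01, b"POST code blob (constructed)", ALGS)              # EV_POST_CODE
              + _event2(7, 0x80000001, b"SecureBoot variable (constructed)", ALGS))  # EV_EFI_VARIABLE_DRIVER_CONFIG

if __name__ == "__main__":
    replayed = replay_pcrs(SAMPLE_LOG)
    for i, v in sorted(replayed.items()):
        print(f"PCR{i:02d} sha256 {v.hex()}")
    # On a live guest: reported = {index: bytes.fromhex(hex) for each tpm2_pcrlist line}
    print("mismatches:", compare_with_tpm(replayed, replayed))
```

The replay deliberately trusts nothing but the digests in the log: whether an event's data is hashed directly or wrapped in a structure (as EV_EFI_VARIABLE_* events are) only matters when you want to verify the digest of one entry, not when reproducing PCR state. A mismatch on a PCR therefore means either the log was truncated or altered after the measurement, or something extended the PCR without logging it, which on the emulated setup above points at the firmware or the swtpm state rather than the guest kernel.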
Thread overview (30+ messages):
2020-02-14 18:36 [RFC v2 0/6] vTPM for aarch64 Eric Auger
2020-02-14 18:36 ` [RFC v2 1/6] tpm: rename TPM_TIS into TPM_TIS_ISA Eric Auger
2020-02-14 18:55 ` Philippe Mathieu-Daudé
2020-02-25 10:16 ` Auger Eric
2020-02-25 10:22 ` Philippe Mathieu-Daudé
2020-02-25 10:28 ` Auger Eric
2020-02-16 18:14 ` Stefan Berger
2020-02-14 18:37 ` [RFC v2 2/6] tpm: Use TPMState as a common struct Eric Auger
2020-02-14 19:01 ` Philippe Mathieu-Daudé
2020-02-16 18:22 ` Stefan Berger
2020-02-17 9:21 ` Philippe Mathieu-Daudé
2020-02-17 18:01 ` Auger Eric
2020-02-25 10:18 ` Auger Eric
2020-02-14 18:37 ` [RFC v2 3/6] tpm: Separate tpm_tis common functions from isa code Eric Auger
2020-02-16 18:27 ` Stefan Berger
2020-02-14 18:37 ` [RFC v2 4/6] tpm: Separate TPM_TIS and TPM_TIS_ISA configs Eric Auger
2020-02-14 19:03 ` Philippe Mathieu-Daudé
2020-02-25 10:05 ` Auger Eric
2020-02-14 18:37 ` [RFC v2 5/6] tpm: Add the SysBus TPM TIS device Eric Auger
2020-02-16 18:32 ` Stefan Berger
2020-02-17 18:13 ` Auger Eric
2020-02-25 9:18 ` Auger Eric
2020-02-25 9:52 ` Ard Biesheuvel
2020-02-25 10:18 ` Philippe Mathieu-Daudé
2020-02-26 8:38 ` Auger Eric
2020-02-14 18:37 ` [RFC v2 6/6] hw/arm/virt: vTPM support Eric Auger
2020-02-16 18:47 ` Stefan Berger
2020-02-17 18:26 ` Auger Eric
2020-02-16 16:35 ` Ard Biesheuvel [this message]
2020-02-17 18:03 ` [RFC v2 0/6] vTPM for aarch64 Auger Eric