Integrating swtpm(as a software TPM) with OpenBMC on Qemu
Sandeep Kumar
sandeep.pkumar at tcs.com
Sat May 6 03:36:52 AEST 2023
TCS Confidential
Hi Stefan,
I have these options set in /home/tcs/work/san/openbmc/openbmc_april/openbmc/meta-aspeed/recipes-kernel/linux/linux-aspeed/tpm/tpm2.cfg
CONFIG_HW_RANDOM=y
CONFIG_HW_RANDOM_TPM=y
CONFIG_TCG_TPM=y
CONFIG_TCG_TIS_CORE=y
CONFIG_TCG_TIS=y
CONFIG_TCG_TIS_SPI=y
CONFIG_TCG_TIS_I2C=y
CONFIG_SECURITYFS=y
and in /home/tcs/work/san/openbmc/openbmc_april/openbmc/meta-aspeed/recipes-kernel/linux/linux-aspeed.inc I have these,
SRC_URI += " \
file://defconfig \
file://rsa_oem_fitimage_key.key;sha256sum=eeb4ff2ebbfbd97b6254fe6dbaeea41067e54c65176c233ec7b2ab2decf1ddcd \
file://rsa_oem_fitimage_key.crt;sha256sum=45f5a55497cce8040999bf9f3214d471ac7b83ab7acef41c4425a34662e8372e \
${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm/tpm2.scc file://tpm/tpm2.cfg', '', d)} \
${@bb.utils.contains_any('DISTRO_FEATURES', \
'obmc-static-norootfs obmc-ubi-fs', \
'file://ubi/ubi.scc file://ubi/ubi.cfg', '', d)} \
"
Anything else needs to be done to enable TPM ?
Thanks,
Sandeep.
-----Original Message-----
From: Stefan Berger <stefanb at linux.ibm.com>
Sent: Friday, May 5, 2023 9:41 PM
To: Sandeep Kumar <sandeep.pkumar at tcs.com>; Cédric Le Goater <clg at kaod.org>; openbmc at lists.ozlabs.org; Ninad Palsule <ninad at linux.ibm.com>; Joel Stanley <jms at jms.id.au>; Andrew Jeffery <andrew at aj.id.au>
Subject: Re: Integrating swtpm(as a software TPM) with OpenBMC on Qemu
"External email. Open with Caution"
I enable the following kernel build options for OpenBMC Linux kernel:
CONFIG_TCG_TPM=y
CONFIG_TCG_TIS_CORE=y
CONFIG_TCG_TIS=y
CONFIG_TCG_TIS_I2C=y
With swtpm running in another terminal:
while :; do swtpm socket --tpmstate dir=/tmp/mytpm1 --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock --tpm2 --log level=20; done
I start qemu built from qemu git master branch tip:
/tmp/qemu-system-arm -machine ast2600-evb -nographic -no-reboot -net nic -net user,hostfwd=:127.0.0.1:5722-:22,hostfwd=:127.0.0.1:5743-:443,hostfwd=udp:127.0.0.1:5723-:623 -drive file=./tmp/deploy/images/evb-ast2600/obmc-phosphor-image-evb-ast2600.static.mtd,format=raw,if=mtd -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-i2c,tpmdev=tpm0,bus=aspeed.i2c.bus.12,address=0x2e
root at evb-ast2600:~# echo tpm_tis_i2c 0x2e > /sys/bus/i2c/devices/i2c-12/new_device
[ 63.771200] tpm_tis_i2c 12-002e: 2.0 TPM (device-id 0x1, rev-id 1)
[ 63.783927] tpm tpm0: A TPM error (256) occurred attempting the self test
[ 63.784256] tpm tpm0: starting up the TPM manually
[ 63.851474] i2c i2c-12: new_device: Instantiated device tpm_tis_i2c at 0x2e
root at evb-ast2600:~# uname -a
Linux evb-ast2600 6.1.15-580639a-dirty-c56bfb7-00123-gc56bfb70ebfa #1 SMP Thu Apr 6 00:55:09 UTC 2023 armv7l GNU/Linux
root at evb-ast2600:~# grep tpm_tis_i2c /proc/kallsyms 8056318c t tpm_tis_i2c_remove
805631b0 t tpm_tis_i2c_retry_transfer_until_ack
8056323c t tpm_tis_i2c_write_bytes
80563334 t tpm_tis_i2c_verify_crc
805633e0 t tpm_tis_i2c_read_bytes
80563604 t tpm_tis_i2c_probe
80d23964 t tpm_tis_i2c_driver_init
root at evb-ast2600:~# find /sys/class/tpm
/sys/class/tpm
/sys/class/tpm/tpm0
root at evb-ast2600:~# ls -l /dev/tpm*
crw------- 1 root root 10, 224 May 5 16:03 /dev/tpm0
crw------- 1 root root 252, 65536 May 5 16:03 /dev/tpmrm0
root at evb-ast2600:~# find /sys/ | grep pcr
/sys/devices/platform/ahb/ahb:apb/ahb:apb:bus at 1e78a000/1e78a680.i2c-bus/i2c-12/12-002e/tpm/tpm0/pcr-sha1
/sys/devices/platform/ahb/ahb:apb/ahb:apb:bus at 1e78a000/1e78a680.i2c-bus/i2c-12/12-002e/tpm/tpm0/pcr-sha1/17
[... lots more entries also for sha256, sha384, and sha512 ]
It seems to work as expected
On 5/5/23 11:08, Sandeep Kumar wrote:
> TCS Confidential Hi Stefan, Please find below my answers inline.
> Thanks, Sandeep. -----Original Message----- From: Stefan Berger
> <stefanb@ linux. ibm. com> Sent: Friday, May 5, 2023 6: 56 PM To:
> Sandeep Kumar <sandeep. pkumar@ tcs. com>; ZjQcmQRYFpfptBannerStart This Message Is From an External Sender This message came from outside your organization.
> ZjQcmQRYFpfptBannerEnd
>
> TCS Confidential
>
>
> Hi Stefan,
>
> Please find below my answers inline.
>
> Thanks,
>
> Sandeep.
>
> -----Original Message-----
> From: Stefan Berger <stefanb at linux.ibm.com>
> Sent: Friday, May 5, 2023 6:56 PM
> To: Sandeep Kumar <sandeep.pkumar at tcs.com>; Cédric Le Goater
> <clg at kaod.org>; openbmc at lists.ozlabs.org; Ninad Palsule
> <ninad at linux.ibm.com>; Joel Stanley <jms at jms.id.au>; Andrew Jeffery
> <andrew at aj.id.au>
> Subject: Re: Integrating swtpm(as a software TPM) with OpenBMC on Qemu
>
> "External email. Open with Caution"
>
> On 5/5/23 01:40, Sandeep Kumar wrote:
>
> > TCS Confidential
>
> >
>
> > Hi Stefan,
>
> >
>
> > Stefan: Is the kernel configured in the same way? Are you using the same kernel version?
>
> > Ans:
>
> > I am using the Kernel version coming with the latest openBMC without any changes.
>
> > Kernel version used : Linux evb-ast2600 6.1.15-580639a #1
> SMP
>
> > Thu Apr 6 00:55:09 UTC 2023 armv71 GNU/Linux
>
> >
>
> > Stefan: What is the output of this? find /sys/class/tpm | grep
> pcr
>
> > Ams: find: /sys/class/tpm: No such file or directory.
>
> >
>
> > Could you please point to the right version of kernel which has all these changes ?
>
> I am not aware of changes in the Linux kernel for TPM I2C and why it would not work in this kernel version.
>
> Does this show any files?
>
> find /sys | grep pcr
>
> *Sandeep: It doesn't show any files. *
>
> *root at evb-ast2600:~# echo tpm_tis_i2c 0x2e >
> /sys/bus/i2c/devices/i2c-12/new_device*
>
> *[ 273.273089] i2c i2c-12: new_device: Instantiated device
> tpm_tis_i2c at 0x2e*
>
> *root at evb-ast2600:~#*
>
> *root at evb-ast2600:~# find /sys | grep pcr*
>
> *root at evb-ast2600:~#*
>
> Do /dev/tpm0 and /dev/tpmrm0 appear after the echo ? What does dmesg show related to tpm (dmesg | grep -i tpm)?
>
> *Sandeep: I don’t see /dev/tpm0 and /dev/tpmrm0 after the echo.
> Output as below, *
>
> **
>
> *root at evb-ast2600:~# echo tpm_tis_i2c 0x2e >
> /sys/bus/i2c/devices/i2c-12/new_device*
>
> *[ 273.273089] i2c i2c-12: new_device: Instantiated device
> tpm_tis_i2c at 0x2e*
>
> *root at evb-ast2600:~#*
>
> *root at evb-ast2600:~# find /sys | grep pcr*
>
> *root at evb-ast2600:~#*
>
> *root at evb-ast2600:~# ls /dev/tpm**
>
> *ls: /dev/tpm*: No such file or directory*
>
> *root at evb-ast2600:~# dmesg | grep -i tpm*
>
> *[ 6.290898] systemd[1]: systemd 253.1^ running in system mode
> (+PAM -AUDIT -SELINUX -APPARMOR -IMA -SMACK +SECCOMP -GCRYPT -GNUTLS
> -OPENSSL -ACL +BLKID -CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC -KMOD
> -LIBCRYPTSETUP +LIBFDISK -PCRE2 -PWQUALITY -P11KIT -QRENCODE -TPM2
> -BZIP2 -LZ4 -XZ -ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON -UTMP -SYSVINIT
> default-hierarchy=unified)*
>
> *[ 273.273089] i2c i2c-12: new_device: Instantiated device
> tpm_tis_i2c at 0x2e*
>
> *root at evb-ast2600:~#*
>
> Stefan
>
> >
>
> >
>
> > Thanks,
>
> > Sandeep.
>
> >
>
> > -----Original Message-----
>
> > From: Stefan Berger <stefanb at linux.ibm.com
> <mailto:stefanb at linux.ibm.com>>
>
> > Sent: Thursday, May 4, 2023 7:30 PM
>
> > To: Sandeep Kumar <sandeep.pkumar at tcs.com
> <mailto:sandeep.pkumar at tcs.com>>; Cédric Le Goater
>
> > <clg at kaod.org <mailto:clg at kaod.org>>; openbmc at lists.ozlabs.org
> <mailto:openbmc at lists.ozlabs.org>; Ninad Palsule
>
> > <ninad at linux.ibm.com <mailto:ninad at linux.ibm.com>>; Joel Stanley
> <jms at jms.id.au <mailto:jms at jms.id.au>>; Andrew Jeffery
>
> > <andrew at aj.id.au <mailto:andrew at aj.id.au>>
>
> > Subject: Re: Integrating swtpm(as a software TPM) with OpenBMC on
> Qemu
>
> >
>
> > "External email. Open with Caution"
>
> >
>
> >
>
> > On 5/4/23 05:12, Sandeep Kumar wrote:
>
> >> TCS Confidential Hi C, I was able to build and run the image(for
>
> >> evb-ast2600) with swtpm. Few issues observed, If I run with the
>
> >> flash. img provided in your github link(https: //github.
>
> >> com/legoater/qemu-aspeed-boot/tree/master/images) everything ZjQcmQRYFpfptBannerStart This Message Is From an External Sender This message came from outside your organization.
>
> >> ZjQcmQRYFpfptBannerEnd
>
> >> TCS Confidential
>
> >>
>
> >> Hi C,
>
> >> I was able to build and run the image(for evb-ast2600) with swtpm.
>
> >> Few issues observed,
>
> >>
>
> >> 1. If I run with the flash.img provided in your github link(_https://github.com/legoater/qemu-aspeed-boot/tree/master/images_ <https://github.com/legoater/qemu-aspeed-boot/tree/master/images <https://github.com/legoater/qemu-aspeed-boot/tree/master/images>>) everything works as expected, i.e I get the below output.
>
> >>
>
> >> *# echo tpm_tis_i2c 0x2e > /sys/bus/i2c/devices/i2c-12/new_device*
>
> >> *[ 182.735902] tpm_tis_i2c 12-002e: 2.0 TPM (device-id 0x1,
> rev-id
>
> >> 1)* *[ 182.773885] i2c i2c-12: new_device: Instantiated device
>
> >> tpm_tis_i2c at 0x2e*
>
> >> *#*
>
> >> *#*
>
> >> *# cat /sys/class/tpm/tpm0/pcr-sha256/0*
>
> >> *B804724EA13F52A9072BA87FE8FDCC497DFC9DF9AA15B9088694639C431688E0*
>
> >> *#*
>
> >> *#*
>
> >>
>
> >> 2. If I run it with the locally built image, I get this error,
>
> >
>
> > Is the kernel configured in the same way? Are you using the same kernel version?
>
> >>
>
> >> *root at evb-ast2600:~# echo tpm_tis_i2c 0x2e >
>
> >> /sys/bus/i2c/devices/i2c-12/new_device*
>
> >> *[ 174.063597] i2c i2c-12: new_device: Instantiated device
>
> >> tpm_tis_i2c at 0x2e*
>
> >
>
> > What is the output of this?
>
> >
>
> > find /sys/class/tpm | grep pcr
>
> >
>
> > Stefan
>
> >
>
> >> *root at evb-ast2600:~# cat /sys/class/tpm/tpm0/pcr-sha256/0*
>
> >> *cat: can't open '/sys/class/tpm/tpm0/pcr-sha256/0': No such file
> or
>
> >> directory*
>
> >> *root at evb-ast2600:~#*
>
> >> *root at evb-ast2600:~#*
>
> >> Please do let me know about what has been done to write the values
>
> >> into “*/sys/class/tpm/tpm0/pcr-sha256/0**” . * Thanks, Sandeep.
>
> >> _____________________________________________
>
> >> *From:* Sandeep Kumar
>
> >> *Sent:* Thursday, April 20, 2023 5:45 PM
>
> >> *To:* Cédric Le Goater <clg at kaod.org <mailto:clg at kaod.org>>;
> openbmc at lists.ozlabs.org <mailto:openbmc at lists.ozlabs.org>;
>
> >> Ninad Palsule <ninad at linux.ibm.com <mailto:ninad at linux.ibm.com>>;
> Joel Stanley <jms at jms.id.au <mailto:jms at jms.id.au>>;
>
> >> Andrew Jeffery <andrew at aj.id.au <mailto:andrew at aj.id.au>>
>
> >> *Subject:* RE: Integrating swtpm(as a software TPM) with OpenBMC
> on
>
> >> Qemu Hi C, How to build this image =>
>
> >> *obmc-phosphor-image.rootfs.wic.qcow2* ? In openBmc build directory we don’t get this image built.
>
> >> Also, remaining image formats used while running on qemu are available in the build directory. i.e fitImage-linux.bin, aspeed-bmc-ibm-rainier.dtb and obmc-phosphor-initramfs.rootfs.cpio.xz .
>
> >> Please advise if we have to build openbmc stack in a different way
>
> >> than the standard procedure. We follow the below steps for build, 1. .
>
> >> setup Romulus 2. bitbake obmc-phosphor-image Thanks, Sandeep.
>
> >> -----Original Message-----
>
> >> From: Sandeep Kumar
>
> >> Sent: Wednesday, April 19, 2023 3:00 PM
>
> >> To: Cédric Le Goater <_clg at kaod.org_ <mailto:clg at kaod.org
> <mailto:_clg at kaod.org_%20%3cmailto:clg at kaod.org>>>;
>
> >> _openbmc at lists.ozlabs.org_ <mailto:_openbmc at lists.ozlabs.org_>
> <mailto:openbmc at lists.ozlabs.org <mailto:openbmc at lists.ozlabs.org>>;
> Ninad
>
> >> Palsule <_ninad at linux.ibm.com_ <mailto:ninad at linux.ibm.com
> <mailto:_ninad at linux.ibm.com_%20%3cmailto:ninad at linux.ibm.com>>>; Joel
>
> >> Stanley <_jms at jms.id.au_ <mailto:jms at jms.id.au
> <mailto:_jms at jms.id.au_%20%3cmailto:jms at jms.id.au>>>; Andrew Jeffery
>
> >> <_andrew at aj.id.au_ <mailto:andrew at aj.id.au
> <mailto:_andrew at aj.id.au_%20%3cmailto:andrew at aj.id.au>>>
>
> >> Subject: RE: Integrating swtpm(as a software TPM) with OpenBMC on
>
> >> Qemu Hi C, Got it working. Looks like slirp is no longer supported
> on
>
> >> ubnutu 18.04. have upgraded to a newer version and is working now.
>
> >> Thanks,
>
> >> Sandeep.
>
> >> -----Original Message-----
>
> >> From: Cédric Le Goater <clg at kaod.org <mailto:clg at kaod.org
> <mailto:clg at kaod.org%20%3cmailto:clg at kaod.org>>>
>
> >> Sent: Wednesday, April 19, 2023 2:26 PM
>
> >> To: Sandeep Kumar <sandeep.pkumar at tcs.com
>
> >> <mailto:sandeep.pkumar at tcs.com <mailto:sandeep.pkumar at tcs.com>>>;
> openbmc at lists.ozlabs.org <mailto:openbmc at lists.ozlabs.org>
>
> >> <mailto:openbmc at lists.ozlabs.org
> <mailto:openbmc at lists.ozlabs.org>>; Ninad Palsule <ninad at linux.ibm.com
>
> >> <mailto:ninad at linux.ibm.com <mailto:ninad at linux.ibm.com>>>; Joel
> Stanley <jms at jms.id.au
>
> >> <mailto:jms at jms.id.au <mailto:jms at jms.id.au>>>; Andrew Jeffery
> <andrew at aj.id.au
>
> >> <mailto:andrew at aj.id.au <mailto:andrew at aj.id.au>>>
>
> >> Subject: Re: Integrating swtpm(as a software TPM) with OpenBMC on
>
> >> Qemu "External email. Open with Caution"
>
> >> Hello Sandeep
>
> >> On 4/18/23 09:45, Sandeep Kumar wrote:
>
> >>> TCS Confidential
>
> >>>
>
> >>> Hi C,
>
> >>> Built the qemu from your branch. Few issues, *$ ./qemu-system-arm
> -m
>
> >>> 256 -M romulus-bmc -nographic -drive
>
> >>> file=./obmc-phosphor-image-romulus.static.mtd,format=raw,if=mtd
> -net
>
> >>> nic -net
>
> >>>
> user,hostfwd=:127.0.0.1:2222-:22,hostfwd=:127.0.0.1:4443-:443,hostfw
>
> >>> d
>
> >>> =
>
> >>> tcp:127.0.0.1:8880-:80,hostfwd=tcp:127.0.0.1:2200-:2200,hostfwd=udp:
>
> >>> 1
>
> >>> 2
>
> >>> 7.0.0.1:6623-:623,hostfwd=udp:127.0.0.1:6664-:664,hostname=qemu*
>
> >>> *qemu-system-arm: -net
>
> >>>
> user,hostfwd=:127.0.0.1:2222-:22,hostfwd=:127.0.0.1:4443-:443,hostfw
>
> >>> d
>
> >>> =
>
> >>> tcp:127.0.0.1:8880-:80,hostfwd=tcp:127.0.0.1:2200-:2200,hostfwd=udp:
>
> >>> 1
>
> >>> 2
>
> >>> 7.0.0.1:6623-:623,hostfwd=udp:127.0.0.1:6664-:664,hostname=qemu:
>
> >>> network backend 'user' is not compiled into this binary* I didn’t
>
> >>> enable the slirp package I guess. So enabled it while running
>
> >>> configure, *$ ../configure --enable-slirp*
>
> >>> *........*
>
> >>> *Run-time dependency slirp found: NO (tried pkgconfig)*
>
> >>> *../meson.build:681:2: ERROR: Dependency "slirp" not found, tried
>
> >>> pkgconfig* *A full log can be found at
>
> >>>
> /home/tcs/work/sandeep/measured_boot/ibm_qemu/qemu/build/meson-logs/
>
> >>> m
>
> >>> e
>
> >>> son-log.txt*
>
> >>> *NOTICE: You are using Python 3.6 which is EOL. Starting with
>
> >>> v0.62.0, Meson will require Python 3.7 or newer*
>
> >>> *ERROR: meson setup failed*
>
> >>> I have already installed slirp locally, but still getting the above error.
>
> >> Did you install the libslirp-dev or libslirp-devel package ?
>
> >> C.
>
> >>
>
> >> TCS Confidential
>
> >>
>
> >> =====-----=====-----=====
>
> >> Notice: The information contained in this e-mail message and/or
>
> >> attachments to it may contain confidential or privileged information.
>
> >> If you are not the intended recipient, any dissemination, use,
>
> >> review, distribution, printing or copying of the information
>
> >> contained in this e-mail message and/or attachments to it are
>
> >> strictly prohibited. If you have received this communication in
>
> >> error, please notify us by reply e-mail or telephone and
> immediately
>
> >> and permanently delete the message and any attachments. Thank you
>
> >>
>
> >
>
> > TCS Confidential
>
>
> TCS Confidential
>
TCS Confidential
More information about the openbmc
mailing list