Integrating swtpm(as a software TPM) with OpenBMC on Qemu
Stefan Berger
stefanb at linux.ibm.com
Sat May 6 06:38:18 AEST 2023
On 5/5/23 13:36, Sandeep Kumar wrote:
> TCS Confidential
>
> Hi Stefan,
>
> I have these options set in /home/tcs/work/san/openbmc/openbmc_april/openbmc/meta-aspeed/recipes-kernel/linux/linux-aspeed/tpm/tpm2.cfg
>
> CONFIG_HW_RANDOM=y
> CONFIG_HW_RANDOM_TPM=y
> CONFIG_TCG_TPM=y
> CONFIG_TCG_TIS_CORE=y
> CONFIG_TCG_TIS=y
> CONFIG_TCG_TIS_SPI=y
> CONFIG_TCG_TIS_I2C=y
> CONFIG_SECURITYFS=y
I added 'MACHINE_FEATURES:append = " tpm2"' and this works for me.
As long as these symbols are built into the kernel it should work:
> root at evb-ast2600:~# grep tpm_tis_i2c /proc/kallsyms
> 8056318c t tpm_tis_i2c_remove
> 805631b0 t tpm_tis_i2c_retry_transfer_until_ack
> 8056323c t tpm_tis_i2c_write_bytes
> 80563334 t tpm_tis_i2c_verify_crc
> 805633e0 t tpm_tis_i2c_read_bytes
> 80563604 t tpm_tis_i2c_probe
> 80d23964 t tpm_tis_i2c_driver_init
>
> and in /home/tcs/work/san/openbmc/openbmc_april/openbmc/meta-aspeed/recipes-kernel/linux/linux-aspeed.inc I have these,
>
> SRC_URI += " \
> file://defconfig \
> file://rsa_oem_fitimage_key.key;sha256sum=eeb4ff2ebbfbd97b6254fe6dbaeea41067e54c65176c233ec7b2ab2decf1ddcd \
> file://rsa_oem_fitimage_key.crt;sha256sum=45f5a55497cce8040999bf9f3214d471ac7b83ab7acef41c4425a34662e8372e \
> ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm/tpm2.scc file://tpm/tpm2.cfg', '', d)} \
> ${@bb.utils.contains_any('DISTRO_FEATURES', \
> 'obmc-static-norootfs obmc-ubi-fs', \
> 'file://ubi/ubi.scc file://ubi/ubi.cfg', '', d)} \
> "
>
> Anything else needs to be done to enable TPM ?
Apart from having to use the latest QEMU with the TPM TIS I2C support (from the git repo), I don't know of anything else.
Stefan
>
> Thanks,
> Sandeep.
>
> -----Original Message-----
> From: Stefan Berger <stefanb at linux.ibm.com>
> Sent: Friday, May 5, 2023 9:41 PM
> To: Sandeep Kumar <sandeep.pkumar at tcs.com>; Cédric Le Goater <clg at kaod.org>; openbmc at lists.ozlabs.org; Ninad Palsule <ninad at linux.ibm.com>; Joel Stanley <jms at jms.id.au>; Andrew Jeffery <andrew at aj.id.au>
> Subject: Re: Integrating swtpm(as a software TPM) with OpenBMC on Qemu
>
> "External email. Open with Caution"
>
> I enable the following kernel build options for OpenBMC Linux kernel:
>
> CONFIG_TCG_TPM=y
> CONFIG_TCG_TIS_CORE=y
> CONFIG_TCG_TIS=y
> CONFIG_TCG_TIS_I2C=y
>
> With swtpm running in another terminal:
>
> while :; do swtpm socket --tpmstate dir=/tmp/mytpm1 --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock --tpm2 --log level=20; done
>
> I start qemu built from qemu git master branch tip:
>
> /tmp/qemu-system-arm -machine ast2600-evb -nographic -no-reboot -net nic -net user,hostfwd=:127.0.0.1:5722-:22,hostfwd=:127.0.0.1:5743-:443,hostfwd=udp:127.0.0.1:5723-:623 -drive file=./tmp/deploy/images/evb-ast2600/obmc-phosphor-image-evb-ast2600.static.mtd,format=raw,if=mtd -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-i2c,tpmdev=tpm0,bus=aspeed.i2c.bus.12,address=0x2e
>
> root at evb-ast2600:~# echo tpm_tis_i2c 0x2e > /sys/bus/i2c/devices/i2c-12/new_device
> [ 63.771200] tpm_tis_i2c 12-002e: 2.0 TPM (device-id 0x1, rev-id 1)
> [ 63.783927] tpm tpm0: A TPM error (256) occurred attempting the self test
> [ 63.784256] tpm tpm0: starting up the TPM manually
> [ 63.851474] i2c i2c-12: new_device: Instantiated device tpm_tis_i2c at 0x2e
>
> root at evb-ast2600:~# uname -a
> Linux evb-ast2600 6.1.15-580639a-dirty-c56bfb7-00123-gc56bfb70ebfa #1 SMP Thu Apr 6 00:55:09 UTC 2023 armv7l GNU/Linux
>
> root at evb-ast2600:~# grep tpm_tis_i2c /proc/kallsyms
> 8056318c t tpm_tis_i2c_remove
> 805631b0 t tpm_tis_i2c_retry_transfer_until_ack
> 8056323c t tpm_tis_i2c_write_bytes
> 80563334 t tpm_tis_i2c_verify_crc
> 805633e0 t tpm_tis_i2c_read_bytes
> 80563604 t tpm_tis_i2c_probe
> 80d23964 t tpm_tis_i2c_driver_init
>
> root at evb-ast2600:~# find /sys/class/tpm
> /sys/class/tpm
> /sys/class/tpm/tpm0
>
> root at evb-ast2600:~# ls -l /dev/tpm*
> crw------- 1 root root 10, 224 May 5 16:03 /dev/tpm0
> crw------- 1 root root 252, 65536 May 5 16:03 /dev/tpmrm0
>
> root at evb-ast2600:~# find /sys/ | grep pcr
> /sys/devices/platform/ahb/ahb:apb/ahb:apb:bus at 1e78a000/1e78a680.i2c-bus/i2c-12/12-002e/tpm/tpm0/pcr-sha1
> /sys/devices/platform/ahb/ahb:apb/ahb:apb:bus at 1e78a000/1e78a680.i2c-bus/i2c-12/12-002e/tpm/tpm0/pcr-sha1/17
> [... lots more entries also for sha256, sha384, and sha512 ]
>
> It seems to work as expected
>
> On 5/5/23 11:08, Sandeep Kumar wrote:
>>
>> Hi Stefan,
>>
>> Please find below my answers inline.
>>
>> Thanks,
>>
>> Sandeep.
>>
>> -----Original Message-----
>> From: Stefan Berger <stefanb at linux.ibm.com>
>> Sent: Friday, May 5, 2023 6:56 PM
>> To: Sandeep Kumar <sandeep.pkumar at tcs.com>; Cédric Le Goater
>> <clg at kaod.org>; openbmc at lists.ozlabs.org; Ninad Palsule
>> <ninad at linux.ibm.com>; Joel Stanley <jms at jms.id.au>; Andrew Jeffery
>> <andrew at aj.id.au>
>> Subject: Re: Integrating swtpm(as a software TPM) with OpenBMC on Qemu
>>
>> "External email. Open with Caution"
>>
>> On 5/5/23 01:40, Sandeep Kumar wrote:
>> > TCS Confidential
>> >
>> > Hi Stefan,
>> >
>> > Stefan: Is the kernel configured in the same way? Are you using the same kernel version?
>> > Ans:
>> > I am using the Kernel version coming with the latest openBMC without any changes.
>> > Kernel version used : Linux evb-ast2600 6.1.15-580639a #1 SMP Thu Apr 6 00:55:09 UTC 2023 armv7l GNU/Linux
>> >
>> > Stefan: What is the output of this? find /sys/class/tpm | grep pcr
>> > Ans: find: /sys/class/tpm: No such file or directory.
>> >
>> > Could you please point to the right version of kernel which has all these changes ?
>>
>> I am not aware of changes in the Linux kernel for TPM I2C and why it would not work in this kernel version.
>>
>> Does this show any files?
>>
>> find /sys | grep pcr
>>
>> *Sandeep: It doesn't show any files.*
>>
>> root at evb-ast2600:~# echo tpm_tis_i2c 0x2e > /sys/bus/i2c/devices/i2c-12/new_device
>> [ 273.273089] i2c i2c-12: new_device: Instantiated device tpm_tis_i2c at 0x2e
>> root at evb-ast2600:~#
>> root at evb-ast2600:~# find /sys | grep pcr
>> root at evb-ast2600:~#
>>
>> Do /dev/tpm0 and /dev/tpmrm0 appear after the echo ? What does dmesg show related to tpm (dmesg | grep -i tpm)?
>>
>> *Sandeep: I don't see /dev/tpm0 and /dev/tpmrm0 after the echo. Output as below,*
>>
>> root at evb-ast2600:~# echo tpm_tis_i2c 0x2e > /sys/bus/i2c/devices/i2c-12/new_device
>> [ 273.273089] i2c i2c-12: new_device: Instantiated device tpm_tis_i2c at 0x2e
>> root at evb-ast2600:~#
>> root at evb-ast2600:~# find /sys | grep pcr
>> root at evb-ast2600:~#
>> root at evb-ast2600:~# ls /dev/tpm*
>> ls: /dev/tpm*: No such file or directory
>> root at evb-ast2600:~# dmesg | grep -i tpm
>> [ 6.290898] systemd[1]: systemd 253.1^ running in system mode (+PAM -AUDIT -SELINUX -APPARMOR -IMA -SMACK +SECCOMP -GCRYPT -GNUTLS -OPENSSL -ACL +BLKID -CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC -KMOD -LIBCRYPTSETUP +LIBFDISK -PCRE2 -PWQUALITY -P11KIT -QRENCODE -TPM2 -BZIP2 -LZ4 -XZ -ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON -UTMP -SYSVINIT default-hierarchy=unified)
>> [ 273.273089] i2c i2c-12: new_device: Instantiated device tpm_tis_i2c at 0x2e
>> root at evb-ast2600:~#
>>
>> Stefan
>>
>> >
>>
>> >
>>
>> > Thanks,
>>
>> > Sandeep.
>>
>> >
>>
>> > -----Original Message-----
>>
>> > From: Stefan Berger <stefanb at linux.ibm.com
>> <mailto:stefanb at linux.ibm.com>>
>>
>> > Sent: Thursday, May 4, 2023 7:30 PM
>>
>> > To: Sandeep Kumar <sandeep.pkumar at tcs.com
>> <mailto:sandeep.pkumar at tcs.com>>; Cédric Le Goater
>>
>> > <clg at kaod.org <mailto:clg at kaod.org>>; openbmc at lists.ozlabs.org
>> <mailto:openbmc at lists.ozlabs.org>; Ninad Palsule
>>
>> > <ninad at linux.ibm.com <mailto:ninad at linux.ibm.com>>; Joel Stanley
>> <jms at jms.id.au <mailto:jms at jms.id.au>>; Andrew Jeffery
>>
>> > <andrew at aj.id.au <mailto:andrew at aj.id.au>>
>>
>> > Subject: Re: Integrating swtpm(as a software TPM) with OpenBMC on
>> Qemu
>>
>> >
>>
>> > "External email. Open with Caution"
>>
>> >
>>
>> >
>>
>> > On 5/4/23 05:12, Sandeep Kumar wrote:
>>
>> >>
>>
>> >> Hi C,
>>
>> >> I was able to build and run the image(for evb-ast2600) with swtpm.
>>
>> >> Few issues observed,
>>
>> >>
>>
>> >> 1. If I run with the flash.img provided in your github link (https://github.com/legoater/qemu-aspeed-boot/tree/master/images) everything works as expected, i.e. I get the below output.
>> >>
>> >> # echo tpm_tis_i2c 0x2e > /sys/bus/i2c/devices/i2c-12/new_device
>> >> [ 182.735902] tpm_tis_i2c 12-002e: 2.0 TPM (device-id 0x1, rev-id 1)
>> >> [ 182.773885] i2c i2c-12: new_device: Instantiated device tpm_tis_i2c at 0x2e
>> >> #
>> >> #
>> >> # cat /sys/class/tpm/tpm0/pcr-sha256/0
>> >> B804724EA13F52A9072BA87FE8FDCC497DFC9DF9AA15B9088694639C431688E0
>> >> #
>> >> #
>> >>
>> >> 2. If I run it with the locally built image, I get this error,
>>
>> >
>>
>> > Is the kernel configured in the same way? Are you using the same kernel version?
>>
>> >>
>>
>> >> root at evb-ast2600:~# echo tpm_tis_i2c 0x2e > /sys/bus/i2c/devices/i2c-12/new_device
>> >> [ 174.063597] i2c i2c-12: new_device: Instantiated device tpm_tis_i2c at 0x2e
>>
>> >
>>
>> > What is the output of this?
>>
>> >
>>
>> > find /sys/class/tpm | grep pcr
>>
>> >
>>
>> > Stefan
>>
>> >
>>
>> >> root at evb-ast2600:~# cat /sys/class/tpm/tpm0/pcr-sha256/0
>> >> cat: can't open '/sys/class/tpm/tpm0/pcr-sha256/0': No such file or directory
>> >> root at evb-ast2600:~#
>> >> root at evb-ast2600:~#
>> >>
>> >> Please do let me know about what has been done to write the values into "/sys/class/tpm/tpm0/pcr-sha256/0".
>> >>
>> >> Thanks, Sandeep.
>>
>> >> _____________________________________________
>>
>> >> *From:* Sandeep Kumar
>>
>> >> *Sent:* Thursday, April 20, 2023 5:45 PM
>>
>> >> *To:* Cédric Le Goater <clg at kaod.org>; openbmc at lists.ozlabs.org; Ninad Palsule <ninad at linux.ibm.com>; Joel Stanley <jms at jms.id.au>; Andrew Jeffery <andrew at aj.id.au>
>> >> *Subject:* RE: Integrating swtpm(as a software TPM) with OpenBMC on Qemu
>> >>
>> >> Hi C,
>> >>
>> >> How to build this image => *obmc-phosphor-image.rootfs.wic.qcow2* ? In the openBmc build directory we don't get this image built.
>> >>
>> >> Also, the remaining image formats used while running on qemu are available in the build directory, i.e. fitImage-linux.bin, aspeed-bmc-ibm-rainier.dtb and obmc-phosphor-initramfs.rootfs.cpio.xz.
>> >>
>> >> Please advise if we have to build the openbmc stack in a different way than the standard procedure. We follow the below steps for build,
>> >> 1. . setup Romulus
>> >> 2. bitbake obmc-phosphor-image
>> >>
>> >> Thanks, Sandeep.
>>
>> >> -----Original Message-----
>>
>> >> From: Sandeep Kumar
>>
>> >> Sent: Wednesday, April 19, 2023 3:00 PM
>>
>> >> To: Cédric Le Goater <clg at kaod.org>; openbmc at lists.ozlabs.org; Ninad Palsule <ninad at linux.ibm.com>; Joel Stanley <jms at jms.id.au>; Andrew Jeffery <andrew at aj.id.au>
>> >> Subject: RE: Integrating swtpm(as a software TPM) with OpenBMC on Qemu
>> >>
>> >> Hi C,
>> >>
>> >> Got it working. Looks like slirp is no longer supported on Ubuntu 18.04. Have upgraded to a newer version and it is working now.
>>
>> >> Thanks,
>>
>> >> Sandeep.
>>
>> >> -----Original Message-----
>>
>> >> From: Cédric Le Goater <clg at kaod.org>
>> >> Sent: Wednesday, April 19, 2023 2:26 PM
>> >> To: Sandeep Kumar <sandeep.pkumar at tcs.com>; openbmc at lists.ozlabs.org; Ninad Palsule <ninad at linux.ibm.com>; Joel Stanley <jms at jms.id.au>; Andrew Jeffery <andrew at aj.id.au>
>> >> Subject: Re: Integrating swtpm(as a software TPM) with OpenBMC on Qemu
>> >>
>> >> "External email. Open with Caution"
>>
>> >> Hello Sandeep
>>
>> >> On 4/18/23 09:45, Sandeep Kumar wrote:
>>
>> >>> TCS Confidential
>>
>> >>>
>>
>> >>> Hi C,
>>
>> >>> Built the qemu from your branch. Few issues,
>> >>>
>> >>> *$ ./qemu-system-arm -m 256 -M romulus-bmc -nographic -drive file=./obmc-phosphor-image-romulus.static.mtd,format=raw,if=mtd -net nic -net user,hostfwd=:127.0.0.1:2222-:22,hostfwd=:127.0.0.1:4443-:443,hostfwd=tcp:127.0.0.1:8880-:80,hostfwd=tcp:127.0.0.1:2200-:2200,hostfwd=udp:127.0.0.1:6623-:623,hostfwd=udp:127.0.0.1:6664-:664,hostname=qemu*
>> >>>
>> >>> *qemu-system-arm: -net user,hostfwd=:127.0.0.1:2222-:22,hostfwd=:127.0.0.1:4443-:443,hostfwd=tcp:127.0.0.1:8880-:80,hostfwd=tcp:127.0.0.1:2200-:2200,hostfwd=udp:127.0.0.1:6623-:623,hostfwd=udp:127.0.0.1:6664-:664,hostname=qemu: network backend 'user' is not compiled into this binary*
>> >>>
>> >>> I didn't enable the slirp package I guess. So enabled it while running configure,
>> >>>
>> >>> *$ ../configure --enable-slirp*
>> >>> *........*
>> >>> *Run-time dependency slirp found: NO (tried pkgconfig)*
>> >>> *../meson.build:681:2: ERROR: Dependency "slirp" not found, tried pkgconfig*
>> >>> *A full log can be found at /home/tcs/work/sandeep/measured_boot/ibm_qemu/qemu/build/meson-logs/meson-log.txt*
>> >>> *NOTICE: You are using Python 3.6 which is EOL. Starting with v0.62.0, Meson will require Python 3.7 or newer*
>> >>> *ERROR: meson setup failed*
>> >>>
>> >>> I have already installed slirp locally, but still getting the above error.
>>
>> >> Did you install the libslirp-dev or libslirp-devel package ?
>>
>> >> C.
>>
>> >>
>>
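As an added example (not from the thread, and not OpenBMC or QEMU project code), a small POSIX shell helper for the two checks the thread walks through: that the kernel config fragment has the TIS I2C symbols built in (=y, as Stefan's reply requires), and that the tpm_tis_i2c driver actually bound and created /sys/class/tpm/tpm0 after the new_device echo. The option list and the pcr-sha256/0 path come from the messages above; the paths are parameters so the functions can also be run against a copied .config or a sysfs snapshot.

```shell
#!/bin/sh
# Added example: sanity checks for the two failure points discussed in the thread.

# Options Stefan enables for the OpenBMC kernel; all must be built in (=y),
# because the driver is bound at runtime via new_device, not loaded as a module.
REQUIRED_TPM_OPTS="CONFIG_TCG_TPM CONFIG_TCG_TIS_CORE CONFIG_TCG_TIS CONFIG_TCG_TIS_I2C"

# check_tpm_kconfig <config-file>
# Prints every required option that is absent or not =y (e.g. =m or =n).
# Returns 0 only when all of them are =y, 1 otherwise.
check_tpm_kconfig() {
    cfg=$1
    missing=0
    for opt in $REQUIRED_TPM_OPTS; do
        # -x: whole-line match, so "CONFIG_TCG_TIS_I2C=m" does not pass
        if ! grep -qx "${opt}=y" "$cfg"; then
            echo "missing or not built-in: $opt"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# check_tpm_sysfs [sysfs-root]
# After 'echo tpm_tis_i2c 0x2e > /sys/bus/i2c/devices/i2c-12/new_device' the
# driver should have created class/tpm/tpm0 with per-bank PCR files. A bare
# "Instantiated device" line in dmesg without a "2.0 TPM (device-id ...)" line
# means the device node was registered but the driver never probed the chip.
# Returns 0 if the SHA-256 PCR 0 file exists under the given root, 1 otherwise.
check_tpm_sysfs() {
    root=${1:-/sys}
    pcr0="$root/class/tpm/tpm0/pcr-sha256/0"
    if [ -r "$pcr0" ]; then
        echo "tpm0 present, PCR0 (sha256): $(cat "$pcr0")"
        return 0
    fi
    echo "no tpm0 under $root/class/tpm: driver did not bind (check: dmesg | grep -i tpm)"
    return 1
}
```

Run on the BMC as root after the new_device echo, e.g. `check_tpm_kconfig /proc/config.gz` is not possible directly, so point it at the tpm2.cfg fragment or the build tree's .config, and call `check_tpm_sysfs` with no argument for the live /sys.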