[SLOF] [PATCH 00/16] Add vTPM support to SLOF

Stefan Berger stefanb at us.ibm.com
Fri Aug 14 10:22:17 AEST 2015

David Gibson <david at gibson.dropbear.id.au> wrote on 08/11/2015 10:13:45 

> From: David Gibson <david at gibson.dropbear.id.au>
> To: Stefan Berger <stefanb at linux.vnet.ibm.com>
> Cc: slof at lists.ozlabs.org, nikunj at linux.vnet.ibm.com, 
> aik at au1.ibm.com, pmac at au1.ibm.com, Tim Block/Rochester/IBM at IBMUS, 
> Stefan Berger/Watson/IBM at IBMUS, Hon c Lo/Poughkeepsie/IBM at IBMUS, 
> George Wilson/Austin/IBM at IBMUS, Dimitrios Pendarakis/Watson/
> IBM at IBMUS, Joy Latten/Austin/IBM at IBMUS
> Date: 08/11/2015 10:41 PM
> Subject: Re: [SLOF] [PATCH 00/16] Add vTPM support to SLOF
> On Mon, Aug 10, 2015 at 06:55:10AM -0400, Stefan Berger wrote:
> > The following series of patches adds TPM support to SLOF.
> > In particular it adds the following:
> > 
> > - TPM drivers for hardware interface and CRQ interface
> > - TPM initialization
> > - TPM logging area and firmware API to transfer it to the OS
> >   (measurements are visible in sysfs)
> > - Some measurement code (Static Core Root Of Trust)
> > - TPM menu (accessible via 't' key during boot if TPM is available)
> > - Firmware API extensions following Power Firmware Doc
> >   (to make trusted grub work)
> > 
> > Necessarily, some of its parts are written in Forth, many are written
> > in 'C'. The extensions are known to work with QEMU for ppc64 running 
> > 
> > Patches 4-6 will eventually need to be merged to avoid compiler 
> > related to unused functions.
> So, your cover letter seems to be missing the single most important
> bit of information:  why is this useful?

The firmware extensions are necessary for initializing the TPM, 
a core root of trust for measurements, etc, which is required for systems 
an attached TPM. The same is then true for systems with an attached vTPM.

Otherwise having a vTPM attached to a VM provides the following benefits:

- enablement of trusted boot; this allow us to eventually extend the chain 
of trust from the hypervisor to the guests
- enablement of attestation so that one can verify what software is 
running on a machine
- provides TPM functionality to VMs, which includes a standardized 
mechanism to store keys and other blobs
  (Linux trusted keys, GNU TLS's TPM extensions)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ozlabs.org/pipermail/slof/attachments/20150813/9f9e03a2/attachment.html>

More information about the SLOF mailing list