[SLOF] [PATCH v2 00/20] Add vTPM support to SLOF
Nikunj A Dadhania
nikunj at linux.vnet.ibm.com
Tue Nov 24 17:20:28 AEDT 2015
Stefan Berger <stefanb at us.ibm.com> writes:
> The following series of patches adds TPM support to SLOF.
> In particular it adds the following:
> - TPM drivers for hardware interface and CRQ interface
> - TPM initialization
> - TPM logging area and firmware API to transfer it to the OS
> (measurements are visible in sysfs)
> - Some measurement code (Static Core Root Of Trust)
> - TPM menu (accessible via 't' key during boot if TPM is available)
> - Firmware API extensions following Power Firmware Doc
> (to make trusted grub work)
> Having a vTPM attached to a VM provides the following benefits:
> - enablement of trusted boot; this allows us to eventually extend the chain
> of trust from the hypervisor to the guests
> - enablement of attestation so that one can verify what software is
> running on a machine
> - provides TPM functionality to VMs, which includes a standardized
> mechanism to store keys and other blobs
> (Linux trusted keys, GNU TLS's TPM extensions)
A documentation patch, say in lib/libtpm/README, will be useful for the
future. It should at least cover the following topics:
* What is the TPM?
* Why is it useful?
* What is the use case? (include qemu commandline)
* Difference between Secure Boot and Trusted boot
* Is support for v2.0 planned?
On the other hand, can TPM be extended to become something like Secure
Currently, we only measure and log the findings, while at some later
point of time in the guest the action to stop the VM can be taken. Can
this preventive step be taken at SLOF automatically without user
intervention? If not, why?