[SLOF] [PATCH v4 00/33] Add vTPM support to SLOF

Stefan Berger stefanb at linux.vnet.ibm.com
Thu Dec 12 07:26:55 AEDT 2019

I am reposting this series of patches for adding vTPM support
to SLOF. The series has grown over time due to addition of
vTPM 2.0 support. The vTPM (1.2 & 2) SLOF code leans on the code I
upstreamed to SeaBIOS and where Kevin O'Connor (cc'ed) has also made
changes to and given me permission to contribute the combined code to
SLOF under the BSD license. One goal is to keep the two code bases in
sync as much as possible.

I expect that PAPR vTPM support will become available in QEMU 5.0.

The following series of patches adds TPM support to SLOF.
In particular it adds the following:

- TPM drivers for hardware interface and CRQ interface
- TPM initialization
- TPM logging area and firmware API to transfer it to the OS
  (measurements are visible in sysfs)
- Some measurement code (Static Core Root Of Trust)
- TPM menu (accessible via 't' key during boot if TPM is available)
- Firmware API extensions following Power Firmware Doc
  (to make trusted grub work)
- TPM 2.0 support (logs are written in little endian format for TPM 2.0)

Having a vTPM attached to a VM provides the following benefits:

- enablement of trusted boot; this allows us to eventually extend the chain
  of trust from the hypervisor to the guests
- enablement of attestation so that one can verify what software is
  running on a machine
- provides TPM functionality to VMs, which includes a standardized
  mechanism to store keys and other blobs
  (Linux trusted keys, GNU TLS's TPM extensions)

Necessarily, some of its parts are written in Forth, many are written
in 'C'. The extensions are known to work with QEMU for ppc64 running Linux.

  - Added TPM 2.0 support

  - Addressed Thomas Huth's comments.
  - Rearranged patches and merged some patches.
  - Followed some of the changes made by K. O'Connor (SeaBIOS).

  - Addressed Nikunj's comments
  - Since last post in August I added 3 more patches to the end of the series
    and one in 13th place.

Stefan Berger (33):
  tpm: Add a TPM driver implementation
  tpm: Add TPM initialization support
  tpm: Add sha1 implementation
  tpm: Add initial support for logging
  tpm: Extend firmware API
  tpm: Return value of actual log in sml-get-handover-size
  tpm: Add sml related nodes to vdevice/vtpm node
  tpm: Implement measurements of the master boot record
  tpm: Add support for controlling the states of the TPM
  tpm: Add support for a TPM menu to control the state of the TPM
  tpm: Measure the static core root of trust for measurements
  tpm: Add TPM firmware API call get-maximum-cmd-size
  tpm: Add TPM firmware API call pass-through-to-tpm
  tpm: Add TPM firmware API call get-state
  tpm: Add TPM firmware API call get-failure-reason
  tpm: Add TPM firmware API call reformat-sml-to-efi-alignment
  tpm: Set the driver in pseudo failure state after handover
  tpm: Add function for getting version of TPM
  tpm: Implement log related 32 bit endian conversion functions
  tpm2: prepare tpmhw_transmit for TPM2 commands
  tpm2: support TPM2 in tpm_set_failure
  tpm2: Implement tpm20_startup()
  tpm2: implement 2nd part of tpm20_start()
  tpm2: Rework the logging and implement tpm20_extend()
  tpm2: refactor tpm_unassert_physical_presence for TPM2
  tpm2: Prefix functions with tpm12_ and adapt for TPM 2 case
  tpm2: Implement tpm20_process_cfg, tpm20_clear, and tpm20_clearcontrol
  slof: Implement SLOF_get_keystroke
  tpm2: Implement TPM 2 menu with choice to clear the TPM 2
  tpm2: implement tpm20_prepboot
  tpm2: Use a table to convert the hash to the buffer size it needs.
  tpm2: Implement TPM 2.0 menu item to activate and deactivate PCR banks
  tpm2: Include vio-vtpm-cdriver.fs if IBM,vtpm20 is specified

 board-qemu/Makefile                 |    2 +-
 board-qemu/slof/Makefile            |   13 +-
 board-qemu/slof/OF.fs               |    3 +
 board-qemu/slof/tree.fs             |    6 +
 board-qemu/slof/vio-vtpm-cdriver.fs |  184 +++
 board-qemu/slof/vtpm-sml.fs         |  387 ++++++
 include/helpers.h                   |    4 +
 lib/Makefile                        |    2 +-
 lib/libtpm/Makefile                 |   50 +
 lib/libtpm/Readme                   |   95 ++
 lib/libtpm/sha1.c                   |  197 +++
 lib/libtpm/sha1.h                   |   20 +
 lib/libtpm/tcgbios.c                | 1932 +++++++++++++++++++++++++++
 lib/libtpm/tcgbios.h                |   54 +
 lib/libtpm/tcgbios_int.h            |  404 ++++++
 lib/libtpm/tpm.code                 |  234 ++++
 lib/libtpm/tpm.in                   |   36 +
 lib/libtpm/tpm_drivers.c            |  501 +++++++
 lib/libtpm/tpm_drivers.h            |  104 ++
 slof/fs/packages/disk-label.fs      |   10 +-
 slof/fs/start-up.fs                 |   16 +
 slof/helpers.c                      |   17 +
 22 files changed, 4265 insertions(+), 6 deletions(-)
 create mode 100644 board-qemu/slof/vio-vtpm-cdriver.fs
 create mode 100644 board-qemu/slof/vtpm-sml.fs
 create mode 100644 lib/libtpm/Makefile
 create mode 100644 lib/libtpm/Readme
 create mode 100644 lib/libtpm/sha1.c
 create mode 100644 lib/libtpm/sha1.h
 create mode 100644 lib/libtpm/tcgbios.c
 create mode 100644 lib/libtpm/tcgbios.h
 create mode 100644 lib/libtpm/tcgbios_int.h
 create mode 100644 lib/libtpm/tpm.code
 create mode 100644 lib/libtpm/tpm.in
 create mode 100644 lib/libtpm/tpm_drivers.c
 create mode 100644 lib/libtpm/tpm_drivers.h
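The cover letter names "measurements of the master boot record", the Static Core Root of Trust, the log handed over to the OS, and attestation as what the vTPM enables. The mechanism behind all of them is the same: firmware hashes an object, extends the digest into a PCR (PCR[i] = SHA1(PCR[i] || digest)), and appends an event to a log; a verifier later replays the log from all-zero PCRs and checks that it reproduces the quoted values. The C program below is an added example, not SLOF's libtpm/tcgbios.c or its sha1.c: it carries its own minimal SHA-1, a toy in-memory TPM state (`tpm_state`, `measure`, `replay_matches` are names chosen here), measures a constructed firmware string into PCR 0 and a constructed 512-byte boot sector into PCR 4, and then shows that a single flipped bit in the log breaks the replay check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 20
#define PCR_COUNT  24
#define MAX_EVENTS 16
#define EV_POST_CODE 1   /* TCG event type: firmware code */
#define EV_IPL       13  /* TCG event type: boot loader / MBR code */

static uint32_t rol32(uint32_t x, unsigned n) { return (x << n) | (x >> (32 - n)); }

/* Compress one 64-byte block into the SHA-1 state h (FIPS 180-4). */
static void sha1_block(uint32_t h[5], const uint8_t blk[64])
{
    uint32_t w[80], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4], i;
    for (i = 0; i < 16; i++)
        w[i] = (uint32_t)blk[4 * i] << 24 | (uint32_t)blk[4 * i + 1] << 16 |
               (uint32_t)blk[4 * i + 2] << 8 | blk[4 * i + 3];
    for (i = 16; i < 80; i++)
        w[i] = rol32(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1);
    for (i = 0; i < 80; i++) {
        uint32_t f, k, t;
        if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
        else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
        else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
        else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
        t = rol32(a, 5) + f + e + k + w[i];
        e = d; d = c; c = rol32(b, 30); b = a; a = t;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
}

/* Single-shot SHA-1, written for this example (not SLOF's sha1.c). */
void sha1(const uint8_t *msg, size_t len, uint8_t out[DIGEST_LEN])
{
    uint32_t h[5] = { 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0 };
    uint8_t blk[64];
    uint64_t bits = (uint64_t)len * 8;
    size_t off = 0, rem;
    int i;
    for (; len - off >= 64; off += 64) sha1_block(h, msg + off);
    rem = len - off;                       /* 0..63 tail bytes still to pad */
    memset(blk, 0, 64); memcpy(blk, msg + off, rem); blk[rem] = 0x80;
    if (rem >= 56) { sha1_block(h, blk); memset(blk, 0, 64); } /* length needs a 2nd block */
    for (i = 0; i < 8; i++) blk[56 + i] = (uint8_t)(bits >> (56 - 8 * i));
    sha1_block(h, blk);
    for (i = 0; i < 5; i++) {
        out[4 * i] = h[i] >> 24; out[4 * i + 1] = h[i] >> 16;
        out[4 * i + 2] = h[i] >> 8; out[4 * i + 3] = h[i];
    }
}

/* One event of a TCG 1.2-style log: PCR index, event type, digest, description. */
struct event { uint32_t pcr; uint32_t type; uint8_t digest[DIGEST_LEN]; char desc[24]; };
struct tpm_state { uint8_t pcr[PCR_COUNT][DIGEST_LEN]; struct event log[MAX_EVENTS]; size_t nevents; };

void tpm_reset(struct tpm_state *t) { memset(t, 0, sizeof *t); } /* PCRs start all-zero */

/* TPM_Extend semantics: PCR[i] = SHA1(PCR[i] || digest); the order of extends matters. */
int tpm_extend(struct tpm_state *t, uint32_t idx, const uint8_t digest[DIGEST_LEN])
{
    uint8_t buf[2 * DIGEST_LEN];
    if (idx >= PCR_COUNT) return -1;
    memcpy(buf, t->pcr[idx], DIGEST_LEN); memcpy(buf + DIGEST_LEN, digest, DIGEST_LEN);
    sha1(buf, sizeof buf, t->pcr[idx]);
    return 0;
}

/* Firmware side: hash the object, extend the PCR, append an event for the OS to read. */
int measure(struct tpm_state *t, uint32_t idx, uint32_t type, const void *data, size_t len, const char *desc)
{
    struct event *ev;
    if (t->nevents >= MAX_EVENTS) return -1;
    ev = &t->log[t->nevents];
    sha1(data, len, ev->digest);
    if (tpm_extend(t, idx, ev->digest)) return -1;
    ev->pcr = idx; ev->type = type;
    snprintf(ev->desc, sizeof ev->desc, "%s", desc);
    t->nevents++;
    return 0;
}

/* Verifier side: replay the log from reset state; 1 if it reproduces all PCR_COUNT*20 PCR bytes. */
int replay_matches(const struct event *log, size_t n, const uint8_t *pcr)
{
    struct tpm_state r; size_t i;
    tpm_reset(&r);
    for (i = 0; i < n; i++)
        if (tpm_extend(&r, log[i].pcr, log[i].digest)) return 0;
    return memcmp(r.pcr, pcr, sizeof r.pcr) == 0;
}

void hex20(const uint8_t d[DIGEST_LEN], char out[2 * DIGEST_LEN + 1])
{
    int i;
    for (i = 0; i < DIGEST_LEN; i++) sprintf(out + 2 * i, "%02x", d[i]);
}

int main(void)
{
    struct tpm_state t; uint8_t mbr[512]; char hx[2 * DIGEST_LEN + 1]; size_t i;
    const char *fw = "constructed-firmware-image";           /* constructed sample input */
    tpm_reset(&t);
    memset(mbr, 0, sizeof mbr); mbr[510] = 0x55; mbr[511] = 0xAA; /* constructed boot sector */
    measure(&t, 0, EV_POST_CODE, fw, strlen(fw), "firmware");
    measure(&t, 4, EV_IPL, mbr, sizeof mbr, "MBR of boot disk");
    for (i = 0; i < t.nevents; i++) {
        hex20(t.log[i].digest, hx);
        printf("event %zu: PCR%u type %u %s %s\n", i, t.log[i].pcr, t.log[i].type, hx, t.log[i].desc);
    }
    hex20(t.pcr[4], hx);
    printf("PCR4 = %s\nreplay matches: %d\n", hx, replay_matches(t.log, t.nevents, t.pcr[0]));
    t.log[1].digest[0] ^= 1;       /* a tampered log no longer explains the quoted PCRs */
    printf("after tampering: %d\n", replay_matches(t.log, t.nevents, t.pcr[0]));
    return 0;
}
```

The replay check is what makes the log trustworthy without the log itself being protected: an attacker can edit the log the OS exposes in sysfs, but cannot make the edited log replay to the PCR values the TPM actually holds, because the extend chain is order-dependent and one-way.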