[SLOF] [PATCH v4 00/33] Add vTPM support to SLOF

Alexey Kardashevskiy aik at ozlabs.ru
Thu Dec 19 10:05:30 AEDT 2019


Hey,

It's been a while since the last attempt :) 33 is a lot! Comments below...

On 12/12/2019 07:26, Stefan Berger wrote:
> I am reposting this series of patches for adding vTPM support
> to SLOF. The series has grown over time due to addition of
> vTPM 2.0 support. The vTPM (1.2 & 2) SLOF code leans on the code I

Where are these versions from? PAPR (I did not look deep though) or something else? Do we have to/want to implement
anything but v2.0? What other pieces need SLOF to support v1.2 - grub, linux, qemu, aix, freebsd?


> upstreamed to SeaBIOS and where Kevin O'Connor (cc'ed) has also made
> changes to and given me permission to contribute the combined code to
> SLOF under the BSD license. One goal is to keep the two code bases in
> sync as much as possible.
> 
> I expect that PAPR vTPM support will become available in QEMU 5.0.

01/33 refers to tpm-next+spapr.v3 and there is a newer v6 and now you say it is qemu 5.0, which statement is correct?

01/33 refers to libtpms/swtpm - are these standard libraries/tools available from distros (my ubuntu 18.04 does not have
libtpms)? Does qemu v5.0 depend on these? Or can these be added as submodules? Do we need both libraries? It must be
documented somewhere then, so you do not have to document it in 01/33. A few command line examples (one for qemu and one
for swtpm) in the cover letter should be enough.

In general, it is too many small patches, and later patches change what an earlier patch in the series did, such as 26/33,
31/33; please avoid that - it might represent how you developed those but it is useless when bisecting.

Either add commit logs into 29/33, 30/33, 31/33, 33/33, or (better) merge them in one patch.

Also please organize the series as:
1. prerequisites (03/33, 28/33,...)
2. vtpm v1.2 driver (if we still need it)
3. vtpm v2.0 (avoid reorganising code from the previous step)
4. implement menu item

btw do we really want the menu? Can this (whatever the menu does) be done by the QEMU command line, some properties of
the new tpm-spapr device? Thanks,


> 
> The following series of patches adds TPM support to SLOF.
> In particular it adds the following:
> 
> - TPM drivers for hardware interface and CRQ interface
> - TPM initialization
> - TPM logging area and firmware API to transfer it to the OS
>   (measurements are visible in sysfs)
> - Some measurement code (Static Core Root Of Trust)
> - TPM menu (accessible via 't' key during boot if TPM is available)
> - Firmware API extensions following Power Firmware Doc
>   (to make trusted grub work)
> - TPM 2.0 support (logs are written in little endian format for TPM 2.0)
> 
> Having a vTPM attached to a VM provides the following benefits:
> 
> - enablement of trusted boot; this allow us to eventually extend the chain 
>   of trust from the hypervisor to the guests
> - enablement of attestation so that one can verify what software is 
>   running on a machine
> - provides TPM functionality to VMs, which includes a standardized 
>   mechanism to store keys and other blobs
>   (Linux trusted keys, GNU TLS's TPM extensions)
> 
> Necessarily, some of its parts are written in Forth, many are written
> in 'C'. The extensions are known to work with QEMU for ppc64 running Linux.
> 
> v3->v4:
>   - Added TPM 2.0 support
> 
> v2->v3:
>   - Addressed Thomas Huth's comments.
>   - Rearranged patches and merged some patches.
>   - Followed some of the changes made by K. O'Connor (SeaBIOS).
> 
> v1->v2:
>   - Addressed Nikunj's comments
>   - Since last post in August I added 3 more patches to the end of the series
>     and one in 13th place.
> 
> Stefan Berger (33):
>   tpm: Add a TPM driver implementation
>   tpm: Add TPM initialization support
>   tpm: Add sha1 implementation
>   tpm: Add initial support for logging
>   tpm: Extend firmware API
>   tpm: Return value of actual log in sml-get-handover-size
>   tpm: Add sml related nodes to vdevice/vtpm node
>   tpm: Implement measurements of the master boot record
>   tpm: Add support for controlling the states of the TPM
>   tpm: Add support for a TPM menu to control the state of the TPM
>   tpm: Measure the static core root of trust for measurements
>   tpm: Add TPM firmware API call get-maximum-cmd-size
>   tpm: Add TPM firmware API call pass-through-to-tpm
>   tpm: Add TPM firmware API call get-state
>   tpm: Add TPM firmware API call get-failure-reason
>   tpm: Add TPM firmware API call reformat-sml-to-efi-alignment
>   tpm: Set the driver in pseudo failure state after handover
>   tpm: Add function to for getting version of TPM
>   tpm: Implement log related 32 bit endian conversion functions
>   tpm2: prepare tpmhw_transmit for TPM2 commands
>   tpm2: support TPM2 in tpm_set_failure
>   tpm2: Implement tpm20_startup()
>   tpm2: implement 2nd part of tpm20_start()
>   tpm2: Rework the logging and implement tpm20_extend()
>   tpm2: refactor tpm_unassert_physical_presence for TPM2
>   tpm2: Prefix functions with tpm12_ and adapt for TPM 2 case
>   tpm2: Implement tpm20_process_cfg, tpm20_clear, and tpm20_clearcontrol
>   slof: Implement SLOF_get_keystroke
>   tpm2: Implement TPM 2 menu with choice to clear the TPM 2
>   tpm2: implement tpm20_prepboot
>   tpm2: Use a table to convert the hash to the buffer size it needs.
>   tpm2: Implement TPM 2.0 menu item to activate and deactivte PCR banks
>   tpm2: Include vio-vtpm-cdriver.fs if IBM,vtpm20 is specified
> 
>  board-qemu/Makefile                 |    2 +-
>  board-qemu/slof/Makefile            |   13 +-
>  board-qemu/slof/OF.fs               |    3 +
>  board-qemu/slof/tree.fs             |    6 +
>  board-qemu/slof/vio-vtpm-cdriver.fs |  184 +++
>  board-qemu/slof/vtpm-sml.fs         |  387 ++++++
>  include/helpers.h                   |    4 +
>  lib/Makefile                        |    2 +-
>  lib/libtpm/Makefile                 |   50 +
>  lib/libtpm/Readme                   |   95 ++
>  lib/libtpm/sha1.c                   |  197 +++
>  lib/libtpm/sha1.h                   |   20 +
>  lib/libtpm/tcgbios.c                | 1932 +++++++++++++++++++++++++++
>  lib/libtpm/tcgbios.h                |   54 +
>  lib/libtpm/tcgbios_int.h            |  404 ++++++
>  lib/libtpm/tpm.code                 |  234 ++++
>  lib/libtpm/tpm.in                   |   36 +
>  lib/libtpm/tpm_drivers.c            |  501 +++++++
>  lib/libtpm/tpm_drivers.h            |  104 ++
>  slof/fs/packages/disk-label.fs      |   10 +-
>  slof/fs/start-up.fs                 |   16 +
>  slof/helpers.c                      |   17 +
>  22 files changed, 4265 insertions(+), 6 deletions(-)
>  create mode 100644 board-qemu/slof/vio-vtpm-cdriver.fs
>  create mode 100644 board-qemu/slof/vtpm-sml.fs
>  create mode 100644 lib/libtpm/Makefile
>  create mode 100644 lib/libtpm/Readme
>  create mode 100644 lib/libtpm/sha1.c
>  create mode 100644 lib/libtpm/sha1.h
>  create mode 100644 lib/libtpm/tcgbios.c
>  create mode 100644 lib/libtpm/tcgbios.h
>  create mode 100644 lib/libtpm/tcgbios_int.h
>  create mode 100644 lib/libtpm/tpm.code
>  create mode 100644 lib/libtpm/tpm.in
>  create mode 100644 lib/libtpm/tpm_drivers.c
>  create mode 100644 lib/libtpm/tpm_drivers.h
> 

-- 
Alexey
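The cover letter quoted above lists a measurement log handed to the OS, measurement of the master boot record, and little-endian TPM 2.0 log records. As an added illustration of what a consumer of such a log does (this is not code from the SLOF series or from SeaBIOS), the following example builds a constructed two-entry log in TCG_PCR_EVENT2 layout, parses it back, and replays the PCR extends so the result can be compared with PCR values read from the TPM. Assumptions: the event type EV_IPL is used for the MBR entry and the sample MBR bytes are made up; the EV_NO_ACTION "Spec ID" header record that real TPM 2.0 logs start with is omitted here.

```python
import hashlib
import struct

# TCG algorithm identifiers and event types used below
TPM_ALG_SHA1 = 0x0004
TPM_ALG_SHA256 = 0x000B
DIGEST_SIZE = {TPM_ALG_SHA1: 20, TPM_ALG_SHA256: 32}
HASH_NAME = {TPM_ALG_SHA1: "sha1", TPM_ALG_SHA256: "sha256"}
EV_S_CRTM_VERSION = 0x00000008
EV_IPL = 0x0000000D  # assumption: used here for the MBR measurement

# Constructed sample MBR: 446-byte code area, 64-byte partition table, 0x55AA signature
SAMPLE_MBR = bytes(440) + b"\x12\x34\x56\x78" + bytes(2) + bytes(64) + b"\x55\xaa"


def digest(alg, data):
    return hashlib.new(HASH_NAME[alg], data).digest()


def pcr_extend(pcr, value, alg):
    """PCR extend as the TPM does it: PCR_new = H(PCR_old || value)."""
    return digest(alg, pcr + value)


def encode_event2(pcr_index, event_type, digests, event):
    """Serialise one TCG_PCR_EVENT2 record; all integers are little endian."""
    out = struct.pack("<III", pcr_index, event_type, len(digests))
    for alg, d in digests.items():
        if len(d) != DIGEST_SIZE[alg]:
            raise ValueError("digest size does not match algorithm")
        out += struct.pack("<H", alg) + d
    return out + struct.pack("<I", len(event)) + event


def measure(data, pcr_index, event_type, desc, algs):
    """Hash data with every active PCR bank and emit the matching log record."""
    return encode_event2(pcr_index, event_type, {a: digest(a, data) for a in algs}, desc)


def parse_event2_log(blob):
    """Parse consecutive TCG_PCR_EVENT2 records; every length is bounds-checked."""
    events, off, end = [], 0, len(blob)
    while off < end:
        if off + 12 > end:
            raise ValueError("truncated event header")
        pcr_index, event_type, count = struct.unpack_from("<III", blob, off)
        off += 12
        digests = {}
        for _ in range(count):
            if off + 2 > end:
                raise ValueError("truncated digest list")
            (alg,) = struct.unpack_from("<H", blob, off)
            off += 2
            if alg not in DIGEST_SIZE:
                raise ValueError("unknown digest algorithm 0x%04x" % alg)
            size = DIGEST_SIZE[alg]
            if off + size > end:
                raise ValueError("truncated digest")
            digests[alg] = blob[off:off + size]
            off += size
        if off + 4 > end:
            raise ValueError("truncated event size")
        (event_size,) = struct.unpack_from("<I", blob, off)
        off += 4
        if off + event_size > end:
            raise ValueError("truncated event data")
        events.append((pcr_index, event_type, digests, blob[off:off + event_size]))
        off += event_size
    return events


def is_well_formed(blob):
    try:
        parse_event2_log(blob)
        return True
    except ValueError:
        return False


def replay(events, alg, num_pcrs=24):
    """Recompute PCR values of one bank from the log; PCRs start at all zeros."""
    pcrs = [bytes(DIGEST_SIZE[alg])] * num_pcrs
    for pcr_index, _, digests, _ in events:
        if alg in digests and pcr_index < num_pcrs:
            pcrs[pcr_index] = pcr_extend(pcrs[pcr_index], digests[alg], alg)
    return pcrs


def verify(log, alg, tpm_pcrs):
    """True when the replayed log matches PCR values read from the TPM (caller supplied)."""
    pcrs = replay(parse_event2_log(log), alg)
    return all(pcrs[i] == v for i, v in tpm_pcrs.items())


def build_sample_log(algs=(TPM_ALG_SHA1, TPM_ALG_SHA256)):
    """Constructed log: a firmware version string into PCR 0, then the MBR into PCR 4."""
    log = measure(b"SLOF-example", 0, EV_S_CRTM_VERSION, b"SLOF-example", algs)
    return log + measure(SAMPLE_MBR, 4, EV_IPL, b"master boot record", algs)


if __name__ == "__main__":
    log = build_sample_log()
    for alg in (TPM_ALG_SHA1, TPM_ALG_SHA256):
        print("PCR4 %s: %s" % (HASH_NAME[alg], replay(parse_event2_log(log), alg)[4].hex()))
```

The replay only proves that the log is consistent with the PCRs; an attestation still needs the PCR values from a TPM quote, which is why `verify` takes them as input instead of trusting the log. The bounds checks matter because the log is an untrusted blob once it has been handed from firmware to the OS.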

