QUEMU and TPM2 device emulation

QUEMU and TPM2 device emulation

[Roberts, William C]

Has anyone ever setup a QUEMU instance with a virtualized TPM? I need to try and replicate an issue with the in-kernel Resource manager. My goal is to use the integrated QUEMU support
To bring up an emulated TPM device and it's associated RM node @ /dev/tpmrm0.

I am looking at:
https://android.googlesource.com/platform/external/qemu/+/emu-master-dev/docs/specs/tpm.txt

Which shows this command:

qemu-system-x86_64 -display sdl -enable-kvm \
  -m 1024 -boot d -bios bios-256k.bin -boot menu=on \
  -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \
  -tpmdev emulator,id=tpm0,chardev=chrtpm \
  -device tpm-tis,tpmdev=tpm0 test.img

<snip>
#> dmesg | grep -i tpm
[    0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1)

I have a few questions around this that I cannot seem to dig up any documentation on:
1. How to specify TPM2.0 device? The project https://github.com/stefanberger/swtpm/wiki seems to indicate it would be supported.

2. Does anyone know the minimum QUEMU version for this support? I looked in the CHANGELOG here, https://wiki.qemu.org/ChangeLog from version 2.8 to 5.2 and never saw anything
Call out TPM 2.0 specifically.

3. Does anyone have or know of better documentation to set this up? If their isn't better documentation, should we (read I) create it? This seems like a pretty handy feature.

Thanks,
Bill

[tpm2] QUEMU and TPM2 device emulation

[Roberts, William C]

[-- Attachment #1: Type: text/plain, Size: 1375 bytes --]

Has anyone ever setup a QUEMU instance with a virtualized TPM? I need to try and replicate an issue with the in-kernel Resource manager. My goal is to use the integrated QUEMU support
To bring up an emulated TPM device and it's associated RM node @ /dev/tpmrm0.

I am looking at:
https://android.googlesource.com/platform/external/qemu/+/emu-master-dev/docs/specs/tpm.txt

Which shows this command:

qemu-system-x86_64 -display sdl -enable-kvm \
  -m 1024 -boot d -bios bios-256k.bin -boot menu=on \
  -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \
  -tpmdev emulator,id=tpm0,chardev=chrtpm \
  -device tpm-tis,tpmdev=tpm0 test.img

<snip>
#> dmesg | grep -i tpm
[    0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1)

I have a few questions around this that I cannot seem to dig up any documentation on:
1. How to specify TPM2.0 device? The project https://github.com/stefanberger/swtpm/wiki seems to indicate it would be supported.

2. Does anyone know the minimum QUEMU version for this support? I looked in the CHANGELOG here, https://wiki.qemu.org/ChangeLog from version 2.8 to 5.2 and never saw anything
Call out TPM 2.0 specifically.

3. Does anyone have or know of better documentation to set this up? If their isn't better documentation, should we (read I) create it? This seems like a pretty handy feature.

Thanks,
Bill

Re: QUEMU and TPM2 device emulation

[Serge E. Hallyn]

On Wed, Oct 14, 2020 at 03:27:53PM +0000, Roberts, William C wrote:
> Has anyone ever setup a QUEMU instance with a virtualized TPM? I need to try and replicate an issue with the in-kernel Resource manager. My goal is to use the integrated QUEMU support
> To bring up an emulated TPM device and it's associated RM node @ /dev/tpmrm0.
> 
> I am looking at:
> https://android.googlesource.com/platform/external/qemu/+/emu-master-dev/docs/specs/tpm.txt
> 
> Which shows this command:
> 
> qemu-system-x86_64 -display sdl -enable-kvm \
>   -m 1024 -boot d -bios bios-256k.bin -boot menu=on \
>   -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \
>   -tpmdev emulator,id=tpm0,chardev=chrtpm \
>   -device tpm-tis,tpmdev=tpm0 test.img
> 
> <snip>
> #> dmesg | grep -i tpm
> [    0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1)
> 
> I have a few questions around this that I cannot seem to dig up any documentation on:
> 1. How to specify TPM2.0 device? The project https://github.com/stefanberger/swtpm/wiki seems to indicate it would be supported.
> 
> 2. Does anyone know the minimum QUEMU version for this support? I looked in the CHANGELOG here, https://wiki.qemu.org/ChangeLog from version 2.8 to 5.2 and never saw anything
> Call out TPM 2.0 specifically.

2.11 should suffice.

> 3. Does anyone have or know of better documentation to set this up? If their isn't better documentation, should we (read I) create it? This seems like a pretty handy feature.

I'm not sure how relevant this is any more, but I did this about two years ago
and documented it at https://s3hh.wordpress.com/2018/06/03/tpm-2-0-in-qemu/

Scott and/or Ryan (added to cc:) may have done it more recently.

RE: QUEMU and TPM2 device emulation

[Roberts, William C]

> -----Original Message-----
> From: Serge E. Hallyn <serge@hallyn.com>
> Sent: Wednesday, October 14, 2020 10:58 AM
> To: Roberts, William C <william.c.roberts@intel.com>
> Cc: tpm2@lists.01.org; ryaharpe@cisco.com; scmoser@cisco.com; linux-
> integrity@vger.kernel.org
> Subject: Re: QUEMU and TPM2 device emulation
> 
> On Wed, Oct 14, 2020 at 03:27:53PM +0000, Roberts, William C wrote:
> > Has anyone ever setup a QUEMU instance with a virtualized TPM? I need
> > to try and replicate an issue with the in-kernel Resource manager. My goal is to
> use the integrated QUEMU support To bring up an emulated TPM device and it's
> associated RM node @ /dev/tpmrm0.
> >
> > I am looking at:
> > https://android.googlesource.com/platform/external/qemu/+/emu-master-d
> > ev/docs/specs/tpm.txt
> >
> > Which shows this command:
> >
> > qemu-system-x86_64 -display sdl -enable-kvm \
> >   -m 1024 -boot d -bios bios-256k.bin -boot menu=on \
> >   -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \
> >   -tpmdev emulator,id=tpm0,chardev=chrtpm \
> >   -device tpm-tis,tpmdev=tpm0 test.img
> >
> > <snip>
> > #> dmesg | grep -i tpm
> > [    0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1)
> >
> > I have a few questions around this that I cannot seem to dig up any
> documentation on:
> > 1. How to specify TPM2.0 device? The project
> https://github.com/stefanberger/swtpm/wiki seems to indicate it would be
> supported.
> >
> > 2. Does anyone know the minimum QUEMU version for this support? I
> > looked in the CHANGELOG here, https://wiki.qemu.org/ChangeLog from
> version 2.8 to 5.2 and never saw anything Call out TPM 2.0 specifically.
> 
> 2.11 should suffice.
> 
> > 3. Does anyone have or know of better documentation to set this up? If their
> isn't better documentation, should we (read I) create it? This seems like a pretty
> handy feature.
> 
> I'm not sure how relevant this is any more, but I did this about two years ago and
> documented it at https://s3hh.wordpress.com/2018/06/03/tpm-2-0-in-qemu/

Thanks, yeah I stumbled into this, it was super helpful. I got it working and posted back
With my commands.

[tpm2] Re: QUEMU and TPM2 device emulation

[Roberts, William C]

[-- Attachment #1: Type: text/plain, Size: 2203 bytes --]



> -----Original Message-----
> From: Serge E. Hallyn <serge(a)hallyn.com>
> Sent: Wednesday, October 14, 2020 10:58 AM
> To: Roberts, William C <william.c.roberts(a)intel.com>
> Cc: tpm2(a)lists.01.org; ryaharpe(a)cisco.com; scmoser(a)cisco.com; linux-
> integrity(a)vger.kernel.org
> Subject: Re: QUEMU and TPM2 device emulation
> 
> On Wed, Oct 14, 2020 at 03:27:53PM +0000, Roberts, William C wrote:
> > Has anyone ever setup a QUEMU instance with a virtualized TPM? I need
> > to try and replicate an issue with the in-kernel Resource manager. My goal is to
> use the integrated QUEMU support To bring up an emulated TPM device and it's
> associated RM node @ /dev/tpmrm0.
> >
> > I am looking at:
> > https://android.googlesource.com/platform/external/qemu/+/emu-master-d
> > ev/docs/specs/tpm.txt
> >
> > Which shows this command:
> >
> > qemu-system-x86_64 -display sdl -enable-kvm \
> >   -m 1024 -boot d -bios bios-256k.bin -boot menu=on \
> >   -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \
> >   -tpmdev emulator,id=tpm0,chardev=chrtpm \
> >   -device tpm-tis,tpmdev=tpm0 test.img
> >
> > <snip>
> > #> dmesg | grep -i tpm
> > [    0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1)
> >
> > I have a few questions around this that I cannot seem to dig up any
> documentation on:
> > 1. How to specify TPM2.0 device? The project
> https://github.com/stefanberger/swtpm/wiki seems to indicate it would be
> supported.
> >
> > 2. Does anyone know the minimum QUEMU version for this support? I
> > looked in the CHANGELOG here, https://wiki.qemu.org/ChangeLog from
> version 2.8 to 5.2 and never saw anything Call out TPM 2.0 specifically.
> 
> 2.11 should suffice.
> 
> > 3. Does anyone have or know of better documentation to set this up? If their
> isn't better documentation, should we (read I) create it? This seems like a pretty
> handy feature.
> 
> I'm not sure how relevant this is any more, but I did this about two years ago and
> documented it at https://s3hh.wordpress.com/2018/06/03/tpm-2-0-in-qemu/

Thanks, yeah I stumbled into this, it was super helpful. I got it working and posted back
With my commands.

Re: QUEMU and TPM2 device emulation

[James Bottomley]

On Wed, 2020-10-14 at 15:27 +0000, Roberts, William C wrote:
> Has anyone ever setup a QUEMU instance with a virtualized TPM? I need
> to try and replicate an issue with the in-kernel Resource manager. My
> goal is to use the integrated QUEMU support
> To bring up an emulated TPM device and it's associated RM node @
> /dev/tpmrm0.
> 
> I am looking at:
> https://android.googlesource.com/platform/external/qemu/+/emu-master-dev/docs/specs/tpm.txt
> 
> Which shows this command:
> 
> qemu-system-x86_64 -display sdl -enable-kvm \
>   -m 1024 -boot d -bios bios-256k.bin -boot menu=on \
>   -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \
>   -tpmdev emulator,id=tpm0,chardev=chrtpm \
>   -device tpm-tis,tpmdev=tpm0 test.img
> 
> <snip>
> #> dmesg | grep -i tpm
> [    0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1)
> 
> I have a few questions around this that I cannot seem to dig up any
> documentation on:
> 1. How to specify TPM2.0 device? The project 
> https://github.com/stefanberger/swtpm/wiki seems to indicate it would
> be supported.

All QEMU is doing is passing through a socket to something as a TPM. 
Either TPM 1.2 or 2.0 could be on the end of that socket, so what
really matters is what's at the other end of /tmp/mytpm1/swtpm-sock. 
If you change that to be TPM 2.0 then QEMU will see it.

James

RE: QUEMU and TPM2 device emulation

[Roberts, William C]

> -----Original Message-----
> From: James Bottomley <James.Bottomley@HansenPartnership.com>
> Sent: Wednesday, October 14, 2020 11:32 AM
> To: Roberts, William C <william.c.roberts@intel.com>; tpm2@lists.01.org; linux-
> integrity@vger.kernel.org
> Subject: Re: QUEMU and TPM2 device emulation
> 
> On Wed, 2020-10-14 at 15:27 +0000, Roberts, William C wrote:
> > Has anyone ever setup a QUEMU instance with a virtualized TPM? I need
> > to try and replicate an issue with the in-kernel Resource manager. My
> > goal is to use the integrated QUEMU support To bring up an emulated
> > TPM device and it's associated RM node @ /dev/tpmrm0.
> >
> > I am looking at:
> > https://android.googlesource.com/platform/external/qemu/+/emu-master-d
> > ev/docs/specs/tpm.txt
> >
> > Which shows this command:
> >
> > qemu-system-x86_64 -display sdl -enable-kvm \
> >   -m 1024 -boot d -bios bios-256k.bin -boot menu=on \
> >   -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \
> >   -tpmdev emulator,id=tpm0,chardev=chrtpm \
> >   -device tpm-tis,tpmdev=tpm0 test.img
> >
> > <snip>
> > #> dmesg | grep -i tpm
> > [    0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1)
> >
> > I have a few questions around this that I cannot seem to dig up any
> > documentation on:
> > 1. How to specify TPM2.0 device? The project
> > https://github.com/stefanberger/swtpm/wiki seems to indicate it would
> > be supported.
> 
> All QEMU is doing is passing through a socket to something as a TPM.
> Either TPM 1.2 or 2.0 could be on the end of that socket, so what really matters is
> what's at the other end of /tmp/mytpm1/swtpm-sock.
> If you change that to be TPM 2.0 then QEMU will see it.

Thanks James, once I started fiddling with it, it started to make sense. You need to start the swtpm component
with the option --tpm2, then pass through everything else in qemu the same way, as you point out.

Ill post my commands for anyone else who may stumble into this on their quest:

## Start TPM Emulator

Note that one needs the --tpm2 option to start a TPM2.0 emulator.

mkdir /tmp/mytpm1
swtpm socket --tpmstate dir=/tmp/mytpm1 --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock --log level=20 --tpm2

## Boot the VM
qemu-system-x86_64 -hda ~/qemu-images/ubuntu-20.04-amd64.img -boot d -m 2048 -enable-kvm -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0

[tpm2] Re: QUEMU and TPM2 device emulation

[Roberts, William C]

[-- Attachment #1: Type: text/plain, Size: 2487 bytes --]



> -----Original Message-----
> From: James Bottomley <James.Bottomley(a)HansenPartnership.com>
> Sent: Wednesday, October 14, 2020 11:32 AM
> To: Roberts, William C <william.c.roberts(a)intel.com>; tpm2(a)lists.01.org; linux-
> integrity(a)vger.kernel.org
> Subject: Re: QUEMU and TPM2 device emulation
> 
> On Wed, 2020-10-14 at 15:27 +0000, Roberts, William C wrote:
> > Has anyone ever setup a QUEMU instance with a virtualized TPM? I need
> > to try and replicate an issue with the in-kernel Resource manager. My
> > goal is to use the integrated QUEMU support To bring up an emulated
> > TPM device and it's associated RM node @ /dev/tpmrm0.
> >
> > I am looking at:
> > https://android.googlesource.com/platform/external/qemu/+/emu-master-d
> > ev/docs/specs/tpm.txt
> >
> > Which shows this command:
> >
> > qemu-system-x86_64 -display sdl -enable-kvm \
> >   -m 1024 -boot d -bios bios-256k.bin -boot menu=on \
> >   -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \
> >   -tpmdev emulator,id=tpm0,chardev=chrtpm \
> >   -device tpm-tis,tpmdev=tpm0 test.img
> >
> > <snip>
> > #> dmesg | grep -i tpm
> > [    0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1)
> >
> > I have a few questions around this that I cannot seem to dig up any
> > documentation on:
> > 1. How to specify TPM2.0 device? The project
> > https://github.com/stefanberger/swtpm/wiki seems to indicate it would
> > be supported.
> 
> All QEMU is doing is passing through a socket to something as a TPM.
> Either TPM 1.2 or 2.0 could be on the end of that socket, so what really matters is
> what's at the other end of /tmp/mytpm1/swtpm-sock.
> If you change that to be TPM 2.0 then QEMU will see it.

Thanks James, once I started fiddling with it, it started to make sense. You need to start the swtpm component
with the option --tpm2, then pass through everything else in qemu the same way, as you point out.

Ill post my commands for anyone else who may stumble into this on their quest:

## Start TPM Emulator

Note that one needs the --tpm2 option to start a TPM2.0 emulator.

mkdir /tmp/mytpm1
swtpm socket --tpmstate dir=/tmp/mytpm1 --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock --log level=20 --tpm2

## Boot the VM
qemu-system-x86_64 -hda ~/qemu-images/ubuntu-20.04-amd64.img -boot d -m 2048 -enable-kvm -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0