Re: [RFC v2 7/7] hw/tpm: Increase TPM TIS max buffer size to 8192

[Stefan Berger <stefanb@linux.ibm.com>]

On 4/1/26 9:43 AM, Stefan Berger wrote:
> 
> 
> On 4/1/26 1:44 AM, Arun Menon wrote:
>> Hi Stefan,
>>
>> Thank you for looking into this and providing with the additional
>> patches to handle TIS interface.
>>
>> On Tue, Mar 31, 2026 at 03:31:43PM -0400, Stefan Berger wrote:
>>>
>>>
>>> On 3/20/26 2:57 PM, Stefan Berger wrote:
>>>>
>>>>
>>>> On 3/19/26 9:53 AM, Arun Menon wrote:
>>>>> - Double the size from 4096 to 8192 so that we can have bigger buffer
>>>>>     enabling support for PQC algorithms in the TPM TIS interface.
>>>>> - v185 of TCG TPM rolls out PQC algorithm support. [1]
>>>>>
>>>>> [1] section 46 https://members.trustedcomputinggroup.org/wg/TCG/
>>>>> document/previewpdf/45151
>>>>>
>>>>> Signed-off-by: Arun Menon <armenon@redhat.com>
>>>>> ---
>>>>>    hw/tpm/tpm_tis.h | 2 +-
>>>>>    1 file changed, 1 insertion(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/hw/tpm/tpm_tis.h b/hw/tpm/tpm_tis.h
>>>>> index 184632ff66..0df35d5a54 100644
>>>>> --- a/hw/tpm/tpm_tis.h
>>>>> +++ b/hw/tpm/tpm_tis.h
>>>>> @@ -33,7 +33,7 @@
>>>>>    #define TPM_TIS_IS_VALID_LOCTY(x)   ((x) < TPM_TIS_NUM_LOCALITIES)
>>>>> -#define TPM_TIS_BUFFER_MAX          4096
>>>>> +#define TPM_TIS_BUFFER_MAX          8192
>>>>
>>>> Unfortunately TIS uses a fixed-size buffer that would now become 
>>>> bigger:
>>>>
>>>> typedef struct TPMState {
>>>>       MemoryRegion mmio;
>>>>
>>>>       unsigned char buffer[TPM_TIS_BUFFER_MAX];  <-- now 8192; 
>>>> before 4096
>>>>
>>>>
>>>> static const VMStateDescription vmstate_tpm_tis_isa = {
>>>>       .name = "tpm-tis",
>>>>       .version_id = 0,
>>>>       .pre_save  = tpm_tis_pre_save_isa,
>>>>       .fields = (const VMStateField[]) {
>>>>           VMSTATE_BUFFER(state.buffer, TPMStateISA),    <-- now 8192;
>>>> before 4096
>>>
>>> This will have to become VMSTATE_PARTIAL_BUFFER and the rest is saved 
>>> with
>>> VMSTATE_BUFFER_START_MIDDLE if necessary.
>>>
>>>>           VMSTATE_UINT16(state.rw_offset, TPMStateISA),
>>>>
>>>> Problem would be if an older version of the TIS (with size 4096) then
>>>> receives this 8192 buffer, we would (probably) get a buffer overflow.
>>>
>>> I created 2 more patches for the TIS. It's now also in my branch here:
>>>
>>> https://github.com/stefanberger/qemu-tpm/commits/crb-chunking/
>>
>> Looks good to me.
>>
>>>
>>> Both TIS and CRB can now transfer >4096 bytes packets.
>>>
>>>>
>>>>
>>>>
>>>>>    typedef enum {
>>>>>        TPM_TIS_STATE_IDLE = 0,
>>>>
>>>>
>>>
>>
>> Is it okay if I incorporate your commits, including the tests and
>> profile enabling support into my next revision of this series?
> 
> Yes, that's okay. Unfortunately the test will not work for most people 
> right now. The default-v2 profile is available via swtpm in git master 
> but it doesn't support ML-DSA since libtpms code with PQC is not public, 
> yet...

I added a 2nd search criterion for the profile content to check whether 
'ml-dsa' is supported. Fixed the style mistakes. Pushed. You can take 
them from there now.


> 
>>
>>
>>
>> Regards,
>> Arun Menon
>>
> 
>