From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:53452) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Z7Nz4-0004ep-8V for qemu-devel@nongnu.org; Tue, 23 Jun 2015 09:11:27 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Z7Nyz-0005ui-L5 for qemu-devel@nongnu.org; Tue, 23 Jun 2015 09:11:26 -0400 Received: from mx1.redhat.com ([209.132.183.28]:58179) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Z7Nyz-0005ua-Cs for qemu-devel@nongnu.org; Tue, 23 Jun 2015 09:11:21 -0400 Date: Tue, 23 Jun 2015 15:11:18 +0200 From: "Michael S. Tsirkin" Message-ID: <20150623131118.GA12341@redhat.com> References: <1433762257-1752411-1-git-send-email-stefanb@linux.vnet.ibm.com> <20150623052613.GA7860@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Subject: Re: [Qemu-devel] [PATCH v4 0/4] Extend TPM support with a QEMU-external TPM List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Stefan Berger Cc: qemu-devel@nongnu.org, quan.xu@intel.com, Stefan Berger On Tue, Jun 23, 2015 at 08:07:16AM -0400, Stefan Berger wrote: > "Michael S. Tsirkin" wrote on 06/23/2015 01:26:13 AM: > > > From: "Michael S. Tsirkin" > > To: Stefan Berger > > Cc: qemu-devel@nongnu.org, quan.xu@intel.com, Stefan Berger/Watson/IBM@IBMUS > > Date: 06/23/2015 01:26 AM > > Subject: Re: [PATCH v4 0/4] Extend TPM support with a QEMU-external TPM > > > > On Mon, Jun 08, 2015 at 07:17:33AM -0400, Stefan Berger wrote: > > > The following series of patches extends TPM support with an > > > external TPM that offers a Linux CUSE (character device in userspace) > > > interface. This TPM lets each VM access its own private vTPM. > > > The CUSE TPM supports suspend/resume and migration. Much > > > out-of-band functionality necessary to control the CUSE TPM is > > > implemented using ioctls. > > > > I was hoping this can get a wider discussion, but apparently no one > > noticed this. > > > > This needs some thought: how do we decide which ioctls we support? > > The ioctls the patches are currently using support all necessary aspects for > controlling that > external TPM following interaction with the TPM TIS emulation (tpm_tis.c) and > virtual machine migration. [Excluding support for DRTM] > > There's an ioctl that returns a bitfield of supported features. The patches use > the ioctl > to determine whether enough features are supported to for example support > migration. > A supported feature then means supporting its corresponding ioctl and > associated data structure. > > > It's easier with kernel since we know distros ship it, but > > will they do so with this tpm? We do want to reuse system components > > I haven't packaged the swtpm for Fedora (for example) yet. I wanted to delay > the tagging of version 0.1 > of swtpm until the code that's using it is in QEMU. > Yes, and it's a bit of a chicken and egg problem. Aren't there other uses besides QEMU? > > but we don't want random parts of QEMU delegated to a random > > out of tree module. > > It's hopefully not that random. There's nothing comparable out there. Just > having the TPM passthrough > isn't useful. Usefulness comes with the CUSE TPM driver and external CUSE TPM, > since this provides a > private and fully functional TPM to each QEMU VM. > > > > > Couldn't you re-use in-kernel interfaces for the CUSE module? > > The CUSE TPM uses the ioctl's for out-of-band control. The out-of-band control > happens on a different > level than what is out there in the kernel right now, since we are implementing > a layer that is > typically implemented in hardware. Otherwise I am not sure what re-use of > in-kernel interfaces you > are referring to. > I don't really know :( I was just trying to help. If you could reuse an existing interface that is already supported by some system, it would be easier. > > Then existing pass-through in QEMU would more or less just work with it - > > merely open a different chardev. > > Having implemented 10+ ioctls for out-of-band control shows a necessity for > out-of-band control. > It is not enough to support a read()/write() interface where we can send TPM > request through. > > Stefan It was just a thought. I was looking for an interface that's useful outside VM. > > > > > > > Stefan Berger (4): > > > Provide support for the CUSE TPM > > > Introduce condition to notify waiters of completed command > > > Introduce condition in TPM backend for notification > > > Add support for VM suspend/resume for TPM TIS > > > > > > hmp.c | 6 + > > > hw/tpm/tpm_int.h | 4 + > > > hw/tpm/tpm_ioctl.h | 209 ++++++++++++++++++++++ > > > hw/tpm/tpm_passthrough.c | 409 ++++++++++++++++++++++++++++++ > > +++++++++++-- > > > hw/tpm/tpm_tis.c | 151 +++++++++++++++- > > > hw/tpm/tpm_tis.h | 2 + > > > hw/tpm/tpm_util.c | 223 +++++++++++++++++++++++ > > > hw/tpm/tpm_util.h | 7 + > > > include/sysemu/tpm_backend.h | 12 ++ > > > qapi-schema.json | 18 +- > > > qemu-options.hx | 21 ++- > > > qmp-commands.hx | 2 +- > > > tpm.c | 11 +- > > > 13 files changed, 1056 insertions(+), 19 deletions(-) > > > create mode 100644 hw/tpm/tpm_ioctl.h > > > > > > -- > > > 1.9.3 > >