From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:33253)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <stefanb@linux.vnet.ibm.com>) id 1T77RA-00080t-LN
	for qemu-devel@nongnu.org; Thu, 30 Aug 2012 12:17:48 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <stefanb@linux.vnet.ibm.com>) id 1T77R6-0004ut-E2
	for qemu-devel@nongnu.org; Thu, 30 Aug 2012 12:17:44 -0400
Received: from e8.ny.us.ibm.com ([32.97.182.138]:58706)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <stefanb@linux.vnet.ibm.com>) id 1T77R6-0004uk-9i
	for qemu-devel@nongnu.org; Thu, 30 Aug 2012 12:17:40 -0400
Received: from /spool/local
	by e8.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only!
	Violators will be prosecuted
	for <qemu-devel@nongnu.org> from <stefanb@linux.vnet.ibm.com>;
	Thu, 30 Aug 2012 12:17:38 -0400
Received: from d01relay04.pok.ibm.com (d01relay04.pok.ibm.com [9.56.227.236])
	by d01dlp03.pok.ibm.com (Postfix) with ESMTP id 9A545C90044
	for <qemu-devel@nongnu.org>; Thu, 30 Aug 2012 12:17:33 -0400 (EDT)
Received: from d03av04.boulder.ibm.com (d03av04.boulder.ibm.com [9.17.195.170])
	by d01relay04.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id
	q7UGHWAk107694
	for <qemu-devel@nongnu.org>; Thu, 30 Aug 2012 12:17:32 -0400
Received: from d03av04.boulder.ibm.com (loopback [127.0.0.1])
	by d03av04.boulder.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP
	id q7UGHRlv010091
	for <qemu-devel@nongnu.org>; Thu, 30 Aug 2012 10:17:27 -0600
Received: from [9.2.141.150] (k-d941e-10.watson.ibm.com [9.2.141.150])
	by d03av04.boulder.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id
	q7UGHQu4010010
	for <qemu-devel@nongnu.org>; Thu, 30 Aug 2012 10:17:26 -0600
Message-ID: <503F9215.6090106@linux.vnet.ibm.com>
Date: Thu, 30 Aug 2012 12:17:25 -0400
From: Stefan Berger <stefanb@linux.vnet.ibm.com>
MIME-Version: 1.0
References: <50336381.8040009@scytl.com> <50368D0B.7060402@linux.vnet.ibm.com>
	<503E11AA.2010709@linux.vnet.ibm.com> <503F76F6.2030801@scytl.com>
	<503F7DD3.5080602@linux.vnet.ibm.com> <503F897F.4000306@scytl.com>
In-Reply-To: <503F897F.4000306@scytl.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [Qemu-devel] Is is possible to virtualise or share the TPM?
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org

On 08/30/2012 11:40 AM, Jordi Cucurull Juan wrote:
> Do you refer to the patches that add TPM support to the SeaBIOS?

Sorry for the confusion. What I meant is that the patches adding support 
for a private vTPM for each QEMU VM are 'behind' those adding support 
for the passthrough device model. There are SeaBIOS patches as well 
adding support for TPM, but those are different.

> If this is the case, this is just a completely virtual TPM without any 
> link with the TPM of the physical machine, right?

The SeaBIOS patches don't do that. They just add TPM BIOS support for 
TPM initialization, ACPI tables etc.
To add a completely virtual TPM to QEMU a completely different device 
model is necessary than the one I have recently posted.

    Stefan

>
> Jordi.
>
>
> On 08/30/2012 04:50 PM, Stefan Berger wrote:
>> On 08/30/2012 10:21 AM, Jordi Cucurull Juan wrote:
>>> Dear Stefan,
>>>
>>> What does it mean that the patches with the VTPM functionality exist 
>>> but they are behind the regular ones? Does it mean that they are not 
>>> currently updated? That they have less priority?
>>
>> It means that in my patch queue they are 'behind' the ones I posted 
>> over the last few months.
>>
>>   Stefan
>>
>>
>>>
>>> Best regards,
>>> Jordi.
>>>
>>>
>>>
>>> On 08/29/2012 02:57 PM, Stefan Berger wrote:
>>>> On 08/23/2012 04:05 PM, Corey Bryant wrote:
>>>>>
>>>>>
>>>>> On 08/21/2012 06:31 AM, Jordi Cucurull Juan wrote:
>>>>>> Dear all,
>>>>>>
>>>>>> After applying the TPM patches to QEMU, I was wondering if it is
>>>>>> possible to simultaneously use the TPM in more than one virtual 
>>>>>> machine,
>>>>>> i.e. virtualisation of the TPM.
>>>>>>
>>>>>> According to the paper "Stefan Berger, Ramón Cáceres, Kenneth A.
>>>>>> Goldman, Ronald Perez, Reiner Sailer, Leendert van Doorn. vTPM:
>>>>>> Virtualizing the Trusted Platform Module" this seems to be 
>>>>>> possible in
>>>>>> Xen. Is not possible in QEMU?
>>>>>>
>>>>>> Thanks!
>>>>>> Jordi.
>>>>>>
>>>>>>
>>>>>
>>>>> I don't think the pass-through driver supports use by multiple 
>>>>> VMs. Stefan Berger should be able to answer better so I'm adding 
>>>>> him to the thread.
>>>>>
>>>>
>>>> The pass-through driver cannot provide access for multiple VMs to 
>>>> the single hardware TPM on the host. The usage model and the 
>>>> statefulness of the TPM (SRK password, owner password, keys) 
>>>> basically prevent/complicate this. The implementation for Xen was 
>>>> indep. of the Qemu code base today and there we used a software 
>>>> implementation of the TPM that provided a private TPm instance to 
>>>> each VM. I have patches for this for Qemu but due to an IRC chat in 
>>>> Sept. 2011 they are 'behind' the pass-through driver patches.
>>>>
>>>>    Stefan
>>>>
>>>
>>>
>>
>>
>>
>
>
>