From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:33654)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <stefanb@linux.vnet.ibm.com>) id 1T77SH-0000MQ-FK
	for qemu-devel@nongnu.org; Thu, 30 Aug 2012 12:18:57 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <stefanb@linux.vnet.ibm.com>) id 1T77SF-00058l-Se
	for qemu-devel@nongnu.org; Thu, 30 Aug 2012 12:18:53 -0400
Received: from e37.co.us.ibm.com ([32.97.110.158]:41178)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <stefanb@linux.vnet.ibm.com>) id 1T77SF-00058c-Lr
	for qemu-devel@nongnu.org; Thu, 30 Aug 2012 12:18:51 -0400
Received: from /spool/local
	by e37.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only!
	Violators will be prosecuted
	for <qemu-devel@nongnu.org> from <stefanb@linux.vnet.ibm.com>;
	Thu, 30 Aug 2012 10:18:50 -0600
Received: from d03relay03.boulder.ibm.com (d03relay03.boulder.ibm.com
	[9.17.195.228])
	by d03dlp01.boulder.ibm.com (Postfix) with ESMTP id 7E236C40004
	for <qemu-devel@nongnu.org>; Thu, 30 Aug 2012 10:18:12 -0600 (MDT)
Received: from d03av04.boulder.ibm.com (d03av04.boulder.ibm.com [9.17.195.170])
	by d03relay03.boulder.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id
	q7UGICEo080572
	for <qemu-devel@nongnu.org>; Thu, 30 Aug 2012 10:18:12 -0600
Received: from d03av04.boulder.ibm.com (loopback [127.0.0.1])
	by d03av04.boulder.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP
	id q7UGI81b015480
	for <qemu-devel@nongnu.org>; Thu, 30 Aug 2012 10:18:08 -0600
Message-ID: <503F923E.80604@linux.vnet.ibm.com>
Date: Thu, 30 Aug 2012 12:18:06 -0400
From: Stefan Berger <stefanb@linux.vnet.ibm.com>
MIME-Version: 1.0
References: <50336381.8040009@scytl.com> <50368D0B.7060402@linux.vnet.ibm.com>
	<503E11AA.2010709@linux.vnet.ibm.com> <503F76F6.2030801@scytl.com>
	<503F7DD3.5080602@linux.vnet.ibm.com> <503F897F.4000306@scytl.com>
In-Reply-To: <503F897F.4000306@scytl.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [Qemu-devel] Is is possible to virtualise or share the TPM?
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Jordi Cucurull Juan <jordi.cucurull@scytl.com>
Cc: yoder1@us.ibm.com, Corey Bryant <coreyb@linux.vnet.ibm.com>, qemu-devel <qemu-devel@nongnu.org>

On 08/30/2012 11:40 AM, Jordi Cucurull Juan wrote:
> Do you refer to the patches that add TPM support to the SeaBIOS?

Sorry for the confusion. What I meant is that the patches adding support 
for a private vTPM for each QEMU VM are 'behind' those adding support 
for the passthrough device model. There are SeaBIOS patches as well 
adding support for TPM, but those are different.

>
> If this is the case, this is just a completely virtual TPM without any 
> link with the TPM of the physical machine, right?
>
The SeaBIOS patches don't do that. They just add TPM BIOS support for 
TPM initialization, ACPI tables etc.
To add a completely virtual TPM to QEMU a completely different device 
model is necessary than the one I have recently posted.

    Stefan

> Jordi.
>
>
> On 08/30/2012 04:50 PM, Stefan Berger wrote:
>> On 08/30/2012 10:21 AM, Jordi Cucurull Juan wrote:
>>> Dear Stefan,
>>>
>>> What does it mean that the patches with the VTPM functionality exist 
>>> but they are behind the regular ones? Does it mean that they are not 
>>> currently updated? That they have less priority?
>>
>> It means that in my patch queue they are 'behind' the ones I posted 
>> over the last few months.
>>
>>   Stefan
>>
>>
>>>
>>> Best regards,
>>> Jordi.
>>>
>>>
>>>
>>> On 08/29/2012 02:57 PM, Stefan Berger wrote:
>>>> On 08/23/2012 04:05 PM, Corey Bryant wrote:
>>>>>
>>>>>
>>>>> On 08/21/2012 06:31 AM, Jordi Cucurull Juan wrote:
>>>>>> Dear all,
>>>>>>
>>>>>> After applying the TPM patches to QEMU, I was wondering if it is
>>>>>> possible to simultaneously use the TPM in more than one virtual 
>>>>>> machine,
>>>>>> i.e. virtualisation of the TPM.
>>>>>>
>>>>>> According to the paper "Stefan Berger, Ramón Cáceres, Kenneth A.
>>>>>> Goldman, Ronald Perez, Reiner Sailer, Leendert van Doorn. vTPM:
>>>>>> Virtualizing the Trusted Platform Module" this seems to be 
>>>>>> possible in
>>>>>> Xen. Is not possible in QEMU?
>>>>>>
>>>>>> Thanks!
>>>>>> Jordi.
>>>>>>
>>>>>>
>>>>>
>>>>> I don't think the pass-through driver supports use by multiple 
>>>>> VMs. Stefan Berger should be able to answer better so I'm adding 
>>>>> him to the thread.
>>>>>
>>>>
>>>> The pass-through driver cannot provide access for multiple VMs to 
>>>> the single hardware TPM on the host. The usage model and the 
>>>> statefulness of the TPM (SRK password, owner password, keys) 
>>>> basically prevent/complicate this. The implementation for Xen was 
>>>> indep. of the Qemu code base today and there we used a software 
>>>> implementation of the TPM that provided a private TPm instance to 
>>>> each VM. I have patches for this for Qemu but due to an IRC chat in 
>>>> Sept. 2011 they are 'behind' the pass-through driver patches.
>>>>
>>>>    Stefan
>>>>
>>>
>>>
>>
>>
>>
>
>
>