Re: [Qemu-devel] [PATCH 0/4] tpm: Provide a software vTPM

[Corey Bryant <coreyb@linux.vnet.ibm.com>]

On 11/19/2013 02:50 PM, Anthony Liguori wrote:
> On Wed, Nov 6, 2013 at 6:38 AM, Corey Bryant <coreyb@linux.vnet.ibm.com> wrote:
>> This patch series provides support for a software Trusted Platform
>> Module (otherwise known as a vTPM).  This support is provided via a
>> new backend that works with the existing QEMU tpm-tis front end.
>
> We do device emulation within QEMU.  This is fundamentally what QEMU does.
>
> Why should we link against an external library instead of providing
> TPM emulation within QEMU itself?  What makes TPM so special here?

Because 70k+ LOC *definitely* doesn't have a chance of getting into 
QEMU, so it makes more sense to link against a library.

>
> I know the answer to these questions of course.  There isn't a good
> reason but there exists vTPM as an external tool for historical
> reasons.  I don't think that's a good justification for doing this.
> libtpms has had no review by anyone and does not have a community
> around it.  Once we link against it, we are responsible for resolving

The source is now more readily available on github and while the 
community is small, there is a community.  Besides, QEMU uses other 
libraries that have very small communities doesn't it?

> any security issue around it and fixing any bug within it.

Is this really true?  Is QEMU responsible for fixing every bug in glibc?

-- 
Regards,
Corey Bryant

>
> That's essentially asking us to merge 70k+ LOCS without any review or
> validation ahead of time.  That's an unreasonable request.
>
> Regards,
>
> Anthony Liguori
>
>> With this patch series, multiple guests can run with their own vTPM.
>> In comparison, the existing passthrough vTPM does not allow this
>> because the host TPM cannot be shared.
>>
>> Note: There is seabios code that is not yet upstream that is
>> required to run with this support.  It provides support such as
>> initialization, ACPI table updates, and menu updates.  If anyone
>> would like to run with that support, let me know and I can send you
>> a bios.bin.
>>
>> Following is a sample command line:
>>
>> qemu-img create -f qcow2 /home/qemu/images/nvram.qcow2 500K
>>
>> qemu-system-x86_64 ... \
>> -drive file=/home/qemu/images/nvram.qcow2,if=none,id=nvram0-0-0,format=qcow2 \
>> -device tpm-tis,tpmdev=tpm-tpm0,id=tpm0 \
>> -tpmdev libtpms,id=tpm-tpm0,nvram=nvram0-0-0
>>
>> Corey Bryant (4):
>>    tpm: Add TPM NVRAM implementation
>>    tpm: Share tpm_write_fatal_error_response
>>    tpm: QMP/HMP support for libtpms TPM backend
>>    tpm: Provide libtpms software TPM backend
>>
>>   configure                    |   24 ++
>>   hmp.c                        |    5 +
>>   hw/tpm/Makefile.objs         |    2 +
>>   hw/tpm/tpm_libtpms.c         |  885 ++++++++++++++++++++++++++++++++++++++++++
>>   hw/tpm/tpm_nvram.c           |  340 ++++++++++++++++
>>   hw/tpm/tpm_nvram.h           |   25 ++
>>   hw/tpm/tpm_passthrough.c     |   14 -
>>   hw/tpm/tpm_tis.h             |    1 +
>>   include/sysemu/tpm_backend.h |    3 +
>>   qapi-schema.json             |   18 +-
>>   qemu-options.hx              |   31 ++-
>>   tpm.c                        |   28 ++-
>>   12 files changed, 1357 insertions(+), 19 deletions(-)
>>   create mode 100644 hw/tpm/tpm_libtpms.c
>>   create mode 100644 hw/tpm/tpm_nvram.c
>>   create mode 100644 hw/tpm/tpm_nvram.h
>>
>>
>
>