From: Stefan Berger <stefanb@linux.vnet.ibm.com>
To: "Xu, Quan" <quan.xu@intel.com>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
"mst@redhat.com" <mst@redhat.com>, Eric Blake <eblake@redhat.com>
Cc: Stefan Berger <stefanb@us.ibm.com>
Subject: Re: [Qemu-devel] [PATCH 2/3] tpm: Probe for connected TPM 1.2 or TPM 2
Date: Sun, 12 Apr 2015 16:59:26 -0400
Message-ID: <552ADCAE.7070600@linux.vnet.ibm.com>
In-Reply-To: <945CA011AD5F084CBEA3E851C0AB28890E8DB967@SHSMSX101.ccr.corp.intel.com>
On 04/07/2015 04:54 AM, Xu, Quan wrote:
>
>> -----Original Message-----
>> From: Stefan Berger [mailto:stefanb@linux.vnet.ibm.com]
>> Sent: Wednesday, April 01, 2015 3:40 AM
>> To: qemu-devel@nongnu.org; mst@redhat.com
>> Cc: Xu, Quan; Stefan Berger; Stefan Berger
>> Subject: [PATCH 2/3] tpm: Probe for connected TPM 1.2 or TPM 2
>>
>> In the TPM passthrough backend driver, modify the probing code so that we can
>> check whether a TPM 1.2 or TPM 2 is being used and adapt the behavior of the
>> TPM TIS accordingly.
>>
>> Move the code that tested for a TPM 1.2 into tpm_utils.c and extend it with test
>> for probing for TPM 2. Have the function return the version of TPM found.
>>
>> Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
>> ---
>> hw/tpm/Makefile.objs | 2 +-
>> hw/tpm/tpm_int.h | 6 +++
>> hw/tpm/tpm_passthrough.c | 59 +++-------------------
>> hw/tpm/tpm_util.c | 126
>> +++++++++++++++++++++++++++++++++++++++++++++++
>> hw/tpm/tpm_util.h | 28 +++++++++++
>> 5 files changed, 167 insertions(+), 54 deletions(-) create mode 100644
>> hw/tpm/tpm_util.c create mode 100644 hw/tpm/tpm_util.h
>>
>> diff --git a/hw/tpm/Makefile.objs b/hw/tpm/Makefile.objs index
>> 99f5983..64cecc3 100644
>> --- a/hw/tpm/Makefile.objs
>> +++ b/hw/tpm/Makefile.objs
>> @@ -1,2 +1,2 @@
>> common-obj-$(CONFIG_TPM_TIS) += tpm_tis.o
>> -common-obj-$(CONFIG_TPM_PASSTHROUGH) += tpm_passthrough.o
>> +common-obj-$(CONFIG_TPM_PASSTHROUGH) += tpm_passthrough.o
>> tpm_util.o
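Review bot: tpm_util.o is appended to the `common-obj-$(CONFIG_TPM_PASSTHROUGH)` line, so tpm_util.c is compiled only when the passthrough backend is configured. The cover text says the probe result is used to adapt TPM TIS behaviour; if tpm_tis.o (built under the separate `CONFIG_TPM_TIS` line above) ever references a tpm_util symbol, a build with TIS enabled but passthrough disabled would fail to link. Consider giving tpm_util.o its own line under a condition that covers every object that uses it.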
>> diff --git a/hw/tpm/tpm_int.h b/hw/tpm/tpm_int.h index 24e12ce..edab824
>> 100644
>> --- a/hw/tpm/tpm_int.h
>> +++ b/hw/tpm/tpm_int.h
>> @@ -66,4 +66,10 @@ struct tpm_resp_hdr { #define
>> TPM_ORD_ContinueSelfTest 0x53
>> #define TPM_ORD_GetTicks 0xf1
>>
>> +
>> +/* TPM2 defines */
>> +#define TPM_ST_NO_SESSIONS 0x8001
>> +
>> +#define TPM_CC_ReadClock 0x00000181
>> +
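Review bot: the `/* TPM2 defines */` comment does not say where the two values come from; a pointer to the TPM 2.0 Library specification tables for TPM_ST and TPM_CC next to `TPM_ST_NO_SESSIONS 0x8001` and `TPM_CC_ReadClock 0x00000181` would let a reviewer verify them without hunting, and with the TPM2_ prefix Xu asks for below the names also stop reading like members of the TPM 1.2 TPM_ORD_ family directly above them.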
> Could you define TPM2 macro definitions beginning with 'TPM2_*'?
Ok, will do.
[...]
> +/*
> + * Probe for the TPM device in the back
> + * Returns 0 on success with the version of the probed TPM set, 1 on failure.
> + */
> +int tpm_util_test_tpmdev(int tpm_fd, enum TPMVersion *tpm_version) {
> + /*
> + * Sending a TPM1.2 command to a TPM2 should return a TPM1.2
> + * header (tag = 0xc4) and error code (TPM_BADTAG = 0x1e)
> + *
> + * Sending a TPM2 command to a TPM 2 will give a TPM 2 tag in the
> + * header.
> + * Sending a TPM2 command to a TPM 1.2 will give a TPM 1.2 tag
> + * in the header and an error code.
> + */
> + const struct tpm_req_hdr test_req = {
> + .tag = cpu_to_be16(TPM_TAG_RQU_COMMAND),
> + .len = cpu_to_be32(sizeof(test_req)),
> + .ordinal = cpu_to_be32(TPM_ORD_GetTicks),
> + };
> +
> + const struct tpm_req_hdr test_req_tpm2 = {
> + .tag = cpu_to_be16(TPM_ST_NO_SESSIONS),
> + .len = cpu_to_be32(sizeof(test_req_tpm2)),
> + .ordinal = cpu_to_be32(TPM_CC_ReadClock),
> + };
> + uint16_t returnTag;
> + int ret;
> +
> + /* Send TPM 2 command */
> + ret = tpm_util_test(tpm_fd, (unsigned char *)&test_req_tpm2,
> + sizeof(test_req_tpm2), &returnTag);
> + /* TPM 2 would respond with a tag of TPM_ST_NO_SESSIONS */
> + if (!ret && returnTag == TPM_ST_NO_SESSIONS) {
> + *tpm_version = TPMVersion2_0;
> + return 0;
> + }
> +
> + /* Send TPM 1.2 command */
> + ret = tpm_util_test(tpm_fd, (unsigned char *)&test_req,
> + sizeof(test_req), &returnTag);
> + if (!ret && returnTag == TPM_TAG_RSP_COMMAND) {
> + *tpm_version = TPMVersion1_2;
> + /* this is a TPM 1.2 */
> + return 0;
> + }
> +
> + *tpm_version = TPMVersion_Unspec;
> +
> + return 1;
> +}
>
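Review bot: the TPM 1.2 branch at `if (!ret && returnTag == TPM_TAG_RSP_COMMAND)` checks only the response tag, while the comment at the top of the function says a TPM 2 answers a TPM 1.2 command with exactly that tag plus TPM_BADTAG. If the first (TPM 2) probe fails for a transport reason (`ret != 0`) rather than because the device is a 1.2, the second probe will then report a TPM 2 as TPMVersion1_2. Have tpm_util_test also hand back the response's return code and require it to differ from TPM_BADTAG before setting TPMVersion1_2, or return an explicit error when both probes come back with error headers. Minor: `returnTag` is camelCase in otherwise snake_case code, and "Probe for the TPM device in the back" presumably means "backend".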
> In my opinion, I prefer to point out tpm_version in QEMU command line options, then
> tpm_util_test_tpmdev() tries to verify it.
The only reason why I am not doing this was that libvirt for example
will need to probe for whether the additional parameter indicating the
TPM version is supported. Besides that I thought it should be possible
to probe on any platform and get a reliable result.
Maybe Eric has a comment. I have recently seen a discussion where an
additional parameter to an existing option was to be added, but cannot
remember which option that was.
Stefan
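The classification the patch performs (send a TPM 2 framed command, then a TPM 1.2 framed one, and decide from the response header) can be exercised without a device. The following is an added example written for this page, not code from the thread or from QEMU: the transport callback type `tpm_xfer_fn`, the helpers `probe_once`/`build_cmd`/`reply`, the `check_errcode` flag and the three `fake_*` responders are invented for illustration, and the responders behave the way the patch's own comment describes (a TPM 2 answers a 1.2 command with a 1.2 header and TPM_BADTAG). The tag, ordinal and error-code values are those quoted in the patch plus the TPM 1.2 request tag 0x00c1. The `check_errcode` flag shows why looking at the return code matters: a TPM 2 whose TPM 2 probe fails at the transport layer is otherwise reported as a TPM 1.2.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Header constants: TPM 1.2 tags/ordinal and TPM 2.0 tag/command code. */
#define TPM_TAG_RQU_COMMAND 0x00c1
#define TPM_TAG_RSP_COMMAND 0x00c4
#define TPM_BADTAG          0x1e
#define TPM_ST_NO_SESSIONS  0x8001
#define TPM_ORD_GetTicks    0xf1
#define TPM_CC_ReadClock    0x00000181

#define HDR_LEN 10 /* tag(2) + length(4) + ordinal or return code(4) */

enum TPMVersion { TPMVersion_Unspec = 0, TPMVersion1_2, TPMVersion2_0 };

/* Big-endian field helpers; TPM headers are always network byte order. */
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Build a header-only command exactly as the patch does: tag, total length, ordinal. */
static void build_cmd(uint8_t out[HDR_LEN], uint16_t tag, uint32_t ordinal)
{
    put16(out, tag); put32(out + 2, HDR_LEN); put32(out + 6, ordinal);
}

/* Hypothetical transport: 0 on success with *resp_len set to the bytes received. */
typedef int (*tpm_xfer_fn)(const uint8_t *req, size_t req_len, uint8_t *resp, size_t *resp_len);

/* One probe round trip; 0 with tag and return code decoded, nonzero on transport/framing error. */
static int probe_once(tpm_xfer_fn xfer, uint16_t tag, uint32_t ordinal, uint16_t *rtag, uint32_t *rc)
{
    uint8_t req[HDR_LEN], resp[64];
    size_t rlen = sizeof(resp);
    build_cmd(req, tag, ordinal);
    if (xfer(req, sizeof(req), resp, &rlen) != 0 || rlen < HDR_LEN) return 1;
    if (get32(resp + 2) != rlen) return 1; /* length field must match what arrived */
    *rtag = get16(resp); *rc = get32(resp + 6);
    return 0;
}

enum TPMVersion tpm_probe_version(tpm_xfer_fn xfer, int check_errcode)
{
    uint16_t rtag; uint32_t rc;
    /* TPM 2 first: only a TPM 2 answers with a TPM 2 tag. */
    if (probe_once(xfer, TPM_ST_NO_SESSIONS, TPM_CC_ReadClock, &rtag, &rc) == 0 && rtag == TPM_ST_NO_SESSIONS)
        return TPMVersion2_0;
    /* TPM 1.2 tag alone is ambiguous: a TPM 2 also answers a 1.2 command with it plus TPM_BADTAG. */
    if (probe_once(xfer, TPM_TAG_RQU_COMMAND, TPM_ORD_GetTicks, &rtag, &rc) == 0
        && rtag == TPM_TAG_RSP_COMMAND && (!check_errcode || rc != TPM_BADTAG))
        return TPMVersion1_2;
    return TPMVersion_Unspec;
}

/* Constructed responders standing in for a passthrough device. */
static int reply(uint8_t *resp, size_t *resp_len, uint16_t tag, uint32_t rc)
{
    put16(resp, tag); put32(resp + 2, HDR_LEN); put32(resp + 6, rc);
    *resp_len = HDR_LEN;
    return 0;
}

int fake_tpm12(const uint8_t *req, size_t n, uint8_t *resp, size_t *resp_len)
{
    if (n < HDR_LEN) return -1;
    /* A TPM 1.2 accepts its own tag; any other tag gets a 1.2 header with TPM_BADTAG. */
    return get16(req) == TPM_TAG_RQU_COMMAND ? reply(resp, resp_len, TPM_TAG_RSP_COMMAND, 0)
                                             : reply(resp, resp_len, TPM_TAG_RSP_COMMAND, TPM_BADTAG);
}

int fake_tpm2(const uint8_t *req, size_t n, uint8_t *resp, size_t *resp_len)
{
    if (n < HDR_LEN) return -1;
    /* TPM 2 tag for TPM 2 commands; 1.2 header plus TPM_BADTAG for 1.2 commands. */
    return get16(req) == TPM_ST_NO_SESSIONS ? reply(resp, resp_len, TPM_ST_NO_SESSIONS, 0)
                                            : reply(resp, resp_len, TPM_TAG_RSP_COMMAND, TPM_BADTAG);
}

/* Constructed failure mode: a TPM 2 behind a transport that drops TPM 2 framed commands. */
int fake_tpm2_flaky(const uint8_t *req, size_t n, uint8_t *resp, size_t *resp_len)
{
    if (n < HDR_LEN || get16(req) == TPM_ST_NO_SESSIONS) return -1;
    return reply(resp, resp_len, TPM_TAG_RSP_COMMAND, TPM_BADTAG);
}

int main(void)
{
    printf("tpm12=%d tpm2=%d flaky(tag only)=%d flaky(tag+rc)=%d\n",
           tpm_probe_version(fake_tpm12, 1), tpm_probe_version(fake_tpm2, 1),
           tpm_probe_version(fake_tpm2_flaky, 0), tpm_probe_version(fake_tpm2_flaky, 1));
    return 0;
}
```

With the return code ignored, the flaky TPM 2 is reported as version 1.2; with it checked, the probe returns TPMVersion_Unspec and the caller can fail loudly instead of driving a TPM 2 as a 1.2.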