Message-ID: <552FC1AF.4030208@linux.vnet.ibm.com>
Date: Thu, 16 Apr 2015 10:05:35 -0400
From: Stefan Berger
References: <1429137528-1069064-1-git-send-email-stefanb@linux.vnet.ibm.com> <20150416153506.3260becd@nial.brq.redhat.com>
In-Reply-To: <20150416153506.3260becd@nial.brq.redhat.com>
Subject: Re: [Qemu-devel] [PATCH 0/5] Extend TPM support with a QEMU-external TPM
To: Igor Mammedov
Cc: safford@watson.ibm.com, Kevin O'Connor ,
qemu-devel@nongnu.org, quan.xu@intel.com, mst@redhat.com

On 04/16/2015 09:35 AM, Igor Mammedov wrote:
> On Wed, 15 Apr 2015 18:38:43 -0400
> Stefan Berger wrote:
>
>> The following series of patches extends TPM support with an
>> external TPM that offers a Linux CUSE (character device in userspace)
>> interface. This TPM lets each VM access its own private vTPM.
>> The CUSE TPM supports suspend/resume and migration. Much
>> out-of-band functionality necessary to control the CUSE TPM is
>> implemented using ioctls.
>>
>> The series extends the TPM support so far that most functionality of
>> TPM support on a physical platform is now available to each x86 VM;
>> this includes the Physical Presence Interface support that has
>> its counterpart in SeaBIOS and is implemented using ACPI.
>>
>> http://www.seabios.org/pipermail/seabios/2015-March/008978.html
> is it already merged?

No, not yet. :-(

>
> Is it possible to use MMIO region instead of allocating tpm_ppi_anchor
> and tpm_ppi in BIOS memory?

MMIO region of what? Of the TIS? The TIS doesn't have memory locations
'just to keep bytes', and they would be cleared upon machine reset / reboot.
The purpose of the PPI interface is to leave an opcode for the BIOS to act
upon after a reset. So we have to write it into memory that doesn't get
cleared upon reboot. Also, the BIOS leaves a result in memory so we can
read the result code in the OS via a sysfs entry.

I had previously tried using the NVRAM of the TPM to leave that opcode (and
result), but this doesn't work well due to the protection restrictions of
the TPM's NVRAM locations: using the Linux TSS, for example, non-root users
could then write an opcode into the NVRAM of the TPM (there are TPM commands
to write to the TPM's NVRAM locations, and tpm-tools has tools to write to
these locations) that the machine then ends up acting upon without the
admin of the machine wanting that. So that's not a choice, either.

> That would simplify BIOS part a bit and significantly simplify ACPI code
> as most of it is dealing with figuring out address of tpm_ppi.

I wish it would, but I don't see a way to make it easier. So the first time
one looks into the sysfs ppi entries [on Linux] it may take a few seconds
until the anchor is found. Subsequently the memory location is cached and
operations go a lot faster.

   Stefan

>>
>> Stefan Berger (5):
>>   Provide support for the CUSE TPM
>>   Support Physical Presence Interface Spec
>>   Introduce condition to notify waiters of completed command
>>   Introduce condition in TPM backend for notification
>>   Add support for VM suspend/resume for TPM TIS
>>
>>  hmp.c                        |   6 +
>>  hw/i386/acpi-tpm-core.dsl    | 277 +++++++++++++++++++++++++++++
>>  hw/i386/acpi-tpm2.dsl        |  27 +++
>>  hw/i386/q35-acpi-dsdt.dsl    |   1 +
>>  hw/i386/ssdt-tpm.dsl         |  12 +-
>>  hw/tpm/tpm_int.h             |   4 +
>>  hw/tpm/tpm_ioctl.h           | 178 +++++++++++++++++++
>>  hw/tpm/tpm_passthrough.c     | 410 +++++++++++++++++++++++++++++++++++++++++--
>>  hw/tpm/tpm_tis.c             | 152 +++++++++++++++-
>>  hw/tpm/tpm_tis.h             |   2 +
>>  hw/tpm/tpm_util.c            | 206 ++++++++++++++++++++++
>>  hw/tpm/tpm_util.h            |   7 +
>>  include/sysemu/tpm_backend.h |  12 ++
>>  qapi-schema.json             |  17 +-
>>  qemu-options.hx              |  21 ++-
>>  qmp-commands.hx              |   2 +-
>>  tpm.c                        |  11 +-
>>  17 files changed, 1316 insertions(+), 29 deletions(-)
>>  create mode 100644 hw/i386/acpi-tpm-core.dsl
>>  create mode 100644 hw/i386/acpi-tpm2.dsl
>>  create mode 100644 hw/tpm/tpm_ioctl.h
>>
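The request / reset / response cycle Stefan describes above, written out as a small simulation. This is an added example, not code from the patch series, SeaBIOS or QEMU. It models three stores: the TIS register space (volatile, zeroed on every reset), a PPI anchor in reserved RAM (survives reset and is what the OS writes and the BIOS reads), and the TPM state the firmware changes. The anchor layout (three little-endian u32 fields), the operation numbers (modelled on the TCG PPI 1.2 table, where 5 is Clear and 14 is Enable+Activate+Clear) and the response codes (0 success, 1..0xFFF a TPM error, 0xFFFFFFF0 user abort) are assumptions made for this example; the real patch's layout is not shown on this page. The `user_confirms` callback stands in for the physical-presence prompt the BIOS shows before a destructive operation.

```python
"""Simulated PPI flow: OS queues an opcode, firmware acts on it once after
reset, OS reads the result. Example code; layout and constants are assumed."""
import struct

# Operation numbers modelled on the TCG PPI 1.2 operation table (assumption).
PPI_OP_NONE = 0
PPI_OP_CLEAR = 5
PPI_OP_ENABLE_ACTIVATE_CLEAR = 14
SUPPORTED_OPS = {PPI_OP_NONE, PPI_OP_CLEAR, PPI_OP_ENABLE_ACTIVATE_CLEAR}
OPS_NEEDING_CONFIRM = {PPI_OP_CLEAR, PPI_OP_ENABLE_ACTIVATE_CLEAR}

# Response codes: 0 success, 1..0xFFF TPM error, 0xFFFFFFF0 user abort (assumption).
PPI_RESP_SUCCESS = 0
PPI_RESP_USER_ABORT = 0xFFFFFFF0

# Hypothetical anchor layout, little-endian: u32 request, u32 last_op, u32 response.
ANCHOR_FMT = "<III"
ANCHOR_SIZE = struct.calcsize(ANCHOR_FMT)
TIS_SIZE = 0x1000


class Platform:
    """One VM: volatile TIS registers, a reset-surviving anchor, TPM state."""

    def __init__(self):
        self.tis = bytearray(TIS_SIZE)         # MMIO registers, zeroed by reset()
        self.anchor = bytearray(ANCHOR_SIZE)   # reserved RAM, kept across reset()
        self.tpm_enabled = False
        self.tpm_owned = True                  # "clear" removes ownership
        self.tpm_error = 0                     # TPM error code injected for testing

    def read_anchor(self):
        return dict(zip(("request", "last_op", "response"),
                        struct.unpack_from(ANCHOR_FMT, self.anchor)))

    def write_anchor(self, **fields):
        cur = self.read_anchor()
        cur.update(fields)
        struct.pack_into(ANCHOR_FMT, self.anchor, 0,
                         cur["request"], cur["last_op"], cur["response"])


# OS side: what the kernel does behind the sysfs ppi "request" file.
def os_request(platform, opcode):
    """Queue an operation for the next boot; reject unsupported opcodes."""
    if opcode not in SUPPORTED_OPS:
        return False
    platform.write_anchor(request=opcode)
    return True


def os_read_response(platform):
    """What the sysfs ppi "response" file reports: (last executed op, result)."""
    a = platform.read_anchor()
    return a["last_op"], a["response"]


# Firmware side: runs once on every reset, before the OS.
def firmware_boot(platform, user_confirms):
    """Act on a pending request, record the result and clear the request
    so the operation cannot re-run on the next reboot."""
    op = platform.read_anchor()["request"]
    if op == PPI_OP_NONE:
        return
    if op in OPS_NEEDING_CONFIRM and not user_confirms(op):
        result = PPI_RESP_USER_ABORT
    elif platform.tpm_error:
        result = platform.tpm_error & 0xFFF   # pass the TPM error code through
    else:
        if op in (PPI_OP_CLEAR, PPI_OP_ENABLE_ACTIVATE_CLEAR):
            platform.tpm_owned = False
        if op == PPI_OP_ENABLE_ACTIVATE_CLEAR:
            platform.tpm_enabled = True
        result = PPI_RESP_SUCCESS
    platform.write_anchor(request=PPI_OP_NONE, last_op=op, response=result)


def reset(platform, user_confirms=lambda op: True):
    """Machine reset: TIS register contents are lost, the anchor is not."""
    platform.tis = bytearray(TIS_SIZE)
    firmware_boot(platform, user_confirms)


def demo():
    """Queue a Clear, reboot, and show what survived: returns
    (TIS scratch byte, (last_op, response), pending request, tpm_owned)."""
    p = Platform()
    p.tis[0x14] = 0xA5                        # byte parked in TIS space
    os_request(p, PPI_OP_CLEAR)
    reset(p)
    return p.tis[0x14], os_read_response(p), p.read_anchor()["request"], p.tpm_owned
```

The two properties worth checking in any real implementation are visible in `reset()` and `firmware_boot()`: the byte parked in TIS space is gone after reset while the anchor is intact, and the firmware clears `request` after acting, so a queued Clear runs exactly once. The privilege boundary is the other half of the argument: on Linux the request is written through the kernel's ppi sysfs entry, which is root-writable, whereas a TPM NV index can be written by any user the TSS lets talk to the TPM, which is why the NVRAM variant was rejected in the message above.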