Hello!
I added support for the TPM to SeaBIOS and have parts of the BIOS functionality successfully running on a Chromebook Acer C720 (as example hardware). Here are some findings on the Acer:
The TPM is successfully detected but sending TPM_Startup(ST_Clear) to the TPM fails since either coreboot or some other firmware seems to already have initialized the TPM, which is fine, and also extended PCR 0 with at least one hash. Ideally there would be a TCPA ACPI table containing information about what was logged, since otherwise the state of the PCR seems not that useful. SeaBIOS's TPM extensions could then also use this TCPA table and add its own logs into it along with extending PCRs in the TPM. So, in this case the TPM SeaBIOS extensions don't log anything and adding additional ACPI tables to the existing coreboot tables seems 'impractical'. I was wondering if coreboot could add such a table if a TPM was found to be present?
The latest set of TPM patches can be found here:
http://www.seabios.org/pipermail/seabios/2014-July/008178.html
Regards, Stefan
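The point above, that an extended PCR 0 without a matching event log is of little use, is easiest to see by replaying a log: only the log lets a verifier explain the PCR value. As an added example (not code from SeaBIOS, coreboot or this thread), the Python below parses a TCG 1.2-style client log, the kind of log area a TCPA ACPI table points to (assumed layout: u32 pcrIndex, u32 eventType, 20-byte SHA-1 digest, u32 eventSize, event data), replays the extends and checks reported PCR values against it; the sample entries and the event-type number are constructed.

```python
import hashlib
import struct

PCR_COUNT = 24
# Entry layout assumed here (TCG 1.2 client log, little-endian): u32 pcrIndex,
# u32 eventType, 20-byte SHA-1 digest, u32 eventSize, then eventSize data bytes.
ENTRY_HDR = struct.Struct("<II20sI")

def build_event(pcr_index, event_type, data):
    """Serialise one log entry; the digest is SHA-1 over the event data."""
    return ENTRY_HDR.pack(pcr_index, event_type, hashlib.sha1(data).digest(), len(data)) + data

def parse_log(blob):
    """Walk the log area and return (pcr, event_type, digest, data) tuples.
    Truncated entries and out-of-range PCR indices are errors, not skipped."""
    events, off = [], 0
    while off + ENTRY_HDR.size <= len(blob):
        pcr, etype, digest, size = ENTRY_HDR.unpack_from(blob, off)
        off += ENTRY_HDR.size
        if off + size > len(blob):
            raise ValueError("truncated event at offset %d" % (off - ENTRY_HDR.size))
        if pcr >= PCR_COUNT:
            raise ValueError("PCR index %d out of range" % pcr)
        events.append((pcr, etype, digest, blob[off:off + size]))
        off += size
    if off != len(blob):
        raise ValueError("trailing bytes after last complete event")
    return events

def replay(events):
    """Recompute PCRs from the all-zero reset state: PCR = SHA1(PCR || digest)."""
    pcrs = [bytes(20)] * PCR_COUNT
    for pcr, _etype, digest, _data in events:
        pcrs[pcr] = hashlib.sha1(pcrs[pcr] + digest).digest()
    return pcrs

def check_pcrs(blob, reported):
    """Map each reported PCR index to whether the log explains its value."""
    expected = replay(parse_log(blob))
    return {idx: expected[idx] == value for idx, value in reported.items()}

# Constructed sample: two pre-SeaBIOS extends of PCR 0 and one of PCR 2.
# Event type 0x1 is a placeholder value, not one taken from the thread.
SAMPLE_LOG = b"".join([
    build_event(0, 0x1, b"constructed: coreboot romstage"),
    build_event(0, 0x1, b"constructed: coreboot ramstage"),
    build_event(2, 0x1, b"constructed: option ROM"),
])
```

With an empty log and a non-zero PCR 0, `check_pcrs` reports the PCR as unexplained, which is exactly the situation described on the C720.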
* Stefan Berger <stefanb@linux.vnet.ibm.com> [140714 12:14]:
> The TPM is successfully detected but sending TPM_Startup(ST_Clear) to the TPM fails since either coreboot or some other firmware seems to already have initialized the TPM, which is fine, and also extended PCR 0 with at least one hash. Ideally there would be a TCPA ACPI table containing information about what was logged, since otherwise the state of the PCR seems not that useful. SeaBIOS's TPM extensions could then also use this TCPA table and add its own logs into it along with extending PCRs in the TPM. So, in this case the TPM SeaBIOS extensions don't log anything and adding additional ACPI tables to the existing coreboot tables seems 'impractical'. I was wondering if coreboot could add such a table if a TPM was found to be present?
Sure that would be great. Someone looked into this in 2008 but I don't think progress ever hit our tree..
http://www.coreboot.org/pipermail/coreboot/2008-November/042406.html
Patches would be very welcome!
Stefan
On 07/15/2014 03:37 PM, Stefan Reinauer wrote:
> Sure that would be great. Someone looked into this in 2008 but I don't think progress ever hit our tree..
> http://www.coreboot.org/pipermail/coreboot/2008-November/042406.html
> Patches would be very welcome!
Seems like a hint ... Do you have instructions for how to build coreboot for the Acer and write it into the existing coreboot image? I assume a similar process would be needed as for the updating of SeaBIOS -- Kevin posted a script that I think he wrote was based on info you gave him. Is messing up coreboot a way to brick that device?
Stefan
On 07/16/2014 02:54 PM, Stefan Berger wrote:
> Seems like a hint ... Do you have instructions for how to build coreboot for the Acer and write it into the existing coreboot image? I assume a similar process would be needed as for the updating of SeaBIOS -- Kevin posted a script that I think he wrote was based on info you gave him. Is messing up coreboot a way to brick that device?
FYI: This here is the spec for the TCPA table:
http://www.trustedcomputinggroup.org/files/temp/6453AF78-1D09-3519-AD7402842...
Stefan
Hello
Did anyone try to use the TPM on the X60? There's a TPM chip, but I can't make it work (cf. http://www.grounation.org/?post/2008/07/04/8-how-to-use-a-tpm-with-linux)
On Tue, Jul 15, 2014 at 3:37 PM, Stefan Reinauer <stefan.reinauer@coreboot.org> wrote:
> Sure that would be great. Someone looked into this in 2008 but I don't think progress ever hit our tree..
> http://www.coreboot.org/pipermail/coreboot/2008-November/042406.html
> Patches would be very welcome!
> Stefan
-- coreboot mailing list: coreboot@coreboot.org http://www.coreboot.org/mailman/listinfo/coreboot