On 03/20/2015 08:05 PM, Kevin O'Connor wrote:
> On Fri, Mar 20, 2015 at 02:00:35PM -0400, Stefan Berger wrote:
>> This is a repost of a series of patches providing TPM support to SeaBIOS.
>>
>> As an addition, this patch series now works on the Acer C720 Chromebook with limitations (S3 not getting invoked; no logging into the TCPA table).
>>
>> The patch series cleanly applies to a checkout of a1ac8861.
>>
>> The following set of patches adds TPM and Trusted Computing support to SeaBIOS. In particular the patches add:
>>
>> - a TPM driver for QEMU's TPM TIS emulation
>> - support for initialization of the TPM
>> - init of the TCPA logging table
>> - support for the TCG BIOS extensions (1ah handler [ah = 0xbb]) (used by trusted grub; http://trousers.sourceforge.net/grub.html)
>> - Static Root of Trust for Measurement (SRTM) support
>> - support for S3 resume (sends command to TPM upon resume)
>> - support for sending control messages from the OS to the BIOS and having the BIOS control certain life-cycle aspects of the TPM following those messages
>> - a TPM-specific menu for controlling aspects of the TPM
>
> Thanks for working on this, Stefan. How does this series compare with the xen patch that was recently sent (is it a prerequisite, unrelated, or a conflict)? What is the state of QEMU TPM TIS emulation?

The QEMU TPM TIS emulation is checked into QEMU. Next from my perspective is to send out patches for QEMU to access a TPM emulator that is running outside of QEMU and is accessed using a CUSE (character device in user space) interface. The plan is to post the patches once QEMU 2.4 is out.

https://github.com/stefanberger/swtpm

This one will need the BIOS support for initialization etc. of the emulated TPM.

I posted the patches now again since these patches should / have to cover TPM support for Xen, QEMU, and SeaBIOS running on plain hardware. In the latter case there are some problems with underlying coreboot or other firmware piggybacking SeaBIOS. I want to mention that, though I certainly don't want that to be a reason for these patches not to go in. :-) The underlying firmware for example has to set up all the ACPI tables in the same way as Xen and QEMU do it.

> I have some minor comments on the first five patches, but nothing major - they could probably all be addressed after inclusion.

Thank you.

> I think patches 1-2 would be good for inclusion now and should cover the Xen case well. Quan Xu should probably have a look at these and comment.
>
> I don't agree with adding a new top level menu option to SeaBIOS. Is patch six needed for the other patches to make sense? (FYI, Paolo was proposing enhancing the boot menu, and depending on the outcome of that proposal there might be a way forward for TPM control as a sub-menu to the boot menu. But I don't think the further waiting and further unknowns are a good idea unless necessary.)

The life-cycle management of the TPM requires a menu. If someone forgot the TPM password, the only way to reset it is to go through the BIOS. Then activating and enabling a deactivated and disabled TPM needs to be done in the BIOS. There's no way around this -- except the physical presence interface (PPI) patch [5/6] allows one to send those control messages from the OS (on Linux via sysfs) to the BIOS that the BIOS can react upon. It needs that anchor created via ACPI we had talked about (privately) a while ago so that the OS knows the memory area where to post that message. I can post that ACPI DSM patch. It would have to go into Xen and QEMU for PPI to work there.

Stefan

> -Kevin
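The SRTM and TCPA-log items in the series description above amount to one mechanism: for each object measured during boot, the firmware hashes it, extends a PCR with the digest, and appends a record to the TCPA log so a verifier can later replay the log and compare the result against PCR values the TPM reports. The following is an added example for this thread, not code from the SeaBIOS patches or from QEMU. It models that chain in Python with a stand-in for the TPM's PCR bank, the record layout of the TCG_PCClientPCREventStruct (pcrIndex, eventType, a 20-byte SHA-1 digest, eventDataSize, event data) from the TCG PC Client specification for conventional BIOS, and constructed event data; the boot sequence it measures is a made-up one.

```python
"""Toy model of SRTM measurement and the TCPA (TPM 1.2 / SHA-1) event log.

Added example; not SeaBIOS code. The TPM object is a stand-in for the chip,
and the measured objects (firmware version string, boot sector) are constructed.
"""
import hashlib
import struct

SHA1_LEN = 20
NUM_PCRS = 24
# TCG_PCClientPCREventStruct header, little-endian as laid out in memory.
EVENT_HDR = struct.Struct("<II20sI")   # pcrIndex, eventType, digest, eventDataSize

# Event type values from the TCG PC Client spec (subset used here).
EV_SEPARATOR = 4
EV_S_CRTM_VERSION = 8
EV_IPL = 13


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


class TpmPcrBank:
    """Stand-in for a TPM 1.2's PCRs: zero at reset, changeable only by extend."""

    def __init__(self):
        self.pcrs = [bytes(SHA1_LEN)] * NUM_PCRS

    def extend(self, index: int, digest: bytes) -> bytes:
        # TPM_Extend semantics: PCR[i] = SHA-1(PCR[i] || digest)
        if not 0 <= index < NUM_PCRS or len(digest) != SHA1_LEN:
            raise ValueError("bad PCR index or digest length")
        self.pcrs[index] = sha1(self.pcrs[index] + digest)
        return self.pcrs[index]


class TcpaLog:
    """Firmware side: hash the object, extend the PCR, then append a log record."""

    def __init__(self, tpm: TpmPcrBank):
        self.tpm = tpm
        self.buf = bytearray()

    def measure(self, pcr: int, event_type: int, data: bytes) -> bytes:
        digest = sha1(data)
        self.tpm.extend(pcr, digest)
        self.buf += EVENT_HDR.pack(pcr, event_type, digest, len(data)) + data
        return digest


def parse_log(buf: bytes):
    """Walk the records; raise on a truncated header or data (malformed log)."""
    off = 0
    while off < len(buf):
        if len(buf) - off < EVENT_HDR.size:
            raise ValueError("truncated event header at offset %d" % off)
        pcr, event_type, digest, size = EVENT_HDR.unpack_from(buf, off)
        off += EVENT_HDR.size
        if len(buf) - off < size:
            raise ValueError("event data runs past end of log at offset %d" % off)
        yield pcr, event_type, digest, bytes(buf[off:off + size])
        off += size


def is_well_formed(buf: bytes) -> bool:
    try:
        for _ in parse_log(buf):
            pass
        return True
    except ValueError:
        return False


def replay(buf: bytes) -> list:
    """Verifier side: recompute every PCR from the logged digests alone.

    Only the digests are folded in. Event data is informational; for many real
    event types it is a description, not the object that was hashed.
    """
    pcrs = [bytes(SHA1_LEN)] * NUM_PCRS
    for pcr, _event_type, digest, _data in parse_log(buf):
        if pcr >= NUM_PCRS:
            raise ValueError("PCR index %d out of range" % pcr)
        pcrs[pcr] = sha1(pcrs[pcr] + digest)
    return pcrs


def simulate_boot():
    """Constructed boot: CRTM version, separators into PCR 0-7, then an IPL measurement."""
    tpm = TpmPcrBank()
    log = TcpaLog(tpm)
    log.measure(0, EV_S_CRTM_VERSION, b"example-bios-1.0")       # constructed string
    for pcr in range(8):
        log.measure(pcr, EV_SEPARATOR, b"\x00\x00\x00\x00")
    log.measure(4, EV_IPL, b"\xeb\x3c\x90" + bytes(509))         # constructed boot sector
    return tpm, bytes(log.buf)


def tamper(buf: bytes, record: int) -> bytes:
    """Flip one bit of the digest in record N: in-memory log tampering after boot."""
    off = 0
    for _ in range(record):
        off += EVENT_HDR.size + EVENT_HDR.unpack_from(buf, off)[3]
    out = bytearray(buf)
    out[off + 8] ^= 0x01          # skip pcrIndex and eventType to reach the digest
    return bytes(out)


if __name__ == "__main__":
    tpm, log = simulate_boot()
    print("log replays to the TPM's PCRs:", replay(log) == tpm.pcrs)
    print("tampered log still matches:  ", replay(tamper(log, 0)) == tpm.pcrs)
```

The point the replay makes is that the log itself is not trusted: it lives in ordinary memory and anyone can rewrite it, but a rewritten log no longer replays to the values held in the TPM, which is why a remote verifier compares the replay against a signed PCR quote rather than reading the log on its own.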