On 03/20/2015 08:05 PM, Kevin O'Connor wrote:
On Fri, Mar 20, 2015 at 02:00:35PM -0400, Stefan
This is a repost of a series of patches providing
TPM support to SeaBIOS.
As an addition, this patch series now works on the Acer C720 Chromebook
with limitations (S3 not getting invoked; no logging into TCPA table).
The patch series cleanly applies to a checkout of a1ac8861.
The following set of patches adds TPM and Trusted Computing support to SeaBIOS.
In particular the patches add:
- a TPM driver for QEMU's TPM TIS emulation
- support for initialization of the TPM
- init of the TCPA logging table
- support for the TCG BIOS extensions (1ah handler [ah = 0xbb])
(used by trusted grub; http://trousers.sourceforge.net/grub.html)
- Static Root of Trust for Measurement (SRTM) support
- support for S3 resume (sends command to TPM upon resume)
- support for sending control messages from the OS to the BIOS
and having the BIOS control certain life-cycle aspects of the TPM
following those messages
- a TPM-specific menu for controlling aspects of the TPM
Thanks for working on this Stefan. How does this series compare with
the xen patch that was recently sent (is it a prerequisite, unrelated,
or a conflict)? What is the state of QEMU TPM TIS emulation?
The QEMU TPM TIS emulation is checked into QEMU. Next from my
perspective is to send out patches for QEMU to access a TPM emulator that
is running outside of QEMU and is accessed using a CUSE (character
device in user space) interface. The plan is to post the patches once
QEMU 2.4 is out.
This one will need the BIOS support for initialization etc. of the
I posted the patches now again since these patches should / have to
cover TPM support for Xen, QEMU, and SeaBIOS running on plain hardware.
In the latter case there are some problems with underlying coreboot or
other firmware piggybacking SeaBIOS. I want to mention that, though
certainly don't want that to be a reason for these patches not to go in.
:-) The underlying firmware for example has to setup all the ACPI tables
in the same way as Xen and QEMU do it.
I have some minor comments on the first five patches, but nothing
major - they could probably all be addressed after inclusion.
I think patches 1-2 would be good for inclusion now and should cover the
Xen case well. Quan Xu should probably have a look at these and comment.
I don't agree with adding a new top level menu option to SeaBIOS. Is
patch six needed for the other patches to make sense? (FYI, Paolo was
proposing enhancing the boot menu, and depending on the outcome of
that proposal there might be a way forward for TPM control as a
sub-menu to the boot menu. But I don't think the further waiting and
further unknowns are a good idea unless necessary.)
The life-cycle management of the TPM requires a menu. If someone forgot
the TPM password, the only way to reset it is to go through the BIOS.
Then activating and enabling a deactivated and disabled TPM needs to be
done in the BIOS. There's no way around this -- except the physical
presence interface (PPI) patch [5/6] allows one to send those control
messages from the OS (on Linux via sysfs) to the BIOS that the BIOS can
react upon. It needs that anchor created via ACPI we had talked about
(privately) a while ago so that the OS knows the memory area where to
post that message. I can post that ACPI DSM patch. It would have to go
into Xen and QEMU for PPI to work there.