On Thu, Jun 11, 2020 at 10:32 AM Stefan Berger <stefanb(a)linux.ibm.com> wrote:
> On 6/11/20 8:36 AM, Jason Andryuk wrote:
>> SeaBIOS commit 67643955c746 (make SeaBios compatible with Xen vTPM.)
>> made tpm_start() exit before calling tpm_startup(). The commit
>> message has no explanation why this change was made. Does anyone
>> remember why it was made?
>>
>> The code today means SeaBIOS will not populate PCRs when running on
>> Xen. If I revert the patch, SeaBIOS populates PCRs as one would
>> expect. This is with a QEMU-emulated TPM backed by swtpm in TPM 1.2
>> mode (qemu & swtpm running in a linux stubdom).
>>
>> Any insight is appreciated.
>
> My guess would be that for some reason the TPM 1.2 was already started
> up through other means and didn't need the SeaBIOS tpm_startup() to run.

Hmmm, yes. Thanks, Stefan. The mini-os vtpm stubdom calls
TPM_Startup and it looks like the Berlios tpm_emulator returns an
error when called twice.

From a little bit of googling, Quan and Emil (added to CC) were
working on an interface from QEMU to the vtpm stubdom, but it looks
like it didn't get merged into upstream QEMU? It doesn't seem to be

Anyway, the mini-os vtpm stubdom calls TPM_Startup since a PV guest
doesn't have firmware to make the call. SeaBIOS could make a
tpm_startup error non-fatal for Xen. Or better - detect a vtpm
stubdom and only then skip initialization. vtpm stubdom could also be
changed to skip TPM_Startup for HVM - not sure if that would be
problematic. That would let SeaBIOS drop the Xen condition.
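
The startup options discussed in this thread, modelled as an added example that is not SeaBIOS, swtpm or tpm_emulator code: it shows which combinations leave the PCRs unmeasured on Xen. The mock TPM, `fw_tpm_start`, `boot_on_xen`, the policy names, and the use of `TPM_INVALID_POSTINIT` as the error a second TPM_Startup returns are assumptions.

```c
#include <stdint.h>

#define TPM_SUCCESS          0u
#define TPM_INVALID_POSTINIT 38u  /* TPM 1.2: TPM_Startup issued in the wrong state */

/* Constructed stand-in for a TPM 1.2 device, not swtpm or tpm_emulator code. */
struct mock_tpm {
    int started;       /* set once TPM_Startup has succeeded */
    unsigned extends;  /* PCR extend operations the device accepted */
};

static uint32_t mock_startup(struct mock_tpm *t)
{
    if (t->started)
        return TPM_INVALID_POSTINIT;  /* assumed error for a second startup */
    t->started = 1;
    return TPM_SUCCESS;
}

static void mock_extend(struct mock_tpm *t)
{
    if (t->started)
        t->extends++;
}

enum policy {
    SKIP_ON_XEN,       /* exit before startup whenever Xen is detected */
    STARTUP_FATAL,     /* always call startup, any error aborts */
    STARTUP_TOLERANT   /* always call startup, "already started" is accepted */
};

/* Hypothetical firmware entry point; returns 1 if a measurement reached a PCR. */
int fw_tpm_start(struct mock_tpm *t, int on_xen, enum policy p)
{
    if (on_xen && p == SKIP_ON_XEN)
        return 0;                     /* nothing is started or measured */
    uint32_t rc = mock_startup(t);
    if (rc == TPM_INVALID_POSTINIT && p == STARTUP_TOLERANT)
        rc = TPM_SUCCESS;             /* another component already started the TPM */
    if (rc != TPM_SUCCESS)
        return 0;
    unsigned before = t->extends;
    mock_extend(t);
    return t->extends > before;
}

/* One boot on Xen; prestarted=1 models a stubdom that already ran TPM_Startup. */
int boot_on_xen(int prestarted, enum policy p)
{
    struct mock_tpm t = { prestarted, 0 };
    return fw_tpm_start(&t, 1, p);
}
```

Only the tolerant policy records a measurement in both the fresh-TPM case (QEMU with swtpm) and the already-started case (vtpm stubdom).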