[SeaBIOS] [PATCH v8 0/8] Add TPM support to SeaBIOS

Kevin O'Connor kevin at koconnor.net
Tue Aug 26 18:49:57 CEST 2014 

On Tue, Aug 26, 2014 at 12:07:54PM -0400, Stefan Berger wrote:
> "Kevin O'Connor" <kevin at koconnor.net> wrote on 08/26/2014 11:19:14 AM:
> > If this is the intent, can't we just pass a flag (via fw_cfg) from
> > QEMU command line to SeaBIOS to force a clear?  That is, the guest
> > software can't manipulate the QEMU command line (or its fw_cfg
> > entries) and so the ability to set a flag there is proof of physical
> > presence.  (Access to the virtual machine disk images and virtual
> > machine command line is as close to "physical" as one can get.)
> 
> One would need at least a flag to indicate that the BIOS automatically 
> give up ownership of the TPM.
> Giving up ownership also means that the device automatically becomes 
> disabled and deactivated. The BIOS would then
> presumably automatically have to enabled and activate the TPM again 
> without user interaction.

Off the top of my head, I would think one could use a single
multi-purpose state indicator (eg, "TPM is enabled, active, ownable",
"TPM is enabled, active, non-ownable", "TPM is disabled, deactivated,
cleared, unownable", etc.).  I'd guess there are several permutations
that wouldn't make sense and the total list could be simplified.

> The other aspect is that this extension propagates all the way into higher 
> layers: libvirt would need an API and command
> line tool extension just to set this flag  and presumably use the QEMU 
> monitor with a new command to indicate it.
> You want to be able to do this in a cloud environment, you need another 
> API and/or GUI support in your cloud stack for doing
> just this...  I doesn't seem to become a lot easier this way.

Not easier.  But I don't think adding this menu to SeaBIOS is the
solution either.  As before, for the bulk of users it's just cryptic,
and for those rare users that do need it, it is not in a place they
want it.

> > On coreboot, a similar solution could be accomplished by setting a
> > flag in CBFS (the flash).  Granted, one doesn't need to be physically
> > present to reprogram the flash, but if one can reprogram the flash,
> > they could just as easily reprogram SeaBIOS anyway.
> 
> I am not so familiar with how CBFS is handled. Is it at least 
> access-restricted to root? I guess one would need a tool 
> to write the above flag(s) into the flash at the right position.

Yes, at a minimum it would require super-user access.  (Some hardware
platforms introduce additional restrictions.)

-Kevin

More information about the SeaBIOS mailing list