[SeaBIOS] [PATCH v2 3/3] Add a menu for TPM control

Stefan Berger stefanb at linux.vnet.ibm.com
Wed Jun 10 13:12:29 CEST 2015


On 06/01/2015 12:54 PM, Kevin O'Connor wrote:
> On Tue, May 26, 2015 at 03:48:35PM -0400, Stefan Berger wrote:
>> This patch provides an additional menu entry that enables the user to control
>> certain aspects of the TPM's state.
>>
>> If a working TPM has been detected, the boot menu will look like this:
>>
>> Select boot device:
>>
>> 1. ata0-1: QEMU HARDDISK ATA-7 Hard-Disk (6144 MiBytes)
>> 2. Legacy option rom
>> 3. iPXE (PCI 00:03.0)
>>
>> t. TPM Menu
>>
>> Upon pressing t the TPM menu will be shown:
>>
>> 1. Enable TPM
>> 2. Disable TPM
>> 3. Activate TPM
>> 4. Deactivate TPM
>> 5. Clear ownership
>> 6. Allow installation of owner
>> 7. Prevent installation of owner
>> Escape for previous menu.
>> TPM is enabled, active, does not have an owner but one can be installed.
> I'm okay with adding a "t" to the boot menu.  However, I think this
> sub-menu is too complex and cryptic.  (For example, I suspect most
> users won't even know what "TPM" means.)
>
> I think I'd prefer something like:
>
> t. TPM Configuration
>
> Upon pressing t the TPM menu will be shown:
>
>
> The Trusted Platform Module (TPM) is a hardware device in this
> machine.  It can help verify the integrity of system software.
>
> The current state of the TPM is:
>    Enabled
>    No ownership key has been installed
>    System software can install an ownership key
>
> Available options are:
>    d) Disable TPM and clear any ownership key settings
>
> If no change is desired or if this menu was reached by mistake, press
> ESC and this machine will be rebooted without change.
>
>
> Specifically, I think the menu should be a little more verbose (for
> users that just explore the menu), it should only be reached if the
> given hardware is present, and menu options should only be shown if
> they are actually available and make sense to invoke.
>
> -Kevin
>

Here's now the (code for the) menu I created. I hope it's an acceptable
middle-ground. This sub-menu will only be available if a TPM has been
detected on the machine. Also, only those menu items that can be
selected at the moment, considering the state of the TPM, are shown. The
allowed scancodes are collected in an array.


static void
show_tpm_menu(int state, int *scancodes)
{
    int i = 0;

    printf("\nThe current state of the TPM is\n");

    if (state & TPM_STATE_ENABLED)
        printf("  Enabled");
    else
        printf("  Disabled");

    if (state & TPM_STATE_ACTIVE)
        printf(" and active\n");
    else
        printf(" and deactivated\n");

    if (state & TPM_STATE_OWNED)
        printf("  Ownership has been taken\n");
    else {
        printf("  Ownership has not been taken\n");
        if (state & TPM_STATE_OWNERINSTALL)
            printf("  A user can take ownership of the TPM\n");
        else
            printf("  Taking ownership of the TPM has been disabled\n");
    }

    if ((state & (TPM_STATE_ENABLED | TPM_STATE_ACTIVE)) !=
        (TPM_STATE_ENABLED | TPM_STATE_ACTIVE)) {
        printf("\nNote: To make use of all functionality, the TPM must be "
               "enabled and active.\n");
    }

    /* Only the operations that make sense in the current state are listed;
     * the AT set-1 scancode of each listed hotkey is recorded so the caller
     * can reject any other keypress. */
    printf("\nAvailable options are:\n");
    if (state & TPM_STATE_ENABLED) {
        printf(" d. Disable the TPM\n");
        scancodes[i++] = 32;                /* 'd' */

        if (state & TPM_STATE_ACTIVE) {
            printf(" v. Deactivate the TPM\n");
            scancodes[i++] = 47;            /* 'v' */

            if (state & TPM_STATE_OWNERINSTALL) {
                printf(" p. Prevent installation of an owner\n");
                scancodes[i++] = 25;        /* 'p' */
            } else {
                printf(" s. Allow installation of an owner\n");
                scancodes[i++] = 31;        /* 's' */
            }
        } else {
            printf(" a. Activate the TPM\n");
            scancodes[i++] = 30;            /* 'a' */
        }

    } else {
        printf(" e. Enable the TPM\n");
        scancodes[i++] = 18;                /* 'e' */
    }

    if (state & TPM_STATE_OWNED) {
        printf(" c. Clear ownership\n");
        scancodes[i++] = 46;                /* 'c' */
    }

    scancodes[i++] = 0;                     /* end of list */
}

void
tpm_menu(void)
{
    if (!CONFIG_TCGBIOS)
        return;

    int scancode, scancodes[7];
    u32 rc, returnCode;
    u8 next_step;
    tpm_bios_cfg cfg = {
        .op  = TPM_PPI_OP_NOOP,
    };
    int state = 0, i;
    bool waitkey;

    /* Drain any keystrokes still pending from the boot menu. */
    while (get_keystroke(0) >= 0)
        ;
    wait_threads();

    if (has_working_tpm())
        printf("The Trusted Platform Module (TPM) is a hardware device in "
               "this machine.\n"
               "It can help verify the integrity of system software.\n\n");

    for (;;) {
        if (has_working_tpm() &&
            (state = get_tpm_state()) != ~0) {
            show_tpm_menu(state, scancodes);
        } else {
            printf("TPM is not working correctly.\n");
            return;
        }

        printf("\nIf no change is desired or if this menu was reached by "
               "mistake, press ESC to\n"
               "return to the previous menu.\n");
[...]

Regards,
     Stefan
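The state-to-options rule of show_tpm_menu() above, written as a precondition table so each option's requirements can be checked on their own, plus a lookup that refuses a keypress whose option is not on offer in the current state. This is an added example, not code from the patch; the TPM_STATE_* bit values are assumed (SeaBIOS's own definitions are not in the mail), and the scancodes are the AT set-1 codes the patch uses.

```c
#include <stddef.h>
#include <stdio.h>
/* Bit assignments assumed for this example; SeaBIOS's own are not in the mail. */
#define TPM_STATE_ENABLED      (1 << 0)
#define TPM_STATE_ACTIVE       (1 << 1)
#define TPM_STATE_OWNED        (1 << 2)
#define TPM_STATE_OWNERINSTALL (1 << 3)
#define EN_ACT (TPM_STATE_ENABLED | TPM_STATE_ACTIVE)

/* scancode: AT set-1 make code; need_set/need_clear: state bits required set/clear. */
struct tpm_opt { int scancode; char key; const char *text; int need_set, need_clear; };

/* Same preconditions as the nested ifs in show_tpm_menu(), in display order. */
static const struct tpm_opt opts[] = {
    { 32, 'd', "Disable the TPM",                  TPM_STATE_ENABLED, 0 },
    { 47, 'v', "Deactivate the TPM",               EN_ACT, 0 },
    { 25, 'p', "Prevent installation of an owner", EN_ACT | TPM_STATE_OWNERINSTALL, 0 },
    { 31, 's', "Allow installation of an owner",   EN_ACT, TPM_STATE_OWNERINSTALL },
    { 30, 'a', "Activate the TPM",                 TPM_STATE_ENABLED, TPM_STATE_ACTIVE },
    { 18, 'e', "Enable the TPM",                   0, TPM_STATE_ENABLED },
    { 46, 'c', "Clear ownership",                  TPM_STATE_OWNED, 0 },
};
#define NOPTS (sizeof(opts) / sizeof(opts[0]))

static int opt_available(int state, size_t i)
{
    return (state & opts[i].need_set) == opts[i].need_set &&
           (state & opts[i].need_clear) == 0;
}

/* Print the options valid in 'state', fill the 0-terminated scancodes[]
 * (NOPTS + 1 slots) and return how many were listed. */
int tpm_menu_options(int state, int *scancodes)
{
    int n = 0;
    for (size_t i = 0; i < NOPTS; i++)
        if (opt_available(state, i)) {
            printf(" %c. %s\n", opts[i].key, opts[i].text);
            scancodes[n++] = opts[i].scancode;
        }
    scancodes[n] = 0;
    return n;
}

/* Map a keypress to its hotkey letter, or 0 when that option is not on offer
 * in 'state'; ESC (scancode 1) is left to the caller and also yields 0. */
char tpm_menu_select(int state, int scancode)
{
    for (size_t i = 0; i < NOPTS; i++)
        if (opts[i].scancode == scancode && opt_available(state, i))
            return opts[i].key;
    return 0;
}
```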
