[SeaBIOS] [PATCH v9 0/6] Add TPM support to SeaBIOS
Stefan Berger
stefanb at linux.vnet.ibm.com
Sat Mar 21 01:40:53 CET 2015
On 03/20/2015 08:05 PM, Kevin O'Connor wrote:
> On Fri, Mar 20, 2015 at 02:00:35PM -0400, Stefan Berger wrote:
>> This is a repost of a series of patches providing TPM support to SeaBIOS.
>>
>> As an addition, this patch series now works on the Acer C720 Chromebook
>> with limitations (S3 not getting invoked; no logging into TCPA table).
>>
>> The patch series cleanly applies to a checkout of a1ac8861.
>>
>>
>> The following set of patches add TPM and Trusted Computing support to SeaBIOS.
>> In particular the patches add:
>>
>> - a TPM driver for the Qemu's TPM TIS emulation
>> - Support for initialization of the TPM
>> - init of TCPA logging table
>> - Support for the TCG BIOS extensions (1ah handler [ah = 0xbb])
>> (used by trusted grub; http://trousers.sourceforge.net/grub.html)
>> - Static Root of Trust for Measurement (SRTM) support
>> - Support for S3 resume (sends command to TPM upon resume)
>> - Support for sending control messages from the OS to the BIOS
>> and have the BIOS control certain life-cycle aspects of the TPM
>> following those messages
>> - TPM-specific menu for controlling aspects of the TPM
> Thanks for working on this Stefan. How does this series compare with
> the xen patch that was recently sent (is it a prerequisite, unrelated,
> or a conflict)? What is the state of QEMU TPM TIS emulation?
The QEMU TPM TIS emulation is checked into QEMU. Next from my
perspective is to send out patches for QEMU to access a TPM emulator that
is running outside of QEMU and is accessed using a CUSE (character
device in user space) interface. The plan is to post the patches once
QEMU 2.4 is out.
https://github.com/stefanberger/swtpm
This one will need the BIOS support for initialization etc. of the
emulated TPM.
I posted the patches now again since these patches should / have to
cover TPM support for Xen, QEMU, and SeaBIOS running on plain hardware.
In the latter case there are some problems with underlying coreboot or
other firmware piggybacking SeaBIOS. I want to mention that, though
certainly don't want that to be a reason for these patches not to go in.
:-) The underlying firmware for example has to set up all the ACPI tables
in the same way as Xen and QEMU do it.
>
> I have some minor comments on the first five patches, but nothing
> major - they could probably all be addressed after inclusion.
Thank you.
I think patches 1-2 would be good for inclusion now and should cover the
Xen case well. Quan Xu should probably have a look at these and comment.
> I don't agree with adding a new top level menu option to SeaBIOS. Is
> patch six needed for the other patches to make sense? (FYI, Paolo was
> proposing enhancing the boot menu, and depending on the outcome of
> that proposal there might be a way forward for TPM control as a
> sub-menu to the boot menu. But I don't think the further waiting and
> further unknowns are a good idea unless necessary.)
The life-cycle management of the TPM requires a menu. If someone forgot
the TPM password, the only way to reset it is to go through the BIOS.
Then activating and enabling a deactivated and disabled TPM needs to be
done in the BIOS. There's no way around this -- except the physical
presence interface (PPI) patch [5/6] allows one to send those control
messages from the OS (on Linux via sysfs) to the BIOS that the BIOS can
react upon. It needs that anchor created via ACPI we had talked about
(privately) a while ago so that the OS knows the memory area where to
post that message. I can post that ACPI DSM patch. It would have to go
into Xen and QEMU for PPI to work there.
Stefan
>
> -Kevin
>
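The TCPA logging table that the series initializes (and that the int 1ah, ah=0xbb interface exposes to a loader such as trusted grub) is a sequence of SHA-1 era TCG PC Client event entries: pcrIndex, eventType, a 20-byte digest, eventDataSize and the event data. The following Python is an added example, not code from the patch series or from SeaBIOS: it parses such a log with bounds checks, replays the PCR extends so the log can be compared against TPM-quoted PCR values, and flags entries whose event data no longer matches their recorded digest. The event-type constants are the ones defined in the TCG PC Client specification; the sample log bytes, the "boot sector" digest and the quoted PCR values are constructed here for illustration.

```python
import hashlib
import struct

# One SHA-1 era TCG PC Client event-log entry ("TCPA" log), little-endian:
#   UINT32 pcrIndex; UINT32 eventType; BYTE digest[20]; UINT32 eventDataSize; BYTE event[];
ENTRY_HDR = struct.Struct("<II20sI")
SHA1_ZERO = bytes(20)          # PCR reset value for a TPM 1.2 SHA-1 bank
NUM_PCRS = 24

# Event types from the TCG PC Client spec
EV_POST_CODE = 0x01
EV_SEPARATOR = 0x04
EV_ACTION = 0x05
EV_IPL = 0x0D
# For these types the spec defines digest = SHA-1(event data), so the relation can be checked.
SELF_DESCRIBING = {EV_SEPARATOR, EV_ACTION}


def sha1(data):
    return hashlib.sha1(data).digest()


def extend(pcr_value, digest):
    """TPM 1.2 PCR extend: new = SHA-1(old || digest)."""
    return sha1(pcr_value + digest)


def build_entry(pcr, etype, data, digest=None):
    """Serialize one log entry; digest defaults to SHA-1(data) (correct for self-describing types)."""
    if digest is None:
        digest = sha1(data)
    return ENTRY_HDR.pack(pcr, etype, digest, len(data)) + data


def parse_tcpa_log(buf):
    """Parse a raw TCPA log into a list of dicts, rejecting truncated or malformed entries."""
    events = []
    off = 0
    while off < len(buf):
        if len(buf) - off < ENTRY_HDR.size:
            raise ValueError("truncated entry header at offset %d" % off)
        pcr, etype, digest, size = ENTRY_HDR.unpack_from(buf, off)
        off += ENTRY_HDR.size
        if pcr >= NUM_PCRS:
            raise ValueError("bad PCR index %d at offset %d" % (pcr, off))
        if size > len(buf) - off:            # bounds check before slicing the event data
            raise ValueError("event data overruns log at offset %d" % off)
        events.append({"pcr": pcr, "type": etype, "digest": digest, "data": buf[off:off + size]})
        off += size
    return events


def is_well_formed(buf):
    try:
        parse_tcpa_log(buf)
        return True
    except ValueError:
        return False


def replay_pcrs(events):
    """Recompute every PCR from the log alone, in log order."""
    pcrs = {}
    for ev in events:
        pcrs[ev["pcr"]] = extend(pcrs.get(ev["pcr"], SHA1_ZERO), ev["digest"])
    return pcrs


def self_describing_mismatches(events):
    """Indices of entries whose recorded digest is not SHA-1 of their data (only for types
    where the spec defines that relation); a replay alone cannot catch edited event data."""
    return [i for i, ev in enumerate(events)
            if ev["type"] in SELF_DESCRIBING and sha1(ev["data"]) != ev["digest"]]


def compare_with_quote(replayed, quoted):
    """PCR indices where the replayed log disagrees with the value the TPM reported."""
    return sorted(i for i in quoted if replayed.get(i, SHA1_ZERO) != quoted[i])


# Constructed sample log: POST code into PCR 0, the INT 19h action and a boot-sector
# measurement into PCR 4, and the separator written to PCRs 0-7 before the handoff.
MBR_DIGEST = sha1(b"constructed boot sector image")
SAMPLE_LOG = b"".join([
    build_entry(0, EV_POST_CODE, b"POST CODE", digest=sha1(b"constructed post code blob")),
    build_entry(4, EV_ACTION, b"Calling INT 19h"),
    *[build_entry(i, EV_SEPARATOR, b"\0\0\0\0") for i in range(8)],
    build_entry(4, EV_IPL, b"MBR", digest=MBR_DIGEST),
])

if __name__ == "__main__":
    evs = parse_tcpa_log(SAMPLE_LOG)
    pcrs = replay_pcrs(evs)
    for i in sorted(pcrs):
        print("PCR[%2d] = %s" % (i, pcrs[i].hex()))
    print("self-describing mismatches:", self_describing_mismatches(evs))
    print("well-formed after truncation:", is_well_formed(SAMPLE_LOG[:-1]))
```

A log that replays to the quoted PCR values only proves that the chain of digests is intact; the event data is not covered by the chain, which is why the self-describing check is kept separate, and why an attestation verifier should treat the data of other event types as a hint about what was measured rather than as evidence.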