[SeaBIOS] [PATCH v9 0/6] Add TPM support to SeaBIOS

Stefan Berger stefanb at linux.vnet.ibm.com
Sat Mar 21 01:40:53 CET 2015


On 03/20/2015 08:05 PM, Kevin O'Connor wrote:
> On Fri, Mar 20, 2015 at 02:00:35PM -0400, Stefan Berger wrote:
>> This is a repost of a series of patches providing TPM support to SeaBIOS.
>>
>> As an addition, this patch series now works on the Acer C720 Chromebook
>> with limitations (S3 not getting invoked; no logging into TCPA table).
>>
>> The patch series cleanly applies to a checkout of a1ac8861.
>>
>>
>> The following set of patches add TPM and Trusted Computing support to SeaBIOS.
>> In particular the patches add:
>>
>> - a TPM driver for the Qemu's TPM TIS emulation
>> - Support for initialization of the TPM
>> - init of TCPA logging table
>> - Support for the TCG BIOS extensions (1ah handler [ah = 0xbb])
>>    (used by trusted grub; http://trousers.sourceforge.net/grub.html)
>> - Static Root of Trust for Measurement (SRTM) support
>> - Support for S3 resume (sends command to TPM upon resume)
>> - Support for sending control messages from the OS to the BIOS
>>    and have the BIOS control certain life-cycle aspects of the TPM
>>    following those messages
>> - TPM-specific menu for controlling aspects of the TPM
> Thanks for working on this Stefan.  How does this series compare with
> the xen patch that was recently sent (is it a prerequisite, unrelated,
> or a conflict)?  What is the state of QEMU TPM TIS emulation?
The QEMU TPM TIS emulation is checked into QEMU. Next from my
perspective is to send out patches for QEMU to access a TPM emulator that
is running outside of QEMU and is accessed using a CUSE (character
device in user space) interface. The plan is to post the patches once
QEMU 2.4 is out.

https://github.com/stefanberger/swtpm

This one will need the BIOS support for initialization etc. of the 
emulated TPM.

I posted the patches now again since these patches should / have to 
cover TPM support for Xen, QEMU, and SeaBIOS running on plain hardware. 
In the latter case there are some problems with underlying coreboot or 
other firmware piggybacking SeaBIOS. I want to mention that, though 
certainly don't want that to be a reason for these patches not to go in. 
:-) The underlying firmware for example has to setup all the ACPI tables 
in the same way as Xen and QEMU do it.

>
> I have some minor comments on the first five patches, but nothing
> major - they could probably all be addressed after inclusion.

Thank you.

I think patches 1-2 would be good for inclusion now and should cover the 
Xen case well. Quan Xu should probably have a look at these and comment.

> I don't agree with adding a new top level menu option to SeaBIOS.  Is
> patch six needed for the other patches to make sense?  (FYI, Paolo was
> proposing enhancing the boot menu, and depending on the outcome of
> that proposal there might be a way forward for TPM control as a
> sub-menu to the boot menu.  But I don't think the further waiting and
> further unknowns are a good idea unless necessary.)


The life-cycle management of the TPM requires a menu. If someone forgot 
the TPM password, the only way to reset it is to go through the BIOS. 
Then activating and enabling a deactivated and disabled TPM needs to be 
done in the BIOS. There's no way around this -- except the physical 
presence interface (PPI) patch [5/6] allows one to send those control 
messages from the OS (on Linux via sysfs) to the BIOS that the BIOS can 
react upon. It needs that anchor created via ACPI we had talked about 
(privately) a while ago so that the OS knows the memory area where to 
post that message. I can post that ACPI DSM patch. It would have to go 
into Xen and QEMU for PPI to work there.

     Stefan

>
> -Kevin
>
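The cover letter above lists initialization of the TCPA logging table and SRTM support among the things the series adds. The following is an added example, not code from SeaBIOS or from this patch series: it parses a TPM 1.2 BIOS event log in the TCG_PCClientPCREventStruct layout (the format behind the ACPI TCPA table, which Linux exposes as binary_bios_measurements) and replays the recorded digests to reproduce the PCR values, which is how a verifier checks that a log and a TPM's PCRs agree. The sample log is constructed inline and is not captured firmware output; the event data for the POST code and IPL entries are stand-ins, and the event-type names are the ones from the TCG PC Client spec.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# TCG_PCClientPCREventStruct: pcrIndex, eventType, digest[20], eventDataSize,
# followed by eventDataSize bytes of event data. Little-endian throughout.
HEADER = struct.Struct("<II20sI")
SHA1_LEN = 20
MAX_PCR = 23  # a PC Client TPM 1.2 has 24 PCRs (0..23)

# Event type codes from the TCG PC Client spec (used for display only).
EVENT_TYPES = {
    0x01: "EV_POST_CODE",
    0x03: "EV_NO_ACTION",
    0x04: "EV_SEPARATOR",
    0x08: "EV_S_CRTM_VERSION",
    0x0D: "EV_IPL",
    0x0E: "EV_IPL_PARTITION_DATA",
}


@dataclass
class Event:
    pcr: int
    event_type: int
    digest: bytes
    data: bytes


def measure(data: bytes) -> bytes:
    """Digest a TPM 1.2 BIOS records for a measured blob (SHA-1)."""
    return hashlib.sha1(data).digest()


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM_Extend semantics: PCR_new = SHA-1(PCR_old || digest)."""
    return hashlib.sha1(pcr_value + digest).digest()


def build_event(pcr: int, event_type: int, data: bytes,
                digest: Optional[bytes] = None) -> bytes:
    """Serialize one event; used here only to construct the sample log."""
    digest = measure(data) if digest is None else digest
    return HEADER.pack(pcr, event_type, digest, len(data)) + data


def parse_log(blob: bytes) -> List[Event]:
    """Walk the log; raise ValueError on a truncated or malformed entry."""
    events: List[Event] = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError("truncated event header at offset %d" % off)
        pcr, etype, digest, size = HEADER.unpack_from(blob, off)
        off += HEADER.size
        if pcr > MAX_PCR:
            raise ValueError("invalid PCR index %d at offset %d" % (pcr, off - HEADER.size))
        if size > len(blob) - off:
            raise ValueError("event data size %d runs past end of log" % size)
        events.append(Event(pcr, etype, digest, blob[off:off + size]))
        off += size
    return events


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_log(blob)
        return True
    except ValueError:
        return False


def replay_pcrs(events: List[Event]) -> Dict[int, bytes]:
    """Recompute each PCR by extending from the all-zero reset value."""
    pcrs: Dict[int, bytes] = {}
    for ev in events:
        pcrs[ev.pcr] = extend(pcrs.get(ev.pcr, bytes(SHA1_LEN)), ev.digest)
    return pcrs


def mismatched_pcrs(events: List[Event], reported: Dict[int, bytes]) -> List[int]:
    """PCRs whose replayed value differs from what the TPM reports (e.g. via TPM_PCRRead)."""
    replayed = replay_pcrs(events)
    return sorted(i for i in replayed if reported.get(i) != replayed[i])


# Constructed sample log (assumption, not captured from real firmware). A real
# BIOS measures the POST-code image and the boot sector; the strings are stand-ins.
SAMPLE_LOG = b"".join([
    build_event(0, 0x08, b"SeaBIOS (example)\0"),    # EV_S_CRTM_VERSION
    build_event(0, 0x01, b"POST CODE"),              # EV_POST_CODE (stand-in)
    build_event(0, 0x04, b"\0\0\0\0"),               # EV_SEPARATOR
    build_event(4, 0x0D, bytes(range(16))),          # EV_IPL (stand-in for the MBR)
])

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        name = EVENT_TYPES.get(ev.event_type, hex(ev.event_type))
        print("PCR%-2d %-18s %s %r" % (ev.pcr, name, ev.digest.hex(), ev.data[:16]))
    for i, v in sorted(replay_pcrs(evs).items()):
        print("replayed PCR%d = %s" % (i, v.hex()))
```

Pointing `parse_log` at a real log read from sysfs and `mismatched_pcrs` at the PCR values read back from the TPM gives the basic consistency check; a log that is truncated, or that omits events (as the cover letter notes happens on the Chromebook, where nothing is logged into the TCPA table), will not replay to the PCR values the TPM holds.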