[SeaBIOS] [RFC PATCH v1 0/9] Add TPM 2 support
Stefan Berger
stefanb at us.ibm.com
Tue Feb 2 15:36:51 CET 2016
"Kevin O'Connor" <kevin at koconnor.net> wrote on 02/01/2016 04:50:22 PM:
>
> On Fri, Jan 22, 2016 at 03:27:28PM -0500, Stefan Berger wrote:
> > "Kevin O'Connor" <kevin at koconnor.net> wrote on 01/21/2016 05:37:29 PM:
> > > Thanks Stefan. In general it looks good to me. I have a few
> > > comments, which I'll send separately. All of my comments could be
> > > addressed after committing this series if desired.
> >
> > I can address those comments and repost a V2 with the 10th patch
adding
> > the part for the logging.
>
> Hi Stefan. Sorry for the delay in responding. I have a couple of
> comments on the new patch series which I will respond with separately.
>
> > > How does one test and/or use this support? Does QEMU have support,
or
> > > is there hardware available on coreboot with the tpm2 hardware?
> >
> > I did all the testing of these patches with the vTPM with CUSE
interface
> > integrated into QEMU. Unfortunately the vTPM-QEMU integration train
seems
> > a wreck now following comments on QEMU mailing list. So, I don't know
of
> > any TPM 2 hardware out there, less so hardware where coreboot runs. So
> > that's probably currently the number one problem.
>
> Normally, I prefer to wait until upstream has committed the equivalent
> patches. I think there is some leeway here, however, because this
> series could be considered as adding support for additional hardware.
>
> That said, if you don't know of any TPM2 hardware that is shipping, it
> does raise the possibility that the specs might change by the time
> actual hardware does ship. What is your feel for the trade-off
> between merging now and merging after actual implementations exist?
TPM 2 is a published TCG and ISO/IED 11889:2015 standard now.
http://www.trustedcomputinggroup.org/resources/tpm_library_specification
Devices with TPM 2 are also shipping:
http://store.hp.com/us/en/pdp/hp-elitebook-folio-1020-g1-notebook-pc-%28energy-star%29-p-l4a53ut-aba--1
http://www.notebookcheck.net/Dell-XPS-13-Ultrabook-Review.136793.0.html
>
> > You know the TPM 1.2 PC BIOS specification, right? I think we can say
that
> > many of the functions implemented in this series for TPM 2 are
necessary
> > because of how it's done for TPM 1.2 as well as properties of the TPM
2
> > device. This includes the TPM initialization, S3 support, setting of
> > timeouts, menu items, etc. The problem with TPM 2 is that there's no
> > official spec for TPM 2 for a BIOS. So it's not quite clear to me how
much
> > leeway we have to go about this in the areas of ACPI tables for
logging
> > and the API. Regarding these topics:
> >
> > ACPI tables for logging: The (U)EFI specification for TPM 2 don't
require
> > a TCPA table with the logging area because there seems to be an API
for
> > the OS for retrieving the log. UEFI seems to log into just some
buffer,
> > not connected to any ACPI table. For the BIOS we would still need that
> > TCPA table. QEMU currently provides that. The Linux kernel (and all
other
> > OSes -- uuuh) would then have to allow a TCPA table for logging for
TPM 2
> > even though we cannot point to a spec for that. Not sure whether we
can
> > create a standard for this little gap here...
>
> It sounds like the creators of the spec assumed only EFI machines
> would have a TPM2 device. Unless there is evidence that OSes will
> accept the ACPI/TCPA table in the new format, I'd be inclined to leave
> it in the old format.
I think the format goes with the TPM 2. We should be able to log into the
TCPA table. It wouldn't make sense to come up with a new table and the
logging format should be TPM 2 specific.
>
> > BIOS API: Some functions pass the entry to write into the log via the
> > function directly. Patch 10 handles that and transforms that entry
into
> > the log entry format as required for TPM 1.2 or TPM 2 (log entries are
> > differently formatted for TPM 1.2 and for TPM 2). So the only
remaining
> > problem I know of is the function that allows one to pass TPM commands
> > through to the TPM. This may end up causing problems in the
application if
> > it was written for TPM 1.2 and now there's a TPM 2 running underneath,
> > which doesn't understand the TPM 1.2 commands. I would say this is
likely
> > the smaller of the problems also considering that there are not many
> > applications out there that use that API call. Possibility to just
shut
> > down that function call is certainly there.
>
> I'd say returning an error code for pass-through command requests is
> the safest solution.
TPM 1.2 and TPM 2 commands all differ in the tag field. We could filter by
that and return an error if the tag is not for the underlying TPM.
Stefan
>
> -Kevin
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.seabios.org/pipermail/seabios/attachments/20160202/1bfbe5d5/attachment.html>
More information about the SeaBIOS
mailing list