[SeaBIOS] [RFC PATCH v1 0/9] Add TPM 2 support
Stefan Berger
stefanb at us.ibm.com
Fri Jan 22 21:27:28 CET 2016
"Kevin O'Connor" <kevin at koconnor.net> wrote on 01/21/2016 05:37:29 PM:
>
> On Fri, Jan 15, 2016 at 02:44:30PM -0500, Stefan Berger wrote:
> > This series of patches adds TPM 2 support to SeaBIOS in the way
previously
> > proposed.
> >
> > TPM 2 support also changes the log entry format, which I have not
addressed
> > at all so far, and would append to the end of the series.
>
> Thanks Stefan. In general it looks good to me. I have a few
> comments, which I'll send separately. All of my comments could be
> addressed after committing this series if desired.
I can address those comments and repost a V2 with the 10th patch adding
the part for the logging.
>
> How does one test and/or use this support? Does QEMU have support, or
> is there hardware available on coreboot with the tpm2 hardware?
I did all the testing of these patches with the vTPM with CUSE interface
integrated into QEMU. Unfortunately the vTPM-QEMU integration train seems
a wreck now following comments on QEMU mailing list. So, I don't know of
any TPM 2 hardware out there, less so hardware where coreboot runs. So
that's probably currently the number one problem.
You know the TPM 1.2 PC BIOS specification, right? I think we can say that
many of the functions implemented in this series for TPM 2 are necessary
because of how it's done for TPM 1.2 as well as properties of the TPM 2
device. This includes the TPM initialization, S3 support, setting of
timeouts, menu items, etc. The problem with TPM 2 is that there's no
official spec for TPM 2 for a BIOS. So it's not quite clear to me how much
leeway we have to go about this in the areas of ACPI tables for logging
and the API. Regarding these topics:
ACPI tables for logging: The (U)EFI specification for TPM 2 don't require
a TCPA table with the logging area because there seems to be an API for
the OS for retrieving the log. UEFI seems to log into just some buffer,
not connected to any ACPI table. For the BIOS we would still need that
TCPA table. QEMU currently provides that. The Linux kernel (and all other
OSes -- uuuh) would then have to allow a TCPA table for logging for TPM 2
even though we cannot point to a spec for that. Not sure whether we can
create a standard for this little gap here...
BIOS API: Some functions pass the entry to write into the log via the
function directly. Patch 10 handles that and transforms that entry into
the log entry format as required for TPM 1.2 or TPM 2 (log entries are
differently formatted for TPM 1.2 and for TPM 2). So the only remaining
problem I know of is the function that allows one to pass TPM commands
through to the TPM. This may end up causing problems in the application if
it was written for TPM 1.2 and now there's a TPM 2 running underneath,
which doesn't understand the TPM 1.2 commands. I would say this is likely
the smaller of the problems also considering that there are not many
applications out there that use that API call. Possibility to just shut
down that function call is certainly there.
Stefan
>
> -Kevin
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.seabios.org/pipermail/seabios/attachments/20160122/aa5adef6/attachment.html>
More information about the SeaBIOS
mailing list