[SeaBIOS] [RFC PATCH v1 0/9] Add TPM 2 support

Stefan Berger stefanb at us.ibm.com
Fri Jan 22 21:27:28 CET 2016


"Kevin O'Connor" <kevin at koconnor.net> wrote on 01/21/2016 05:37:29 PM:

> 
> On Fri, Jan 15, 2016 at 02:44:30PM -0500, Stefan Berger wrote:
> > This series of patches adds TPM 2 support to SeaBIOS in the way previously
> > proposed.
> > 
> > TPM 2 support also changes the log entry format, which I have not addressed
> > at all so far, and would append to the end of the series.
> 
> Thanks Stefan.  In general it looks good to me.  I have a few
> comments, which I'll send separately.  All of my comments could be
> addressed after committing this series if desired.

I can address those comments and repost a V2 with the 10th patch adding 
the part for the logging.

> 
> How does one test and/or use this support?  Does QEMU have support, or
> is there hardware available on coreboot with the tpm2 hardware?

I did all the testing of these patches with the vTPM with CUSE interface 
integrated into QEMU. Unfortunately the vTPM-QEMU integration train seems 
a wreck now following comments on the QEMU mailing list. So, I don't know of 
any TPM 2 hardware out there, less so hardware where coreboot runs. So 
that's probably currently the number one problem.

You know the TPM 1.2 PC BIOS specification, right? I think we can say that 
many of the functions implemented in this series for TPM 2 are necessary 
because of how it's done for TPM 1.2 as well as properties of the TPM 2 
device. This includes the TPM initialization, S3 support, setting of 
timeouts, menu items, etc. The problem with TPM 2 is that there's no 
official spec for TPM 2 for a BIOS. So it's not quite clear to me how much 
leeway we have to go about this in the areas of ACPI tables for logging 
and the API. Regarding these topics:

ACPI tables for logging: The (U)EFI specification for TPM 2 doesn't require 
a TCPA table with the logging area because there seems to be an API for 
the OS for retrieving the log. UEFI seems to log into just some buffer, 
not connected to any ACPI table. For the BIOS we would still need that 
TCPA table. QEMU currently provides that. The Linux kernel (and all other 
OSes -- uuuh) would then have to allow a TCPA table for logging for TPM 2 
even though we cannot point to a spec for that. Not sure whether we can 
create a standard for this little gap here...

BIOS API: Some functions pass the entry to write into the log via the 
function directly. Patch 10 handles that and transforms that entry into 
the log entry format as required for TPM 1.2 or TPM 2 (log entries are 
differently formatted for TPM 1.2 and for TPM 2). So the only remaining 
problem I know of is the function that allows one to pass TPM commands 
through to the TPM. This may end up causing problems in the application if 
it was written for TPM 1.2 and now there's a TPM 2 running underneath, 
which doesn't understand the TPM 1.2 commands. I would say this is likely 
the smaller of the problems also considering that there are not many 
applications out there that use that API call. The possibility to just shut 
down that function call is certainly there.

   Stefan


> 
> -Kevin
> 
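
The difference between the two log entry formats mentioned in the message above, as an added example (not code from this patch series or from SeaBIOS): one measurement serialized in the TPM 1.2 layout and in a TPM 2 layout. It assumes the TCG PC Client event structures (TCG_PCR_EVENT for TPM 1.2, TCG_PCR_EVENT2 carrying a single SHA-1 digest for TPM 2); `struct measurement` and `log_entry` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SHA1_LEN      20
#define TPM2_ALG_SHA1 0x0004   /* TCG algorithm id for SHA-1 */

/* Log fields are stored little-endian. */
static uint8_t *put_le16(uint8_t *p, uint16_t v)
{
    p[0] = v & 0xff; p[1] = v >> 8;
    return p + 2;
}
static uint8_t *put_le32(uint8_t *p, uint32_t v)
{
    return put_le16(put_le16(p, v & 0xffff), v >> 16);
}

/* Caller's view of a measurement, independent of the TPM version
 * (hypothetical struct for this example). */
struct measurement {
    uint32_t pcr, type, len;
    uint8_t sha1[SHA1_LEN];
    const void *data;
};

/* Serialize m in the layout for version 1 (TPM 1.2) or 2 (TPM 2).
 * Returns the entry size, or 0 if it does not fit or version is unknown. */
size_t log_entry(uint8_t *buf, size_t cap, int version, const struct measurement *m)
{
    size_t hdr = version == 2 ? 38 : version == 1 ? 32 : 0;
    if (!hdr || cap < hdr || m->len > cap - hdr)
        return 0;
    uint8_t *p = put_le32(buf, m->pcr);
    p = put_le32(p, m->type);
    if (version == 2) {
        p = put_le32(p, 1);              /* digest count */
        p = put_le16(p, TPM2_ALG_SHA1);  /* algorithm id precedes each digest */
    }
    memcpy(p, m->sha1, SHA1_LEN);
    p = put_le32(p + SHA1_LEN, m->len);
    memcpy(p, m->data, m->len);
    return hdr + m->len;
}

int main(void)
{   /* Constructed sample: PCR 7, event type 0x0d, dummy digest, 4-byte event. */
    struct measurement m = { 7, 0x0d, 4, { 0xaa }, "boot" };
    uint8_t buf[64];
    printf("TPM 1.2: %zu bytes, TPM 2: %zu bytes\n",
           log_entry(buf, sizeof buf, 1, &m), log_entry(buf, sizeof buf, 2, &m));
    return 0;
}
```

The TPM 2 entry is 6 bytes longer for the same event because of the digest count and algorithm id fields, so a log reader has to know which format it is walking before it can find entry boundaries.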

