[SeaBIOS] [RFC PATCH v1 0/9] Add TPM 2 support

Jarkko Sakkinen jarkko.sakkinen at linux.intel.com
Sat Jan 23 13:49:59 CET 2016


On Fri, Jan 22, 2016 at 03:27:28PM -0500, Stefan Berger wrote:
> "Kevin O'Connor" <kevin at koconnor.net> wrote on 01/21/2016 05:37:29 PM:
> 
> >
> > On Fri, Jan 15, 2016 at 02:44:30PM -0500, Stefan Berger wrote:
> > > This series of patches adds TPM 2 support to SeaBIOS in the way previously
> > > proposed.
> > >
> > > TPM 2 support also changes the log entry format, which I have not addressed
> > > at all so far, and would append to the end of the series.
> >
> > Thanks Stefan.  In general it looks good to me.  I have a few
> > comments, which I'll send separately.  All of my comments could be
> > addressed after committing this series if desired.
> 
> I can address those comments and repost a V2 with the 10th patch adding the
> part for the logging.
> 
> >
> > How does one test and/or use this support?  Does QEMU have support, or
> > is there hardware available on coreboot with the tpm2 hardware?
> 
> I did all the testing of these patches with the vTPM with CUSE interface
> integrated into QEMU. Unfortunately the vTPM-QEMU integration train seems a
> wreck now following comments on the QEMU mailing list. So, I don't know of any TPM
> 2 hardware out there, less so hardware where coreboot runs. So that's probably
> currently the number one problem.
> 
> You know the TPM 1.2 PC BIOS specification, right? I think we can say that many
> of the functions implemented in this series for TPM 2 are necessary because of
> how it's done for TPM 1.2 as well as properties of the TPM 2 device. This
> includes the TPM initialization, S3 support, setting of timeouts, menu items,
> etc. The problem with TPM 2 is that there's no official spec for TPM 2 for a
> BIOS. So it's not quite clear to me how much leeway we have to go about this in
> the areas of ACPI tables for logging and the API. Regarding these topics:
> 
> ACPI tables for logging: The (U)EFI specification for TPM 2 doesn't require a
> TCPA table with the logging area because there seems to be an API for the OS
> for retrieving the log. UEFI seems to log into just some buffer, not connected
> to any ACPI table. For the BIOS we would still need that TCPA table. QEMU
> currently provides that. The Linux kernel (and all other OSes -- uuuh) would
> then have to allow a TCPA table for logging for TPM 2 even though we cannot
> point to a spec for that. Not sure whether we can create a standard for this
> little gap here...

Do you know the reason why it isn't required? This really confuses me
that there isn't anything standardized for TPM2. How can that have
happened...

/Jarkko

> BIOS API: Some functions pass the entry to write into the log via the function
> directly. Patch 10 handles that and transforms that entry into the log entry
> format as required for TPM 1.2 or TPM 2 (log entries are differently formatted
> for TPM 1.2 and for TPM 2). So the only remaining problem I know of is the
> function that allows one to pass TPM commands through to the TPM. This may end
> up causing problems in the application if it was written for TPM 1.2 and now
> there's a TPM 2 running underneath, which doesn't understand the TPM 1.2
> commands. I would say this is likely the smaller of the problems also
> considering that there are not many applications out there that use that API
> call. The possibility to just shut down that function call is certainly there.
> 
>    Stefan
> 
> 
> >
> > -Kevin
> >
> 


