[SeaBIOS] [SLOF] [PATCH v3 00/17] Add vTPM support to SLOF

Stefan Berger stefanb at linux.vnet.ibm.com
Wed Nov 15 23:17:45 CET 2017


On 11/30/2015 05:01 PM, Stefan Berger wrote:

I am now reviving this series of patches. Over the last few years Kevin 
O'Connor and I have added TPM 1.2 and TPM 2 support to SeaBIOS and there 
would be good reasons to reuse large parts of the SeaBIOS 'C' TPM code 
in SLOF's. Reasons include faster development and finding/fixing of bugs 
in both of them when they occur.

I talked to Kevin about this and he agrees to having the SeaBIOS GPL 
code reused in SLOF (BSD), but I'd like him to state this here publicly 
as well. If someone among the SLOF maintainers does not agree with this, 
please let me know.

Regards,
     Stefan



> In this version of the patches I merged some of the patches of the previous
> version into a single patch to avoid gcc warnings about unused functions.
> I also rearranged the patches so that patch 7 allows Linux to retrieve the
> log from SLOF. At this point the log is still empty. Measurements will be
> added starting in patch 8. The menu is added in patch 10.
> Patch 1 now comes with a Readme providing some background on TPM/vTPM and
> installation instructions for libtpms, swtpm, and QEMU with TPM support
> (all currently provided via my account on github). The Readme can be found
> in lib/libtpm/Readme.
>
>
> The following series of patches adds TPM support to SLOF.
> In particular it adds the following:
>
> - TPM drivers for hardware interface and CRQ interface
> - TPM initialization
> - TPM logging area and firmware API to transfer it to the OS
>    (measurements are visible in sysfs)
> - Some measurement code (Static Core Root Of Trust)
> - TPM menu (accessible via 't' key during boot if TPM is available)
> - Firmware API extensions following Power Firmware Doc
>    (to make trusted grub work)
>
>
> Having a vTPM attached to a VM provides the following benefits:
>
> - enablement of trusted boot; this allows us to eventually extend the chain
>    of trust from the hypervisor to the guests
> - enablement of attestation so that one can verify what software is
>    running on a machine
> - provides TPM functionality to VMs, which includes a standardized
>    mechanism to store keys and other blobs
>    (Linux trusted keys, GNU TLS's TPM extensions)
>
> Necessarily, some of its parts are written in Forth, many are written
> in 'C'. The extensions are known to work with QEMU for ppc64 running Linux.
>
> v2->v3:
>    - Addressed Thomas Huth's comments.
>    - Rearranged patches and merged some patches.
>    - Followed some of the changes made by K. O'Connor (SeaBIOS).
>
> v1->v2:
>    - Addressed Nikunj's comments
>    - Since last post in August I added 3 more patches to the end of the series
>      and one in 13th place.
>
>
> Stefan Berger (17):
>    Add a TPM driver implementation
>    Add TPM initialization support
>    Add sha1 implementation
>    Add initial support for logging
>    Extend firmware API
>    Return value of actual log in sml-get-handover-size
>    Add sml related nodes to vdevice/vtpm node
>    Implement measurements of the master boot record
>    Add support for controlling the states of the TPM
>    Add support for a TPM menu to control the state of the TPM
>    Measure the static core root of trust for measurements
>    Add TPM firmware API call get-maximum-cmd-size
>    Add TPM firmware API call pass-through-to-tpm
>    Add TPM firmware API call get-state
>    Add TPM firmware API call get-failure-reason
>    Add TPM firmware API call reformat-sml-to-efi-alignment
>    Set the driver in pseudo failure state after handover
>
>   board-qemu/Makefile                 |    2 +-
>   board-qemu/slof/Makefile            |   10 +-
>   board-qemu/slof/OF.fs               |    3 +
>   board-qemu/slof/tree.fs             |    3 +
>   board-qemu/slof/vio-vtpm-cdriver.fs |  184 +++++
>   board-qemu/slof/vtpm-sml.fs         |  379 +++++++++++
>   include/helpers.h                   |    1 +
>   lib/Makefile                        |    2 +-
>   lib/libtpm/Makefile                 |   50 ++
>   lib/libtpm/Readme                   |   90 +++
>   lib/libtpm/sha1.c                   |  197 ++++++
>   lib/libtpm/sha1.h                   |   20 +
>   lib/libtpm/tcgbios.c                | 1281 +++++++++++++++++++++++++++++++++++
>   lib/libtpm/tcgbios.h                |   52 ++
>   lib/libtpm/tcgbios_int.h            |  179 +++++
>   lib/libtpm/tpm.code                 |  215 ++++++
>   lib/libtpm/tpm.in                   |   34 +
>   lib/libtpm/tpm_drivers.c            |  479 +++++++++++++
>   lib/libtpm/tpm_drivers.h            |   91 +++
>   slof/fs/packages/disk-label.fs      |   10 +-
>   slof/fs/start-up.fs                 |   16 +
>   slof/helpers.c                      |    6 +
>   22 files changed, 3298 insertions(+), 6 deletions(-)
>   create mode 100644 board-qemu/slof/vio-vtpm-cdriver.fs
>   create mode 100644 board-qemu/slof/vtpm-sml.fs
>   create mode 100644 lib/libtpm/Makefile
>   create mode 100644 lib/libtpm/Readme
>   create mode 100644 lib/libtpm/sha1.c
>   create mode 100644 lib/libtpm/sha1.h
>   create mode 100644 lib/libtpm/tcgbios.c
>   create mode 100644 lib/libtpm/tcgbios.h
>   create mode 100644 lib/libtpm/tcgbios_int.h
>   create mode 100644 lib/libtpm/tpm.code
>   create mode 100644 lib/libtpm/tpm.in
>   create mode 100644 lib/libtpm/tpm_drivers.c
>   create mode 100644 lib/libtpm/tpm_drivers.h
>
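The cover letter describes three pieces that fit together: SHA-1 measurements taken by the firmware, a log of those measurements that Linux reads from SLOF, and attestation that lets a remote party verify what booted. As an added illustration (not code from this series or from SLOF), the Python below models that chain: each measured object is hashed, the digest is extended into a PCR (TPM 1.2 style, new = SHA-1(old || digest)) and appended to the event log, and an OS-side verifier replays the log to confirm it reproduces the PCR values. The PCR index used for the MBR (PCR 4, following the TCG PC Client convention) and the 512-byte sample sector are assumptions of this example, not values taken from the page.

```python
import hashlib

PCR_COUNT = 24                     # PCR bank size of a TPM 1.2 device
DIGEST_LEN = 20                    # SHA-1 digest length used by TPM 1.2 measurements
PCR_INITIAL = bytes(DIGEST_LEN)    # PCRs start out all-zero after a reset

# Assumption for this example: the TCG PC Client convention places boot loader
# code (the MBR) in PCR 4. The page itself does not state which PCR SLOF uses.
PCR_MBR = 4


def measure(data: bytes) -> bytes:
    """Hash a measured object the way firmware does before logging it."""
    return hashlib.sha1(data).digest()


def pcr_extend(old_value: bytes, digest: bytes) -> bytes:
    """TPM_Extend semantics: new PCR = SHA-1(old PCR || event digest)."""
    assert len(old_value) == DIGEST_LEN and len(digest) == DIGEST_LEN
    return hashlib.sha1(old_value + digest).digest()


def record_event(log: list, pcr_index: int, data: bytes, description: str) -> dict:
    """Append one measurement to the firmware event log (the data handed to the OS)."""
    entry = {"pcr": pcr_index, "digest": measure(data), "event": description}
    log.append(entry)
    return entry


def replay_log(log: list) -> list:
    """Recompute every PCR from the log alone, starting from the reset state."""
    pcrs = [PCR_INITIAL] * PCR_COUNT
    for entry in log:
        pcrs[entry["pcr"]] = pcr_extend(pcrs[entry["pcr"]], entry["digest"])
    return pcrs


def verify_log_against_pcrs(log: list, reported_pcrs: list) -> bool:
    """The core attestation check: the log must reproduce the quoted PCR values."""
    return replay_log(log) == list(reported_pcrs)


def constructed_mbr() -> bytes:
    # Constructed sample: a 512-byte boot sector that is all zero except the 0x55AA signature.
    sector = bytearray(512)
    sector[510], sector[511] = 0x55, 0xAA
    return bytes(sector)


def demo() -> dict:
    """Measure the constructed MBR, then show the verifier accepting a faithful log
    and rejecting one whose entry was edited after the fact."""
    log = []
    record_event(log, PCR_MBR, constructed_mbr(), "MBR (constructed sample)")
    pcrs = replay_log(log)           # stands in for the PCR values the vTPM would quote
    ok = verify_log_against_pcrs(log, pcrs)

    # A log edited after boot no longer replays to the quoted PCR values, because
    # the PCR itself cannot be rewound; that is what makes the log trustworthy.
    edited = [dict(log[0], digest=measure(b"different boot code"))]
    detected = not verify_log_against_pcrs(edited, pcrs)
    return {"pcr4": pcrs[PCR_MBR].hex(), "verified": ok, "tamper_detected": detected}


if __name__ == "__main__":
    print(demo())
```

Measurements that are never logged, or logged out of order, fail the replay in exactly the same way, which is why the series keeps the log and the PCR extends in step from the first measurement onwards.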