From 83e83c34b2102153682729531b9c9d3e6659f037 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Thu, 5 Oct 2017 12:47:27 -0400 Subject: specs: Extend TPM spec with TPM emulator description MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Following the recent extension of QEMU with a TPM emulator device, update the specs describing for how to interact with the device. The results of commands run inside a Linux VM are expected to be similar to those when the TPM passthrough device is used, so we just reuse that. Signed-off-by: Stefan Berger Reviewed-by: Marc-André Lureau --- docs/specs/tpm.txt | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) (limited to 'docs') diff --git a/docs/specs/tpm.txt b/docs/specs/tpm.txt index 914daaceea..d1d71571e9 100644 --- a/docs/specs/tpm.txt +++ b/docs/specs/tpm.txt @@ -121,3 +121,82 @@ crw-------. 1 root root 10, 224 Jul 11 10:11 /dev/tpm0 PCR-00: 35 4E 3B CE 23 9F 38 59 ... ... PCR-23: 00 00 00 00 00 00 00 00 ... + + +== The QEMU TPM emulator device == + +The TPM emulator device uses an external TPM emulator called 'swtpm' for +sending TPM commands to and receiving responses from. The swtpm program +must have been started before trying to access it through the TPM emulator +with QEMU. + +The TPM emulator implements a command channel for transferring TPM commands +and responses as well as a control channel over which control commands can +be sent. The specification for the control channel can be found here: + +https://github.com/stefanberger/swtpm/blob/master/man/man3/swtpm_ioctls.pod + + +The control channel serves the purpose of resetting, initializing, and +migrating the TPM state, among other things. + +The swtpm program behaves like a hardware TPM and therefore needs to be +initialized by the firmware running inside the QEMU virtual machine. +One necessary step for initializing the device is to send the TPM_Startup +command to it. SeaBIOS, for example, has been instrumented to initialize +a TPM 1.2 or TPM 2 device using this command. + + +QEMU files related to the TPM emulator device: + - hw/tpm/tpm_emulator.c + - hw/tpm/tpm_util.c + - hw/tpm/tpm_util.h + + +The following commands start the swtpm with a UnixIO control channel over +a socket interface. They do not need to be run as root. + +mkdir /tmp/mytpm1 +swtpm socket --tpmstate dir=/tmp/mytpm1 \ + --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \ + --log level=20 + +Command line to start QEMU with the TPM emulator device communicating with +the swtpm: + +qemu-system-x86_64 -display sdl -enable-kvm \ + -m 1024 -boot d -bios bios-256k.bin -boot menu=on \ + -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \ + -tpmdev emulator,id=tpm0,chardev=chrtpm \ + -device tpm-tis,tpmdev=tpm0 test.img + + +In case SeaBIOS is used as firmware, it should show the TPM menu item +after entering the menu with 'ESC'. + +Select boot device: +1. DVD/CD [ata1-0: QEMU DVD-ROM ATAPI-4 DVD/CD] +[...] +5. Legacy option rom + +t. TPM Configuration + + +The following commands should result in similar output inside the VM with a +Linux kernel that either has the TPM TIS driver built-in or available as a +module: + +#> dmesg | grep -i tpm +[ 0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1) + +#> dmesg | grep TCPA +[ 0.000000] ACPI: TCPA 0x0000000003FFD191C 000032 (v02 BOCHS \ + BXPCTCPA 0000001 BXPC 00000001) + +#> ls -l /dev/tpm* +crw-------. 1 root root 10, 224 Jul 11 10:11 /dev/tpm0 + +#> find /sys/devices/ | grep pcrs$ | xargs cat +PCR-00: 35 4E 3B CE 23 9F 38 59 ... +... +PCR-23: 00 00 00 00 00 00 00 00 ... -- cgit v1.2.1