From 4549a8b7ee3c47155c09582f31086f7d0ba61fc4 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Wed, 27 Feb 2013 12:47:53 -0500 Subject: Add a TPM Passthrough backend driver implementation This patch is based of off version 9 of Stefan Berger's patch series "QEMU Trusted Platform Module (TPM) integration" and adds a new backend driver for it. This patch adds a passthrough backend driver for passing commands sent to the emulated TPM device directly to a TPM device opened on the host machine. Thus it is possible to use a hardware TPM device in a system running on QEMU, providing the ability to access a TPM in a special state (e.g. after a Trusted Boot). This functionality is being used in the acTvSM Trusted Virtualization Platform which is available on [1]. Usage example: qemu-system-x86_64 -tpmdev passthrough,id=tpm0,path=/dev/tpm0 \ -device tpm-tis,tpmdev=tpm0 \ -cdrom test.iso -boot d Some notes about the host TPM: The TPM needs to be enabled and activated. If that's not the case one has to go through the BIOS/UEFI and enable and activate that TPM for TPM commands to work as expected. It may be necessary to boot the kernel using tpm_tis.force=1 in the boot command line or 'modprobe tpm_tis force=1' in case of using it as a module. Regards, Andreas Niederl, Stefan Berger [1] http://trustedjava.sourceforge.net/ Signed-off-by: Andreas Niederl Signed-off-by: Stefan Berger Reviewed-by: Corey Bryant Reviewed-by: Joel Schopp Message-id: 1361987275-26289-6-git-send-email-stefanb@linux.vnet.ibm.com Signed-off-by: Anthony Liguori --- qemu-options.hx | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) (limited to 'qemu-options.hx') diff --git a/qemu-options.hx b/qemu-options.hx index 291932faae..0be16b4d76 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -2221,7 +2221,8 @@ DEFHEADING() DEFHEADING(TPM device options:) DEF("tpmdev", HAS_ARG, QEMU_OPTION_tpmdev, \ - "-tpmdev [],id=str[,option][,option][,...]\n", + "-tpmdev passthrough,id=id[,path=path]\n" + " use path to provide path to a character device; default is /dev/tpm0\n", QEMU_ARCH_ALL) STEXI @@ -2231,6 +2232,7 @@ The general form of a TPM device option is: @item -tpmdev @var{backend} ,id=@var{id} [,@var{options}] @findex -tpmdev Backend type must be: +@option{passthrough}. The specific backend type will determine the applicable options. The @code{-tpmdev} option requires a @code{-device} option. @@ -2242,6 +2244,38 @@ Use 'help' to print all available TPM backend types. qemu -tpmdev help @end example +@item -tpmdev passthrough, id=@var{id}, path=@var{path} + +(Linux-host only) Enable access to the host's TPM using the passthrough +driver. + +@option{path} specifies the path to the host's TPM device, i.e., on +a Linux host this would be @code{/dev/tpm0}. +@option{path} is optional and by default @code{/dev/tpm0} is used. + +Some notes about using the host's TPM with the passthrough driver: + +The TPM device accessed by the passthrough driver must not be +used by any other application on the host. + +Since the host's firmware (BIOS/UEFI) has already initialized the TPM, +the VM's firmware (BIOS/UEFI) will not be able to initialize the +TPM again and may therefore not show a TPM-specific menu that would +otherwise allow the user to configure the TPM, e.g., allow the user to +enable/disable or activate/deactivate the TPM. +Further, if TPM ownership is released from within a VM then the host's TPM +will get disabled and deactivated. To enable and activate the +TPM again afterwards, the host has to be rebooted and the user is +required to enter the firmware's menu to enable and activate the TPM. +If the TPM is left disabled and/or deactivated most TPM commands will fail. + +To create a passthrough TPM use the following two options: +@example +-tpmdev passthrough,id=tpm0 -device tpm-tis,tpmdev=tpm0 +@end example +Note that the @code{-tpmdev} id is @code{tpm0} and is referenced by +@code{tpmdev=tpm0} in the device option. + @end table ETEXI -- cgit v1.2.1