MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c | 18 +-- MdeModulePkg/Core/Pei/Image/Image.c | 4 +- MdeModulePkg/Core/Pei/PeiMain.h | 2 +- MdeModulePkg/Core/Pei/PeiMain/PeiMain.c | 2 +- OvmfPkg/OvmfPkgIa32.dsc | 6 +- OvmfPkg/OvmfPkgIa32X64.dsc | 6 +- OvmfPkg/OvmfPkgX64.dsc | 49 ++++++- OvmfPkg/OvmfPkgX64.fdf | 9 ++ OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf | 57 ++++++++ OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeim.c | 124 ++++++++++++++++++ OvmfPkg/Tcg/Tcg2Config/TpmDetection.c | 46 +++++++ .../HashLibBaseCryptoRouterPei.c | 1 + SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf | 1 - 13 files changed, 299 insertions(+), 26 deletions(-) create mode 100644 OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf create mode 100644 OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeim.c create mode 100644 OvmfPkg/Tcg/Tcg2Config/TpmDetection.c
From: Marc-André Lureau <marcandre.lureau@redhat.com> Hi, The following series adds basic TPM2 support for OVMF-on-QEMU (I haven't tested TPM1, for lack of interest). It links with the modules to initializes the device in PEI phase, and do measurements (both PEI and DXE). The Tcg2Dxe module provides the Tcg2 protocol which allows the guest to access the measurement log and other facilities. DxeTpm2MeasureBootLib seems to do its job at measuring images that are not measured in PEI phase (such as PCI PXE rom) Tcg2ConfigDxe is not included due to its integration with edk2 own PPI implementation which conflicts with qemu design. PPI design is still being discussed & experimented at this point. Linux guests seem to work fine. But windows guest generally complains about the lack of PPI interface (most HLK tests require it, tpm.msc admin interactions too). I haven't done "real" use-cases tests, as I lack experience with TPM usage. Any help appreciated to test the TPM. I build edk2 with: $ build -DTPM2_ENABLE -DSECURE_BOOT_ENABLE -DMEM_VARSTORE_EMU_ENABLE=FALSE I test with qemu & swtpm/libtpms (tpm2 branches, swtpm_setup.sh --tpm2 --tpm-state tpmstatedir) $ swtpm socket --tpmstate tpmstatedir --ctrl type=unixio,path=tpmsock --tpm2 & $ qemu .. -chardev socket,id=chrtpm,path=tpmsock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-crb,tpmdev=tpm0 Thanks Github tree: https://github.com/elmarco/edk2/tree/tpm2 (tpm2-v2 tag) Related bug: https://bugzilla.tianocore.org/show_bug.cgi?id=594 v2: - the series can now be applied to master directly, thanks to dropping PeiReadOnlyVariable requirement - remove the HOB list workaround, the main fix is now upstream. Add a preliminary patch to complete it. - removed traces of TPM1.2 support - add own OvmfPkg Tcg2ConfigPei, which performs only TPM2 detection - make PcdTpmInstanceGuid default all-bits-zero - drop unneeded Pcd values - explain why SHA1 is still nice to have (for 1.2 log format) - drop Tcg2ConfigDxe - more detailed commit messages, thanks to Laszlo explanations! - rebased TODO: - modify Ia32 and Ia32X64 builds Marc-André Lureau (8): SecurityPkg: also clear HashInterfaceHob.SupportedHashMask SecurityPkg/Tcg2Pei: drop PeiReadOnlyVariable from Depex MdeModulePkg: fix REGISITER -> REGISTER ovmf: simplify SecurityStubDxe.inf inclusion ovmf: add OvmfPkg Tcg2ConfigPei module ovmf: link with Tcg2Pei module ovmf: link with Tcg2Dxe module ovmf: add DxeTpm2MeasureBootLib MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c | 18 +-- MdeModulePkg/Core/Pei/Image/Image.c | 4 +- MdeModulePkg/Core/Pei/PeiMain.h | 2 +- MdeModulePkg/Core/Pei/PeiMain/PeiMain.c | 2 +- OvmfPkg/OvmfPkgIa32.dsc | 6 +- OvmfPkg/OvmfPkgIa32X64.dsc | 6 +- OvmfPkg/OvmfPkgX64.dsc | 49 ++++++- OvmfPkg/OvmfPkgX64.fdf | 9 ++ OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf | 57 ++++++++ OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeim.c | 124 ++++++++++++++++++ OvmfPkg/Tcg/Tcg2Config/TpmDetection.c | 46 +++++++ .../HashLibBaseCryptoRouterPei.c | 1 + SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf | 1 - 13 files changed, 299 insertions(+), 26 deletions(-) create mode 100644 OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf create mode 100644 OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeim.c create mode 100644 OvmfPkg/Tcg/Tcg2Config/TpmDetection.c -- 2.16.2.346.g9779355e34 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
Hi Marcandre, > I test with qemu & swtpm/libtpms (tpm2 branches, swtpm_setup.sh --tpm2 --tpm-state tpmstatedir) > $ swtpm socket --tpmstate tpmstatedir --ctrl type=unixio,path=tpmsock --tpm2 & Where is the swtpm_setup.sh? And could you tell how to build & install the swtpm? Thanks Steven Shi _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
Hi On Thu, Mar 8, 2018 at 1:31 PM, Shi, Steven <steven.shi@intel.com> wrote: > Hi Marcandre, >> I test with qemu & swtpm/libtpms (tpm2 branches, swtpm_setup.sh --tpm2 --tpm-state tpmstatedir) >> $ swtpm socket --tpmstate tpmstatedir --ctrl type=unixio,path=tpmsock --tpm2 & > > Where is the swtpm_setup.sh? And could you tell how to build & install the swtpm? > You need to compile & install libtpms & swtpm : git clone -b tpm2-preview.rev146.v2 https://github.com/stefanberger/libtpms cd libtpms autoreconf -vfi && ./configure --with-tpm2 --with-openssl && make install git clone -b tpm2-preview.v2 https://github.com/stefanberger/swtpm cd swtpm autoreconf -vfi && ./configure --with-openssl && make install Then you can run: mkdir tpmstatedir swtpm_setup.sh --tpm2 --tpm-state tpmstatedir Run the emulator: swtpm socket --tpmstate dir=tpmstatedir --ctrl type=unixio,path=tpmemu.sock --tpm2 Run qemu (from git) with ovmf (with this series): qemu ... -chardev socket,id=chrtpm,path=tpmemu.sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-crb,tpmdev=tpm0 -drive if=pflash,format=raw,file=OVMF_CODE.fd,readonly -drive if=pflash,format=raw,file=OVMF_VARS.fd .. cheers -- Marc-André Lureau _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
Hi Marcandre, Thanks for your command steps and I tried them, but my qemu failed to connect the socket tpmemu.sock. When I added the control channel to the TPM, the swtpm socket command stuck there and never exit. Not sure whether it was successful. Below are the command steps running output in my side > Then you can run: > mkdir tpmstatedir > swtpm_setup.sh --tpm2 --tpm-state tpmstatedir $ swtpm_setup.sh --tpm2 --tpm-state tpmstatedir Starting vTPM manufacturing as jshi19:jshi19 @ 2018年03月09日 星期五 10时28分39秒 TPM is listening on TCP port 47364. Successfully authored TPM state. Ending vTPM manufacturing @ 2018年03月09日 星期五 10时28分39秒 > Run the emulator: > swtpm socket --tpmstate dir=tpmstatedir --ctrl type=unixio,path=tpmemu.sock --tpm2 $ swtpm socket --tpmstate dir=tpmstatedir --ctrl type=unixio,path=tpmemu.sock --tpm2 (the swtpm socket command stuck there and never exit) > Run qemu (from git) with ovmf (with this series): > qemu ... -chardev socket,id=chrtpm,path=tpmemu.sock -tpmdev > emulator,id=tpm0,chardev=chrtpm -device tpm-crb,tpmdev=tpm0 > -drive if=pflash,format=raw,file=OVMF_CODE.fd,readonly -drive > if=pflash,format=raw,file=OVMF_VARS.fd .. $ qemu-system-x86_64 -serial file:serial.log -m 5120 -hda fat:. -monitor stdio --enable-kvm -smp 4 -bios ../Ovmf3264/NOOPT_GCC5/FV/OVMF.fd -chardev socket,id=chrtpm,path=tpmemu.sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-crb,tpmdev=tpm0 qemu-system-x86_64: -chardev socket,id=chrtpm,path=tpmemu.sock: Failed to connect socket tpmemu.sock: No such file or directory I use the latest version qemu as below: $ qemu-system-x86_64 --version QEMU emulator version 2.11.50 (v2.10.0-4184-g930b01138b-dirty) Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers Thanks Steven Shi _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
On 03/08/2018 10:03 PM, Shi, Steven wrote: > Hi Marcandre, > Thanks for your command steps and I tried them, but my qemu failed to connect the socket tpmemu.sock. When I added the control channel to the TPM, the swtpm socket command stuck there and never exit. Not sure whether it was successful. > Below are the command steps running output in my side > >> Then you can run: >> mkdir tpmstatedir >> swtpm_setup.sh --tpm2 --tpm-state tpmstatedir > $ swtpm_setup.sh --tpm2 --tpm-state tpmstatedir > Starting vTPM manufacturing as jshi19:jshi19 @ 2018年03月09日 星期五 10时28分39秒 > TPM is listening on TCP port 47364. > Successfully authored TPM state. > Ending vTPM manufacturing @ 2018年03月09日 星期五 10时28分39秒 > >> Run the emulator: >> swtpm socket --tpmstate dir=tpmstatedir --ctrl type=unixio,path=tpmemu.sock --tpm2 > $ swtpm socket --tpmstate dir=tpmstatedir --ctrl type=unixio,path=tpmemu.sock --tpm2 > (the swtpm socket command stuck there and never exit) > >> Run qemu (from git) with ovmf (with this series): >> qemu ... -chardev socket,id=chrtpm,path=tpmemu.sock -tpmdev >> emulator,id=tpm0,chardev=chrtpm -device tpm-crb,tpmdev=tpm0 >> -drive if=pflash,format=raw,file=OVMF_CODE.fd,readonly -drive >> if=pflash,format=raw,file=OVMF_VARS.fd .. > $ qemu-system-x86_64 -serial file:serial.log -m 5120 -hda fat:. -monitor stdio --enable-kvm -smp 4 -bios ../Ovmf3264/NOOPT_GCC5/FV/OVMF.fd -chardev socket,id=chrtpm,path=tpmemu.sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-crb,tpmdev=tpm0 > qemu-system-x86_64: -chardev socket,id=chrtpm,path=tpmemu.sock: Failed to connect socket tpmemu.sock: No such file or directory Try giving it both, swtpm and qemu, the full path to the socket. > > I use the latest version qemu as below: > $ qemu-system-x86_64 --version > QEMU emulator version 2.11.50 (v2.10.0-4184-g930b01138b-dirty) > Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers > > Thanks > Steven Shi > _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
It works in my side after specify the full path to swtpm tpmemu.sock in qemu command options. Thanks! Steven Shi Intel\SSG\STO\UEFI Firmware Tel: +86 021-61166522 iNet: 821-6522 > -----Original Message----- > From: Stefan Berger [mailto:stefanb@linux.vnet.ibm.com] > Sent: Friday, March 9, 2018 9:54 PM > To: Shi, Steven <steven.shi@intel.com>; Marc-André Lureau > <marcandre.lureau@gmail.com> > Cc: edk2-devel@lists.01.org; lersek@redhat.com; pjones@redhat.com; Yao, > Jiewen <jiewen.yao@intel.com>; qemu-devel@nongnu.org; > javierm@redhat.com > Subject: Re: [edk2] [PATCH v2 0/8] RFC: ovmf: preliminary TPM2 support > > On 03/08/2018 10:03 PM, Shi, Steven wrote: > > Hi Marcandre, > > Thanks for your command steps and I tried them, but my qemu failed to > connect the socket tpmemu.sock. When I added the control channel to the > TPM, the swtpm socket command stuck there and never exit. Not sure > whether it was successful. > > Below are the command steps running output in my side > > > >> Then you can run: > >> mkdir tpmstatedir > >> swtpm_setup.sh --tpm2 --tpm-state tpmstatedir > > $ swtpm_setup.sh --tpm2 --tpm-state tpmstatedir > > Starting vTPM manufacturing as jshi19:jshi19 @ 2018年03月09日 星期 > 五 10时28分39秒 > > TPM is listening on TCP port 47364. > > Successfully authored TPM state. > > Ending vTPM manufacturing @ 2018年03月09日 星期五 10时28分39 > 秒 > > > >> Run the emulator: > >> swtpm socket --tpmstate dir=tpmstatedir --ctrl > type=unixio,path=tpmemu.sock --tpm2 > > $ swtpm socket --tpmstate dir=tpmstatedir --ctrl > type=unixio,path=tpmemu.sock --tpm2 > > (the swtpm socket command stuck there and never exit) > > > >> Run qemu (from git) with ovmf (with this series): > >> qemu ... -chardev socket,id=chrtpm,path=tpmemu.sock -tpmdev > >> emulator,id=tpm0,chardev=chrtpm -device tpm-crb,tpmdev=tpm0 > >> -drive if=pflash,format=raw,file=OVMF_CODE.fd,readonly -drive > >> if=pflash,format=raw,file=OVMF_VARS.fd .. > > $ qemu-system-x86_64 -serial file:serial.log -m 5120 -hda fat:. -monitor > stdio --enable-kvm -smp 4 -bios ../Ovmf3264/NOOPT_GCC5/FV/OVMF.fd - > chardev socket,id=chrtpm,path=tpmemu.sock -tpmdev > emulator,id=tpm0,chardev=chrtpm -device tpm-crb,tpmdev=tpm0 > > qemu-system-x86_64: -chardev socket,id=chrtpm,path=tpmemu.sock: > Failed to connect socket tpmemu.sock: No such file or directory > > Try giving it both, swtpm and qemu, the full path to the socket. > > > > > > I use the latest version qemu as below: > > $ qemu-system-x86_64 --version > > QEMU emulator version 2.11.50 (v2.10.0-4184-g930b01138b-dirty) > > Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers > > > > Thanks > > Steven Shi > > _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
© 2016 - 2024 Red Hat, Inc.