From nobody Tue Nov 4 21:41:04 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1530713828518438.6176374257824; Wed, 4 Jul 2018 07:17:08 -0700 (PDT) Received: from localhost ([::1]:47418 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1faiad-0006g5-Lr for importer@patchew.org; Wed, 04 Jul 2018 10:17:03 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:36813) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1faiYY-0005PB-Au for qemu-devel@nongnu.org; Wed, 04 Jul 2018 10:14:55 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1faiYV-00062S-JU for qemu-devel@nongnu.org; Wed, 04 Jul 2018 10:14:54 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:57406 helo=mx1.redhat.com) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1faiYV-00062L-F7 for qemu-devel@nongnu.org; Wed, 04 Jul 2018 10:14:51 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 1297B87929; Wed, 4 Jul 2018 14:14:51 +0000 (UTC) Received: from localhost (ovpn-112-61.ams2.redhat.com [10.36.112.61]) by smtp.corp.redhat.com (Postfix) with ESMTP id 97BD02026D76; Wed, 4 Jul 2018 14:14:50 +0000 (UTC) From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= To: qemu-devel@nongnu.org Date: Wed, 4 Jul 2018 16:14:33 +0200 Message-Id: <20180704141433.498-6-marcandre.lureau@redhat.com> In-Reply-To: <20180704141433.498-1-marcandre.lureau@redhat.com> References: <20180704141433.498-1-marcandre.lureau@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Wed, 04 Jul 2018 14:14:51 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Wed, 04 Jul 2018 14:14:51 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'marcandre.lureau@redhat.com' RCPT:'' Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 66.187.233.73 Subject: [Qemu-devel] [PATCH v7 5/5] PoC: tpm: add ACPI memory clear interface X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Eduardo Habkost , "Michael S. Tsirkin" , stefanb@linux.vnet.ibm.com, =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= , Igor Mammedov , Paolo Bonzini , Richard Henderson Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" This allows to pass the last failing test from the Windows HLK TPM 2.0 TCG PPI 1.3 tests. The interface is described in the "TCG Platform Reset Attack Mitigation Specification", chapter 6 "ACPI _DSM Function". According to Laszlo, it's not so easy to implement in OVMF, he suggested to do it in qemu instead. It is relatively simple to implement in QEMU, but make this a proof-of-concept PATCH for discussion, since this is not a conventional approach. Signed-off-by: Marc-Andr=C3=A9 Lureau --- hw/i386/acpi-build.c | 47 ++++++++++++++++++++++++++++++++++++++++++++ hw/tpm/tpm_ppi.c | 25 +++++++++++++++++++++++ docs/specs/tpm.txt | 2 ++ hw/tpm/trace-events | 3 +++ 4 files changed, 77 insertions(+) diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c index 8cdfcec935..c96ae4bdf9 100644 --- a/hw/i386/acpi-build.c +++ b/hw/i386/acpi-build.c @@ -1835,6 +1835,13 @@ build_tpm_ppi(TPMIf *tpm, Aml *dev) pprq =3D aml_name("PPRQ"); pprm =3D aml_name("PPRM"); =20 + aml_append(dev, + aml_operation_region("TPP3", AML_SYSTEM_MEMORY, + aml_int(TPM_PPI_ADDR_BASE + 0x200), + 0x1)); + field =3D aml_field("TPP3", AML_ANY_ACC, AML_NOLOCK, AML_PRESERVE); + aml_append(field, aml_named_field("MOVV", 8)); + aml_append(dev, field); /* * A function to return the value of DerefOf (FUNC [N]), by using * accessing the fields individually instead. This is a workaround @@ -2174,7 +2181,47 @@ build_tpm_ppi(TPMIf *tpm, Aml *dev) aml_append(ifctx, aml_return(aml_buffer(1, zerobyte))); } aml_append(method, ifctx); + + ifctx =3D aml_if( + aml_equal(uuid, + aml_touuid("376054ED-CC13-4675-901C-4756D7F2D45D"))); + { + /* standard DSM query function */ + ifctx2 =3D aml_if(aml_equal(function, aml_int(0))); + { + uint8_t byte_list[1] =3D { 0x03 }; + aml_append(ifctx2, aml_return(aml_buffer(1, byte_list))); + } + aml_append(ifctx, ifctx2); + + /* + * TCG Platform Reset Attack Mitigation Specification 1.0 Ch.6 + * + * Arg 2 (Integer): Function Index =3D 1 + * Arg 3 (Package): Arguments =3D Package: Type: Integer + * Operation Value of the Request + * Returns: Type: Integer + * 0: Success + * 1: General Failure + */ + ifctx2 =3D aml_if(aml_equal(function, aml_int(1))); + { + op =3D aml_local(0); + aml_append(ifctx2, + aml_store(aml_derefof(aml_index(arguments, + aml_int(0))), o= p)); + { + aml_append(ifctx2, aml_store(op, aml_name("MOVV"))); + + /* 0: success */ + aml_append(ifctx2, aml_return(aml_int(0))); + } + } + aml_append(ifctx, ifctx2); + } + aml_append(method, ifctx); } + aml_append(dev, method); } =20 diff --git a/hw/tpm/tpm_ppi.c b/hw/tpm/tpm_ppi.c index 8b46b9dd4b..64e8d828e8 100644 --- a/hw/tpm/tpm_ppi.c +++ b/hw/tpm/tpm_ppi.c @@ -16,8 +16,31 @@ #include "qapi/error.h" #include "cpu.h" #include "sysemu/memory_mapping.h" +#include "sysemu/reset.h" #include "migration/vmstate.h" #include "tpm_ppi.h" +#include "trace.h" + +static void tpm_ppi_reset(void *opaque) +{ + TPMPPI *tpmppi =3D opaque; + char *ptr =3D memory_region_get_ram_ptr(&tpmppi->ram); + + if (ptr[0x200] & 0x1) { + GuestPhysBlockList guest_phys_blocks; + GuestPhysBlock *block; + + guest_phys_blocks_init(&guest_phys_blocks); + guest_phys_blocks_append(&guest_phys_blocks); + QTAILQ_FOREACH(block, &guest_phys_blocks.head, next) { + trace_tpm_ppi_memset(block->host_addr, + block->target_end - block->target_start); + memset(block->host_addr, 0, + block->target_end - block->target_start); + } + guest_phys_blocks_free(&guest_phys_blocks); + } +} =20 bool tpm_ppi_init(TPMPPI *tpmppi, struct MemoryRegion *m, hwaddr addr, Object *obj, Error **errp) @@ -27,5 +50,7 @@ bool tpm_ppi_init(TPMPPI *tpmppi, struct MemoryRegion *m, vmstate_register_ram(&tpmppi->ram, DEVICE(obj)); =20 memory_region_add_subregion(m, addr, &tpmppi->ram); + qemu_register_reset(tpm_ppi_reset, tpmppi); + return true; } diff --git a/docs/specs/tpm.txt b/docs/specs/tpm.txt index 625f48f0c8..f1d3aded1b 100644 --- a/docs/specs/tpm.txt +++ b/docs/specs/tpm.txt @@ -121,6 +121,8 @@ layout: +----------+--------+--------+-------------------------------------------+ | next_step| 0x1 | 0x159 | Operation to execute after reboot by | | | | | firmware. Used by firmware. | + +----------+--------+--------+-------------------------------------------+ + | movv | 0x1 | 0x200 | Memory overwrite variable | +----------+--------+--------+-------------------------------------------+ =20 The following values are supported for the 'func' field. They correspond diff --git a/hw/tpm/trace-events b/hw/tpm/trace-events index 25bee0cecf..920d32ad55 100644 --- a/hw/tpm/trace-events +++ b/hw/tpm/trace-events @@ -51,3 +51,6 @@ tpm_tis_mmio_write_init_abort(void) "Initiating abort" tpm_tis_mmio_write_lowering_irq(void) "Lowering IRQ" tpm_tis_mmio_write_data2send(uint32_t value, unsigned size) "Data to send = to TPM: 0x%08x (size=3D%d)" tpm_tis_pre_save(uint8_t locty, uint32_t rw_offset) "locty: %d, rw_offset = =3D %u" + +# hw/tpm/tpm_ppi.c +tpm_ppi_memset(uint8_t *ptr, size_t size) "memset: %p %zu" --=20 2.18.0.rc1