From: Marc-André Lureau
To: qemu-devel@nongnu.org
Cc: Eduardo Habkost, "Michael S. Tsirkin", stefanb@linux.vnet.ibm.com, Marc-André Lureau, Igor Mammedov, Paolo Bonzini, Richard Henderson
Date: Thu, 6 Sep 2018 07:29:49 +0400
Message-Id: <20180906032949.13753-7-marcandre.lureau@redhat.com>
In-Reply-To: <20180906032949.13753-1-marcandre.lureau@redhat.com>
References: <20180906032949.13753-1-marcandre.lureau@redhat.com>
Subject: [Qemu-devel] [PATCH v11 6/6] tpm: add ACPI memory clear interface

This allows passing the last failing test from the Windows HLK TPM 2.0 TCG PPI 1.3 tests.

The interface is described in the "TCG Platform Reset Attack Mitigation Specification", chapter 6 "ACPI _DSM Function".

According to Laszlo, it's not so easy to implement in OVMF; he suggested doing it in qemu instead.
Signed-off-by: Marc-Andr=C3=A9 Lureau --- hw/tpm/tpm_ppi.h | 2 ++ hw/i386/acpi-build.c | 46 ++++++++++++++++++++++++++++++++++++++++++++ hw/tpm/tpm_crb.c | 1 + hw/tpm/tpm_ppi.c | 23 ++++++++++++++++++++++ hw/tpm/tpm_tis.c | 1 + docs/specs/tpm.txt | 2 ++ hw/tpm/trace-events | 3 +++ 7 files changed, 78 insertions(+) diff --git a/hw/tpm/tpm_ppi.h b/hw/tpm/tpm_ppi.h index c2ab2ed300..b8f67962c7 100644 --- a/hw/tpm/tpm_ppi.h +++ b/hw/tpm/tpm_ppi.h @@ -23,4 +23,6 @@ typedef struct TPMPPI { bool tpm_ppi_init(TPMPPI *tpmppi, struct MemoryRegion *m, hwaddr addr, Object *obj, Error **errp); =20 +void tpm_ppi_reset(TPMPPI *tpmppi); + #endif /* TPM_TPM_PPI_H */ diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c index c5e9a6e11d..2ab3e8fae7 100644 --- a/hw/i386/acpi-build.c +++ b/hw/i386/acpi-build.c @@ -1824,6 +1824,13 @@ build_tpm_ppi(TPMIf *tpm, Aml *dev) pprq =3D aml_name("PPRQ"); pprm =3D aml_name("PPRM"); =20 + aml_append(dev, + aml_operation_region("TPP3", AML_SYSTEM_MEMORY, + aml_int(TPM_PPI_ADDR_BASE + 0x15a), + 0x1)); + field =3D aml_field("TPP3", AML_BYTE_ACC, AML_NOLOCK, AML_PRESERVE); + aml_append(field, aml_named_field("MOVV", 8)); + aml_append(dev, field); /* * DerefOf in Windows is broken with SYSTEM_MEMORY. Use a dynamic * operation region inside of a method for getting FUNC[op]. 
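Review bot: the new TPP3 operation region hardcodes its offset as `TPM_PPI_ADDR_BASE + 0x15a`, and the same magic number reappears as `ptr[0x15a]` in the tpm_ppi.c hunk and as the `movv` row in the docs/specs/tpm.txt hunk; a named offset constant in tpm_ppi.h (a `TPM_PPI_MOVV`-style define, name suggested here) would keep the three in step and make the ACPI side and the reset handler demonstrably address the same byte. A one-line comment on the `MOVV` named field saying it carries the memory overwrite request would also help, since nothing in this hunk explains what the field is for.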
@@ -2166,7 +2173,46 @@ build_tpm_ppi(TPMIf *tpm, Aml *dev) aml_append(ifctx, aml_return(aml_buffer(1, zerobyte))); } aml_append(method, ifctx); + + ifctx =3D aml_if( + aml_equal(uuid, + aml_touuid("376054ED-CC13-4675-901C-4756D7F2D45D"))); + { + /* standard DSM query function */ + ifctx2 =3D aml_if(aml_equal(function, zero)); + { + uint8_t byte_list[1] =3D { 0x03 }; + aml_append(ifctx2, aml_return(aml_buffer(1, byte_list))); + } + aml_append(ifctx, ifctx2); + + /* + * TCG Platform Reset Attack Mitigation Specification 1.0 Ch.6 + * + * Arg 2 (Integer): Function Index =3D 1 + * Arg 3 (Package): Arguments =3D Package: Type: Integer + * Operation Value of the Request + * Returns: Type: Integer + * 0: Success + * 1: General Failure + */ + ifctx2 =3D aml_if(aml_equal(function, one)); + { + aml_append(ifctx2, + aml_store(aml_derefof(aml_index(arguments, zero= )), + op)); + { + aml_append(ifctx2, aml_store(op, aml_name("MOVV"))); + + /* 0: success */ + aml_append(ifctx2, aml_return(zero)); + } + } + aml_append(ifctx, ifctx2); + } + aml_append(method, ifctx); } + aml_append(dev, method); } =20 diff --git a/hw/tpm/tpm_crb.c b/hw/tpm/tpm_crb.c index b243222fd6..48f6a716ad 100644 --- a/hw/tpm/tpm_crb.c +++ b/hw/tpm/tpm_crb.c @@ -233,6 +233,7 @@ static void tpm_crb_reset(void *dev) { CRBState *s =3D CRB(dev); =20 + tpm_ppi_reset(&s->ppi); tpm_backend_reset(s->tpmbe); =20 memset(s->regs, 0, sizeof(s->regs)); diff --git a/hw/tpm/tpm_ppi.c b/hw/tpm/tpm_ppi.c index f2f07f895e..46ca8ea3ea 100644 --- a/hw/tpm/tpm_ppi.c +++ b/hw/tpm/tpm_ppi.c 
@@ -16,8 +16,30 @@ #include "qapi/error.h" #include "cpu.h" #include "sysemu/memory_mapping.h" +#include "sysemu/reset.h" #include "migration/vmstate.h" #include "tpm_ppi.h" +#include "trace.h" + +void tpm_ppi_reset(TPMPPI *tpmppi) +{ + char *ptr =3D memory_region_get_ram_ptr(&tpmppi->ram); + + if (ptr[0x15a] & 0x1) { + GuestPhysBlockList guest_phys_blocks; + GuestPhysBlock *block; + + guest_phys_blocks_init(&guest_phys_blocks); + guest_phys_blocks_append(&guest_phys_blocks); + QTAILQ_FOREACH(block, &guest_phys_blocks.head, next) { + trace_tpm_ppi_memset(block->host_addr, + block->target_end - block->target_start); + memset(block->host_addr, 0, + block->target_end - block->target_start); + } + guest_phys_blocks_free(&guest_phys_blocks); + } +} =20 bool tpm_ppi_init(TPMPPI *tpmppi, struct MemoryRegion *m, hwaddr addr, Object *obj, Error **errp) @@ -28,5 +50,6 @@ bool tpm_ppi_init(TPMPPI *tpmppi, struct MemoryRegion *m, vmstate_register_ram(&tpmppi->ram, DEVICE(obj)); =20 memory_region_add_subregion(m, addr, &tpmppi->ram); + return true; } diff --git a/hw/tpm/tpm_tis.c b/hw/tpm/tpm_tis.c index 70432ffe8b..d9bfa956cc 100644 --- a/hw/tpm/tpm_tis.c +++ b/hw/tpm/tpm_tis.c @@ -868,6 +868,7 @@ static void tpm_tis_reset(DeviceState *dev) s->be_buffer_size =3D MIN(tpm_backend_get_buffer_size(s->be_driver), TPM_TIS_BUFFER_MAX); =20 + tpm_ppi_reset(&s->ppi); tpm_backend_reset(s->be_driver); =20 s->active_locty =3D TPM_TIS_NO_LOCALITY; diff --git a/docs/specs/tpm.txt b/docs/specs/tpm.txt index 332c2ae597..ce9bda3c89 100644 --- a/docs/specs/tpm.txt +++ b/docs/specs/tpm.txt 
@@ -121,6 +121,8 @@ layout: +----------+--------+--------+-------------------------------------------+ | next_step| 0x1 | 0x159 | Operation to execute after reboot by | | | | | firmware. Used by firmware. | + +----------+--------+--------+-------------------------------------------+ + | movv | 0x1 | 0x15a | Memory overwrite variable | +----------+--------+--------+-------------------------------------------+ =20 The following values are supported for the 'func' field. They correspond diff --git a/hw/tpm/trace-events b/hw/tpm/trace-events index 25bee0cecf..920d32ad55 100644 --- a/hw/tpm/trace-events +++ b/hw/tpm/trace-events @@ -51,3 +51,6 @@ tpm_tis_mmio_write_init_abort(void) "Initiating abort" tpm_tis_mmio_write_lowering_irq(void) "Lowering IRQ" tpm_tis_mmio_write_data2send(uint32_t value, unsigned size) "Data to send = to TPM: 0x%08x (size=3D%d)" tpm_tis_pre_save(uint8_t locty, uint32_t rw_offset) "locty: %d, rw_offset = =3D %u" + +# hw/tpm/tpm_ppi.c +tpm_ppi_memset(uint8_t *ptr, size_t size) "memset: %p %zu" --=20 2.19.0.rc1
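Review bot: in the function-1 branch of the new `376054ED-CC13-4675-901C-4756D7F2D45D` _DSM handler, the whole Arg3 integer is stored into the 8-bit `MOVV` field and the method then unconditionally returns zero, so an out-of-range operation value is silently truncated and reported as success while the `1: General Failure` return documented in the comment block is never produced; masking or range-checking the value before `aml_store(op, aml_name("MOVV"))` and returning one otherwise would match the spec text quoted in the hunk. Two smaller points on the same hunk: the `aml_append(dev, method);` line added at its end has no matching removal anywhere in the patch (the diffstat reports 78 insertions and no deletions), so please confirm the method was not already appended to `dev` elsewhere, and the extra brace block wrapped around the `MOVV` store is plain C scoping that mirrors no AML nesting and can be dropped.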
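Review bot: `tpm_ppi_reset(&s->ppi)` is placed ahead of `tpm_backend_reset` in `tpm_crb_reset`, which is fine, but the identical call is also added to `tpm_tis_reset` with no comment at either site; a short comment at one of them saying that the device reset handler is where the guest's memory overwrite request is honoured would spare the next reader a trip to tpm_ppi.c to find out why a TPM front-end reset touches all of guest RAM.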
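Review bot: `tpm_ppi_reset` zeroes every block returned by `guest_phys_blocks_append`, and because the PPI region is itself registered RAM (`vmstate_register_ram(&tpmppi->ram, ...)` in the following hunk), the wipe appears to cover the PPI memory too, which would clear the `func`, `next_step` and `MOVV` bytes along with the guest's secrets; if that is intended, a comment saying so would stop it being read as an oversight, and if not, that region needs to be skipped. Two further points: the memset of all guest RAM runs synchronously inside the reset handler, so reset latency on large guests will grow noticeably and a trace point before and after the loop (the per-block `tpm_ppi_memset` trace already exists) would make the stall visible to operators; and the handler tests only bit 0 (`ptr[0x15a] & 0x1`) while the _DSM stores the full operation value, so the meaning of the remaining bits, if any, should be stated where the byte is documented.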
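Review bot: the `return true;` added at the end of `tpm_ppi_init` fixes a `bool` function that previously fell off its end without returning a value (undefined behaviour, so a caller testing the result could have seen garbage), which is unrelated to the memory clear interface; it belongs in its own one-line patch so it can be bisected and backported independently, and if it stays here the commit message should at least mention it.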
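Review bot: the new `movv` row in docs/specs/tpm.txt describes the byte only as "Memory overwrite variable"; the table should say what the bits mean and who writes them (bit 0 set by the guest OS through the new _DSM function 1 asks QEMU to clear guest memory at the next reset, judging by `tpm_ppi_reset`), and the text should also document the new _DSM UUID `376054ED-CC13-4675-901C-4756D7F2D45D` and its two functions, since this file is where the PPI interface between firmware, guest OS and QEMU is spelled out.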
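Review bot: the new `tpm_ppi_memset(uint8_t *ptr, size_t size)` trace prints the host pointer of each RAM block being wiped; a host address tells the reader little about which guest range was cleared and puts host memory layout into trace output, so logging `block->target_start` alongside the size (or in addition to the pointer) would be more useful for anyone verifying that the whole guest physical space was covered.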