Update the TPM documentation for usage of a TPM 2 rather than a TPM 1.2.
Adjust the command lines and expected outputs inside the VM accordingly.
Update the command line to start a TPM 2 with swtpm.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
docs/specs/tpm.rst | 44 ++++++++++++++++++++++++--------------------
1 file changed, 24 insertions(+), 20 deletions(-)
diff --git a/docs/specs/tpm.rst b/docs/specs/tpm.rst
index 3be190343a..535912a92b 100644
--- a/docs/specs/tpm.rst
+++ b/docs/specs/tpm.rst
@@ -250,24 +250,25 @@ hardware TPM ``/dev/tpm0``:
The following commands should result in similar output inside the VM
with a Linux kernel that either has the TPM TIS driver built-in or
-available as a module:
+available as a module (assuming a TPM 2 is passed through):
.. code-block:: console
# dmesg | grep -i tpm
- [ 0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1)
-
- # dmesg | grep TCPA
- [ 0.000000] ACPI: TCPA 0x0000000003FFD191C 000032 (v02 BOCHS \
- BXPCTCPA 0000001 BXPC 00000001)
+ [ 0.012560] ACPI: TPM2 0x000000000BFFD1900 00004C (v04 BOCHS \
+ BXPC 0000001 BXPC 00000001)
# ls -l /dev/tpm*
- crw-------. 1 root root 10, 224 Jul 11 10:11 /dev/tpm0
+ crw-rw----. 1 tss root 10, 224 Sep 6 12:36 /dev/tpm0
+ crw-rw----. 1 tss rss 253, 65536 Sep 6 12:36 /dev/tpmrm0
- # find /sys/devices/ | grep pcrs$ | xargs cat
- PCR-00: 35 4E 3B CE 23 9F 38 59 ...
+ Starting with Linux 5.12 there are PCR entries for TPM 2 in sysfs:
+ # find /sys/devices/ -type f | grep pcr-sha
+ ...
+ /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/1
+ ...
+ /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/9
...
- PCR-23: 00 00 00 00 00 00 00 00 ...
The QEMU TPM emulator device
----------------------------
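Review bot: In the added `ls -l /dev/tpm*` output, the `/dev/tpmrm0` line shows group `rss` (`crw-rw----. 1 tss rss 253, 65536 ...`), which looks like a typo for `tss`, the owner shown on both device lines. Readers compare this listing against their own VM to see which account can reach the TPM, so please paste the actual guest output or correct the group, and confirm that `tss root` on `/dev/tpm0` is what the guest really reported.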
@@ -304,6 +305,7 @@ a socket interface. They do not need to be run as root.
mkdir /tmp/mytpm1
swtpm socket --tpmstate dir=/tmp/mytpm1 \
--ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \
+ --tpm2 \
--log level=20
Command line to start QEMU with the TPM emulator device communicating
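Review bot: The added `--tpm2 \` line is what makes swtpm start a TPM 2, per the commit message, but nothing in the text visible around this command says so. A short sentence before the command stating that `--tpm2` selects a TPM 2, and that the expected guest output further down assumes it, would keep the command and the documented output from drifting apart if a reader drops the flag.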
@@ -365,19 +367,20 @@ available as a module:
.. code-block:: console
# dmesg | grep -i tpm
- [ 0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1)
-
- # dmesg | grep TCPA
- [ 0.000000] ACPI: TCPA 0x0000000003FFD191C 000032 (v02 BOCHS \
- BXPCTCPA 0000001 BXPC 00000001)
+ [ 0.012560] ACPI: TPM2 0x000000000BFFD1900 00004C (v04 BOCHS \
+ BXPC 0000001 BXPC 00000001)
# ls -l /dev/tpm*
- crw-------. 1 root root 10, 224 Jul 11 10:11 /dev/tpm0
+ crw-rw----. 1 tss root 10, 224 Sep 6 12:36 /dev/tpm0
+ crw-rw----. 1 tss rss 253, 65536 Sep 6 12:36 /dev/tpmrm0
- # find /sys/devices/ | grep pcrs$ | xargs cat
- PCR-00: 35 4E 3B CE 23 9F 38 59 ...
+ Starting with Linux 5.12 there are PCR entries for TPM 2 in sysfs:
+ # find /sys/devices/ -type f | grep pcr-sha
+ ...
+ /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/1
+ ...
+ /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/9
...
- PCR-23: 00 00 00 00 00 00 00 00 ...
Migration with the TPM emulator
===============================
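Review bot: The added line `Starting with Linux 5.12 there are PCR entries for TPM 2 in sysfs:` sits inside the `.. code-block:: console` block without a `#` prompt, so it will render as if it were command output; move it into the prose above the block. The replacement `find /sys/devices/ -type f | grep pcr-sha` also only lists file paths, whereas the removed `find ... | xargs cat` example printed PCR values, so consider adding a `cat` of one `pcr-sha256/N` file so readers can still confirm that measurements are present. Both points apply equally to the identical passthrough hunk earlier in this patch, and the `tss rss` group on the `/dev/tpmrm0` line here has the same probable typo.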
@@ -398,7 +401,8 @@ In a 1st terminal start an instance of a swtpm using the following command:
mkdir /tmp/mytpm1
swtpm socket --tpmstate dir=/tmp/mytpm1 \
--ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \
- --log level=20 --tpm2
+ --tpm2 \
+ --log level=20
In a 2nd terminal start the VM:
--
2.37.2
On 27/09/2022 at 14:21, Stefan Berger wrote: > Update the TPM documentation for usage of a TPM 2 rather than a TPM 1.2. > Adjust the command lines and expected outputs inside the VM accordingly. > Update the command line to start a TPM 2 with swtpm. > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > --- > docs/specs/tpm.rst | 44 ++++++++++++++++++++++++-------------------- > 1 file changed, 24 insertions(+), 20 deletions(-) > > diff --git a/docs/specs/tpm.rst b/docs/specs/tpm.rst > index 3be190343a..535912a92b 100644 > --- a/docs/specs/tpm.rst > +++ b/docs/specs/tpm.rst > @@ -250,24 +250,25 @@ hardware TPM ``/dev/tpm0``: > > The following commands should result in similar output inside the VM > with a Linux kernel that either has the TPM TIS driver built-in or > -available as a module: > +available as a module (assuming a TPM 2 is passed through): > > .. code-block:: console > > # dmesg | grep -i tpm > - [ 0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1) > - > - # dmesg | grep TCPA > - [ 0.000000] ACPI: TCPA 0x0000000003FFD191C 000032 (v02 BOCHS \ > - BXPCTCPA 0000001 BXPC 00000001) > + [ 0.012560] ACPI: TPM2 0x000000000BFFD1900 00004C (v04 BOCHS \ > + BXPC 0000001 BXPC 00000001) > > # ls -l /dev/tpm* > - crw-------. 1 root root 10, 224 Jul 11 10:11 /dev/tpm0 > + crw-rw----. 1 tss root 10, 224 Sep 6 12:36 /dev/tpm0 > + crw-rw----. 1 tss rss 253, 65536 Sep 6 12:36 /dev/tpmrm0 > > - # find /sys/devices/ | grep pcrs$ | xargs cat > - PCR-00: 35 4E 3B CE 23 9F 38 59 ... > + Starting with Linux 5.12 there are PCR entries for TPM 2 in sysfs: > + # find /sys/devices/ -type f | grep pcr-sha > + ... > + /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/1 > + ... > + /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/9 > ... > - PCR-23: 00 00 00 00 00 00 00 00 ... > > The QEMU TPM emulator device > ---------------------------- 
> @@ -304,6 +305,7 @@ a socket interface. They do not need to be run as root. > mkdir /tmp/mytpm1 > swtpm socket --tpmstate dir=/tmp/mytpm1 \ > --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \ > + --tpm2 \ > --log level=20 > > Command line to start QEMU with the TPM emulator device communicating > @@ -365,19 +367,20 @@ available as a module: > .. code-block:: console > > # dmesg | grep -i tpm > - [ 0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1) > - > - # dmesg | grep TCPA > - [ 0.000000] ACPI: TCPA 0x0000000003FFD191C 000032 (v02 BOCHS \ > - BXPCTCPA 0000001 BXPC 00000001) > + [ 0.012560] ACPI: TPM2 0x000000000BFFD1900 00004C (v04 BOCHS \ > + BXPC 0000001 BXPC 00000001) > > # ls -l /dev/tpm* > - crw-------. 1 root root 10, 224 Jul 11 10:11 /dev/tpm0 > + crw-rw----. 1 tss root 10, 224 Sep 6 12:36 /dev/tpm0 > + crw-rw----. 1 tss rss 253, 65536 Sep 6 12:36 /dev/tpmrm0 > > - # find /sys/devices/ | grep pcrs$ | xargs cat > - PCR-00: 35 4E 3B CE 23 9F 38 59 ... > + Starting with Linux 5.12 there are PCR entries for TPM 2 in sysfs: > + # find /sys/devices/ -type f | grep pcr-sha > + ... > + /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/1 > + ... > + /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/9 > ... > - PCR-23: 00 00 00 00 00 00 00 00 ... > > Migration with the TPM emulator > =============================== > @@ -398,7 +401,8 @@ In a 1st terminal start an instance of a swtpm using the following command: > mkdir /tmp/mytpm1 > swtpm socket --tpmstate dir=/tmp/mytpm1 \ > --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \ > - --log level=20 --tpm2 > + --tpm2 \ > + --log level=20 > > In a 2nd terminal start the VM: > Applied to my trivial-patches branch. Thanks, Laurent
On Tue, Sep 27, 2022 at 4:21 PM Stefan Berger <stefanb@linux.ibm.com> wrote: > > Update the TPM documentation for usage of a TPM 2 rather than a TPM 1.2. > Adjust the command lines and expected outputs inside the VM accordingly. > Update the command line to start a TPM 2 with swtpm. > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> > --- > docs/specs/tpm.rst | 44 ++++++++++++++++++++++++-------------------- > 1 file changed, 24 insertions(+), 20 deletions(-) > > diff --git a/docs/specs/tpm.rst b/docs/specs/tpm.rst > index 3be190343a..535912a92b 100644 > --- a/docs/specs/tpm.rst > +++ b/docs/specs/tpm.rst > @@ -250,24 +250,25 @@ hardware TPM ``/dev/tpm0``: > > The following commands should result in similar output inside the VM > with a Linux kernel that either has the TPM TIS driver built-in or > -available as a module: > +available as a module (assuming a TPM 2 is passed through): > > .. code-block:: console > > # dmesg | grep -i tpm > - [ 0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1) > - > - # dmesg | grep TCPA > - [ 0.000000] ACPI: TCPA 0x0000000003FFD191C 000032 (v02 BOCHS \ > - BXPCTCPA 0000001 BXPC 00000001) > + [ 0.012560] ACPI: TPM2 0x000000000BFFD1900 00004C (v04 BOCHS \ > + BXPC 0000001 BXPC 00000001) > > # ls -l /dev/tpm* > - crw-------. 1 root root 10, 224 Jul 11 10:11 /dev/tpm0 > + crw-rw----. 1 tss root 10, 224 Sep 6 12:36 /dev/tpm0 > + crw-rw----. 1 tss rss 253, 65536 Sep 6 12:36 /dev/tpmrm0 > > - # find /sys/devices/ | grep pcrs$ | xargs cat > - PCR-00: 35 4E 3B CE 23 9F 38 59 ... > + Starting with Linux 5.12 there are PCR entries for TPM 2 in sysfs: > + # find /sys/devices/ -type f | grep pcr-sha > + ... > + /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/1 > + ... > + /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/9 > ... > - PCR-23: 00 00 00 00 00 00 00 00 ... > > The QEMU TPM emulator device > ---------------------------- 
> @@ -304,6 +305,7 @@ a socket interface. They do not need to be run as root. > mkdir /tmp/mytpm1 > swtpm socket --tpmstate dir=/tmp/mytpm1 \ > --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \ > + --tpm2 \ > --log level=20 > > Command line to start QEMU with the TPM emulator device communicating > @@ -365,19 +367,20 @@ available as a module: > .. code-block:: console > > # dmesg | grep -i tpm > - [ 0.711310] tpm_tis 00:06: 1.2 TPM (device=id 0x1, rev-id 1) > - > - # dmesg | grep TCPA > - [ 0.000000] ACPI: TCPA 0x0000000003FFD191C 000032 (v02 BOCHS \ > - BXPCTCPA 0000001 BXPC 00000001) > + [ 0.012560] ACPI: TPM2 0x000000000BFFD1900 00004C (v04 BOCHS \ > + BXPC 0000001 BXPC 00000001) > > # ls -l /dev/tpm* > - crw-------. 1 root root 10, 224 Jul 11 10:11 /dev/tpm0 > + crw-rw----. 1 tss root 10, 224 Sep 6 12:36 /dev/tpm0 > + crw-rw----. 1 tss rss 253, 65536 Sep 6 12:36 /dev/tpmrm0 > > - # find /sys/devices/ | grep pcrs$ | xargs cat > - PCR-00: 35 4E 3B CE 23 9F 38 59 ... > + Starting with Linux 5.12 there are PCR entries for TPM 2 in sysfs: > + # find /sys/devices/ -type f | grep pcr-sha > + ... > + /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/1 > + ... > + /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/9 > ... > - PCR-23: 00 00 00 00 00 00 00 00 ... > > Migration with the TPM emulator > =============================== > @@ -398,7 +401,8 @@ In a 1st terminal start an instance of a swtpm using the following command: > mkdir /tmp/mytpm1 > swtpm socket --tpmstate dir=/tmp/mytpm1 \ > --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \ > - --log level=20 --tpm2 > + --tpm2 \ > + --log level=20 > > In a 2nd terminal start the VM: > > -- > 2.37.2 >