1. Patchew
  2. QEMU
  3. View series

[PATCH v7 0/3] Add support for TPM devices over I2C bus

Ninad Palsule posted 3 patches 1 year ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20230326224426.3918167-1-ninad@linux.ibm.com
Maintainers: Stefan Berger <stefanb@linux.vnet.ibm.com>, Peter Maydell <peter.maydell@linaro.org>, "Michael S. Tsirkin" <mst@redhat.com>, Igor Mammedov <imammedo@redhat.com>, Ani Sinha <ani@anisinha.ca>
There is a newer version of this series
docs/specs/tpm.rst      |  32 +++
hw/arm/Kconfig          |   1 +
hw/tpm/Kconfig          |   7 +
hw/tpm/meson.build      |   1 +
hw/tpm/tpm_tis.h        |   3 +
hw/tpm/tpm_tis_common.c |  36 ++-
hw/tpm/tpm_tis_i2c.c    | 540 ++++++++++++++++++++++++++++++++++++++++
hw/tpm/trace-events     |   6 +
include/hw/acpi/tpm.h   |  31 +++
include/sysemu/tpm.h    |   3 +
10 files changed, 652 insertions(+), 8 deletions(-)
create mode 100644 hw/tpm/tpm_tis_i2c.c
[PATCH v7 0/3] Add support for TPM devices over I2C bus
Posted by Ninad Palsule 1 year ago 
Hello,

I have incorporated review comments from Stefan. Please review.

This drop adds support for the TPM devices attached to the I2C bus. It
only supports the TPM2 protocol. You need to run it with the external
TPM emulator like swtpm. I have tested it with swtpm.

I have refered to the work done by zhdaniel@meta.com but at the core
level out implementation is different.
https://github.com/theopolis/qemu/commit/2e2e57cde9e419c36af8071bb85392ad1ed70966

Based-on: $MESSAGE_ID


Ninad Palsule (3):
  docs: Add support for TPM devices over I2C bus
  tpm: Extend common APIs to support TPM TIS I2C
  tpm: Add support for TPM device over I2C bus

 docs/specs/tpm.rst      |  32 +++
 hw/arm/Kconfig          |   1 +
 hw/tpm/Kconfig          |   7 +
 hw/tpm/meson.build      |   1 +
 hw/tpm/tpm_tis.h        |   3 +
 hw/tpm/tpm_tis_common.c |  36 ++-
 hw/tpm/tpm_tis_i2c.c    | 540 ++++++++++++++++++++++++++++++++++++++++
 hw/tpm/trace-events     |   6 +
 include/hw/acpi/tpm.h   |  31 +++
 include/sysemu/tpm.h    |   3 +
 10 files changed, 652 insertions(+), 8 deletions(-)
 create mode 100644 hw/tpm/tpm_tis_i2c.c

-- 
2.37.2
Re: [PATCH v7 0/3] Add support for TPM devices over I2C bus
Posted by Joel Stanley 1 year ago 
Hi Ninad,

On Sun, 26 Mar 2023 at 22:44, Ninad Palsule <ninad@linux.ibm.com> wrote:
>
> Hello,
>
> I have incorporated review comments from Stefan. Please review.
>
> This drop adds support for the TPM devices attached to the I2C bus. It
> only supports the TPM2 protocol. You need to run it with the external
> TPM emulator like swtpm. I have tested it with swtpm.

Nice work. I tested these stop cedric's aspeed-8.0 qemu tree, using
the rainier machine and the openbmc dev-6.1 kernel.

We get this message when booting from a kernel:

[    0.582699] tpm_tis_i2c 12-002e: 2.0 TPM (device-id 0x1, rev-id 1)
[    0.586361] tpm tpm0: A TPM error (256) occurred attempting the self test
[    0.586623] tpm tpm0: starting up the TPM manually

Do we understand why the error appears?

# grep -r . /sys/class/tpm/tpm0/pcr-sha256/ | sort -n -k 7 -t /
/sys/class/tpm/tpm0/pcr-sha256/0:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/1:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/2:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/3:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/4:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/5:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/6:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/7:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/8:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/9:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/10:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/11:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/12:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/13:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/14:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/15:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/16:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/17:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/18:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/19:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/20:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/21:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/22:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/23:0000000000000000000000000000000000000000000000000000000000000000

If I boot through the openbmc u-boot for the p10bmc machine, which
measures things into the PCRs:

[    0.556713] tpm_tis_i2c 12-002e: 2.0 TPM (device-id 0x1, rev-id 1)

/ # grep -r . /sys/class/tpm/tpm0/pcr-sha256/ | sort -n -k 7 -t /
/sys/class/tpm/tpm0/pcr-sha256/0:AFA13691EFC7BC6E189E92347F20676FB4523302CB957DA9A65C3430C45E8BCC
/sys/class/tpm/tpm0/pcr-sha256/1:37F0F710A5502FAE6DB7433B36001FEE1CBF15BA2A7D6923207FF56888584714
/sys/class/tpm/tpm0/pcr-sha256/2:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
/sys/class/tpm/tpm0/pcr-sha256/3:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
/sys/class/tpm/tpm0/pcr-sha256/4:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
/sys/class/tpm/tpm0/pcr-sha256/5:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
/sys/class/tpm/tpm0/pcr-sha256/6:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
/sys/class/tpm/tpm0/pcr-sha256/7:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
/sys/class/tpm/tpm0/pcr-sha256/8:AE67485BD01E8D6FE0208C46C473940173F66E9C6F43C75ABB404375787E9705
/sys/class/tpm/tpm0/pcr-sha256/9:DB99D92EADBB446894CB0C062AEB673F60DDAFBC62BC2A9CA561A13B31E5357C
/sys/class/tpm/tpm0/pcr-sha256/10:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/11:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/12:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/13:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/14:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/15:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/16:0000000000000000000000000000000000000000000000000000000000000000
/sys/class/tpm/tpm0/pcr-sha256/17:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/18:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/19:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/20:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/21:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/22:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
/sys/class/tpm/tpm0/pcr-sha256/23:0000000000000000000000000000000000000000000000000000000000000000

However on a clean boot into the TPM, the u-boot tpm commands fail:

ast# tpm info
tpm@2e v2.0: VendorID 0x1014, DeviceID 0x0001, RevisionID 0x01 [closed]
ast# tpINTERRUPT>
ast# tpm init
ast# tpm info
tpm@2e v2.0: VendorID 0x1014, DeviceID 0x0001, RevisionID 0x01 [open]
ast# tpm pcr_read 0 0x81000000
Error: 256
ast# md.l 0x81000000 16
81000000: 00000000 00000000 00000000 00000000    ................
81000010: 00000000 00000000 00000000 00000000    ................
81000020: 00000000 00000000 00000000 00000000    ................
81000030: 00000000 00000000 00000000 00000000    ................
81000040: 00000000 00000000 00000000 00000000    ................
81000050: 00000000 00000000                      ........

This doesn't need to block merging into qemu, as the model works fine
for pcr measurement and accessing under Linux. However it would be
good to work though these issues in case there's a modelling
discrepancy.



>
> I have refered to the work done by zhdaniel@meta.com but at the core
> level out implementation is different.
> https://github.com/theopolis/qemu/commit/2e2e57cde9e419c36af8071bb85392ad1ed70966
>
> Based-on: $MESSAGE_ID
>
>
> Ninad Palsule (3):
>   docs: Add support for TPM devices over I2C bus
>   tpm: Extend common APIs to support TPM TIS I2C
>   tpm: Add support for TPM device over I2C bus
>
>  docs/specs/tpm.rst      |  32 +++
>  hw/arm/Kconfig          |   1 +
>  hw/tpm/Kconfig          |   7 +
>  hw/tpm/meson.build      |   1 +
>  hw/tpm/tpm_tis.h        |   3 +
>  hw/tpm/tpm_tis_common.c |  36 ++-
>  hw/tpm/tpm_tis_i2c.c    | 540 ++++++++++++++++++++++++++++++++++++++++
>  hw/tpm/trace-events     |   6 +
>  include/hw/acpi/tpm.h   |  31 +++
>  include/sysemu/tpm.h    |   3 +
>  10 files changed, 652 insertions(+), 8 deletions(-)
>  create mode 100644 hw/tpm/tpm_tis_i2c.c
>
> --
> 2.37.2
>
Re: [PATCH v7 0/3] Add support for TPM devices over I2C bus
Posted by Stefan Berger 1 year ago 

On 3/26/23 21:05, Joel Stanley wrote:
> Hi Ninad,
> 
> On Sun, 26 Mar 2023 at 22:44, Ninad Palsule <ninad@linux.ibm.com> wrote:
>>
>> Hello,
>>
>> I have incorporated review comments from Stefan. Please review.
>>
>> This drop adds support for the TPM devices attached to the I2C bus. It
>> only supports the TPM2 protocol. You need to run it with the external
>> TPM emulator like swtpm. I have tested it with swtpm.
> 
> Nice work. I tested these stop cedric's aspeed-8.0 qemu tree, using
> the rainier machine and the openbmc dev-6.1 kernel.
> 
> We get this message when booting from a kernel:
> 
> [    0.582699] tpm_tis_i2c 12-002e: 2.0 TPM (device-id 0x1, rev-id 1)
> [    0.586361] tpm tpm0: A TPM error (256) occurred attempting the self test
> [    0.586623] tpm tpm0: starting up the TPM manually
> 
> Do we understand why the error appears?

The firmware did not initialize the TPM 2.



> 
> # grep -r . /sys/class/tpm/tpm0/pcr-sha256/ | sort -n -k 7 -t /
> /sys/class/tpm/tpm0/pcr-sha256/0:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/1:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/2:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/3:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/4:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/5:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/6:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/7:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/8:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/9:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/10:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/11:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/12:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/13:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/14:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/15:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/16:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/17:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/18:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/19:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/20:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/21:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/22:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/23:0000000000000000000000000000000000000000000000000000000000000000
> 
> If I boot through the openbmc u-boot for the p10bmc machine, which
> measures things into the PCRs:
> 
> [    0.556713] tpm_tis_i2c 12-002e: 2.0 TPM (device-id 0x1, rev-id 1)

In this case the firmware started up the TPM 2. Also the PCRs have been touched by the firmware in this case.

> 
> / # grep -r . /sys/class/tpm/tpm0/pcr-sha256/ | sort -n -k 7 -t /
> /sys/class/tpm/tpm0/pcr-sha256/0:AFA13691EFC7BC6E189E92347F20676FB4523302CB957DA9A65C3430C45E8BCC
> /sys/class/tpm/tpm0/pcr-sha256/1:37F0F710A5502FAE6DB7433B36001FEE1CBF15BA2A7D6923207FF56888584714
> /sys/class/tpm/tpm0/pcr-sha256/2:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
> /sys/class/tpm/tpm0/pcr-sha256/3:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
> /sys/class/tpm/tpm0/pcr-sha256/4:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
> /sys/class/tpm/tpm0/pcr-sha256/5:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
> /sys/class/tpm/tpm0/pcr-sha256/6:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
> /sys/class/tpm/tpm0/pcr-sha256/7:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
> /sys/class/tpm/tpm0/pcr-sha256/8:AE67485BD01E8D6FE0208C46C473940173F66E9C6F43C75ABB404375787E9705
> /sys/class/tpm/tpm0/pcr-sha256/9:DB99D92EADBB446894CB0C062AEB673F60DDAFBC62BC2A9CA561A13B31E5357C
> /sys/class/tpm/tpm0/pcr-sha256/10:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/11:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/12:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/13:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/14:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/15:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/16:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/17:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/18:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/19:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/20:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/21:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/22:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/23:0000000000000000000000000000000000000000000000000000000000000000
> 
> However on a clean boot into the TPM, the u-boot tpm commands fail:
> 
> ast# tpm info
> tpm@2e v2.0: VendorID 0x1014, DeviceID 0x0001, RevisionID 0x01 [closed]
> ast# tpINTERRUPT>

Is this normal output? Is it an indication of some sort of IRQ?

> ast# tpm init
> ast# tpm info
> tpm@2e v2.0: VendorID 0x1014, DeviceID 0x0001, RevisionID 0x01 [open]
> ast# tpm pcr_read 0 0x81000000
> Error: 256
> ast# md.l 0x81000000 16
> 81000000: 00000000 00000000 00000000 00000000    ................
> 81000010: 00000000 00000000 00000000 00000000    ................
> 81000020: 00000000 00000000 00000000 00000000    ................
> 81000030: 00000000 00000000 00000000 00000000    ................
> 81000040: 00000000 00000000 00000000 00000000    ................
> 81000050: 00000000 00000000                      ........
> 
> This doesn't need to block merging into qemu, as the model works fine
> for pcr measurement and accessing under Linux. However it would be
> good to work though these issues in case there's a modelling
> discrepancy.


It reads the didvid and rid registers just fine and per the touched PCRs it knows how to talk to the TPM 2 to extend the PCRs.
So this is strange. What is the 0x81000000 parameter in this command? Is it some memory location?


    Stefan

> 
> 
> 
>>
>> I have refered to the work done by zhdaniel@meta.com but at the core
>> level out implementation is different.
>> https://github.com/theopolis/qemu/commit/2e2e57cde9e419c36af8071bb85392ad1ed70966
>>
>> Based-on: $MESSAGE_ID
>>
>>
>> Ninad Palsule (3):
>>    docs: Add support for TPM devices over I2C bus
>>    tpm: Extend common APIs to support TPM TIS I2C
>>    tpm: Add support for TPM device over I2C bus
>>
>>   docs/specs/tpm.rst      |  32 +++
>>   hw/arm/Kconfig          |   1 +
>>   hw/tpm/Kconfig          |   7 +
>>   hw/tpm/meson.build      |   1 +
>>   hw/tpm/tpm_tis.h        |   3 +
>>   hw/tpm/tpm_tis_common.c |  36 ++-
>>   hw/tpm/tpm_tis_i2c.c    | 540 ++++++++++++++++++++++++++++++++++++++++
>>   hw/tpm/trace-events     |   6 +
>>   include/hw/acpi/tpm.h   |  31 +++
>>   include/sysemu/tpm.h    |   3 +
>>   10 files changed, 652 insertions(+), 8 deletions(-)
>>   create mode 100644 hw/tpm/tpm_tis_i2c.c
>>
>> --
>> 2.37.2
>>
Re: [PATCH v7 0/3] Add support for TPM devices over I2C bus
Posted by Stefan Berger 1 year ago 

On 3/27/23 07:11, Stefan Berger wrote:
> 
> 

>> We get this message when booting from a kernel:
>>
>> [    0.582699] tpm_tis_i2c 12-002e: 2.0 TPM (device-id 0x1, rev-id 1)
>> [    0.586361] tpm tpm0: A TPM error (256) occurred attempting the self test
>> [    0.586623] tpm tpm0: starting up the TPM manually
>>
>> Do we understand why the error appears?
> 
> The firmware did not initialize the TPM 2.
> 

>> However on a clean boot into the TPM, the u-boot tpm commands fail:
>>
>> ast# tpm info
>> tpm@2e v2.0: VendorID 0x1014, DeviceID 0x0001, RevisionID 0x01 [closed]
>> ast# tpINTERRUPT>
> 
> Is this normal output? Is it an indication of some sort of IRQ?
> 
>> ast# tpm init
>> ast# tpm info
>> tpm@2e v2.0: VendorID 0x1014, DeviceID 0x0001, RevisionID 0x01 [open]
>> ast# tpm pcr_read 0 0x81000000
>> Error: 256

If this is an error from the TPM 2 , then the 256 error code is the same as reported by Linux above:

$ tssreturncode 0x100
TPM_RC_INITIALIZE - TPM not initialized by TPM2_Startup or already initialized


I will try to reproduce this today. u-boot should have a sent TPM2_Startup as part of 'tpm init' command above or even before on its own.

     Stefan
Re: [PATCH v7 0/3] Add support for TPM devices over I2C bus
Posted by Stefan Berger 1 year ago 

On 3/27/23 08:31, Stefan Berger wrote:
> 
> 
> On 3/27/23 07:11, Stefan Berger wrote:
>>
>>
> 
>>> We get this message when booting from a kernel:
>>>
>>> [    0.582699] tpm_tis_i2c 12-002e: 2.0 TPM (device-id 0x1, rev-id 1)
>>> [    0.586361] tpm tpm0: A TPM error (256) occurred attempting the self test
>>> [    0.586623] tpm tpm0: starting up the TPM manually
>>>
>>> Do we understand why the error appears?
>>
>> The firmware did not initialize the TPM 2.
>>
> 
>>> However on a clean boot into the TPM, the u-boot tpm commands fail:
>>>
>>> ast# tpm info
>>> tpm@2e v2.0: VendorID 0x1014, DeviceID 0x0001, RevisionID 0x01 [closed]
>>> ast# tpINTERRUPT>
>>
>> Is this normal output? Is it an indication of some sort of IRQ?
>>
>>> ast# tpm init
>>> ast# tpm info
>>> tpm@2e v2.0: VendorID 0x1014, DeviceID 0x0001, RevisionID 0x01 [open]
>>> ast# tpm pcr_read 0 0x81000000
>>> Error: 256
> 
> If this is an error from the TPM 2 , then the 256 error code is the same as reported by Linux above:
> 
> $ tssreturncode 0x100
> TPM_RC_INITIALIZE - TPM not initialized by TPM2_Startup or already initialized
> 
> 
> I will try to reproduce this today. u-boot should have a sent TPM2_Startup as part of 'tpm init' command above or even before on its own.

One needs to do this here:

ast# tpm2 startup TPM2_SU_CLEAR
ast# tpm2 pcr_read 0 0x81000000
PCR #0 content (332 known updates):
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

    Stefan
Re: [PATCH v7 0/3] Add support for TPM devices over I2C bus
Posted by Joel Stanley 1 year ago 
On Mon, 27 Mar 2023 at 11:11, Stefan Berger <stefanb@linux.ibm.com> wrote:
>
>
>
> On 3/26/23 21:05, Joel Stanley wrote:
> > Hi Ninad,
> >
> > On Sun, 26 Mar 2023 at 22:44, Ninad Palsule <ninad@linux.ibm.com> wrote:
> >>
> >> Hello,
> >>
> >> I have incorporated review comments from Stefan. Please review.
> >>
> >> This drop adds support for the TPM devices attached to the I2C bus. It
> >> only supports the TPM2 protocol. You need to run it with the external
> >> TPM emulator like swtpm. I have tested it with swtpm.
> >
> > Nice work. I tested these stop cedric's aspeed-8.0 qemu tree, using
> > the rainier machine and the openbmc dev-6.1 kernel.
> >
> > We get this message when booting from a kernel:
> >
> > [    0.582699] tpm_tis_i2c 12-002e: 2.0 TPM (device-id 0x1, rev-id 1)
> > [    0.586361] tpm tpm0: A TPM error (256) occurred attempting the self test
> > [    0.586623] tpm tpm0: starting up the TPM manually
> >
> > Do we understand why the error appears?
>
> The firmware did not initialize the TPM 2.

Which firmware are we talking about here?

In the case of these systems, we (u-boot+linux) are what would
traditionally be referred to as firmware.

> > # grep -r . /sys/class/tpm/tpm0/pcr-sha256/ | sort -n -k 7 -t /
> > /sys/class/tpm/tpm0/pcr-sha256/0:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/1:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/2:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/3:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/4:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/5:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/6:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/7:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/8:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/9:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/10:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/11:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/12:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/13:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/14:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/15:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/16:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/17:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > /sys/class/tpm/tpm0/pcr-sha256/18:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > /sys/class/tpm/tpm0/pcr-sha256/19:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > /sys/class/tpm/tpm0/pcr-sha256/20:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > /sys/class/tpm/tpm0/pcr-sha256/21:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > /sys/class/tpm/tpm0/pcr-sha256/22:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > /sys/class/tpm/tpm0/pcr-sha256/23:0000000000000000000000000000000000000000000000000000000000000000
> >
> > If I boot through the openbmc u-boot for the p10bmc machine, which
> > measures things into the PCRs:
> >
> > [    0.556713] tpm_tis_i2c 12-002e: 2.0 TPM (device-id 0x1, rev-id 1)
>
> In this case the firmware started up the TPM 2. Also the PCRs have been touched by the firmware in this case.
>
> >
> > / # grep -r . /sys/class/tpm/tpm0/pcr-sha256/ | sort -n -k 7 -t /
> > /sys/class/tpm/tpm0/pcr-sha256/0:AFA13691EFC7BC6E189E92347F20676FB4523302CB957DA9A65C3430C45E8BCC
> > /sys/class/tpm/tpm0/pcr-sha256/1:37F0F710A5502FAE6DB7433B36001FEE1CBF15BA2A7D6923207FF56888584714
> > /sys/class/tpm/tpm0/pcr-sha256/2:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
> > /sys/class/tpm/tpm0/pcr-sha256/3:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
> > /sys/class/tpm/tpm0/pcr-sha256/4:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
> > /sys/class/tpm/tpm0/pcr-sha256/5:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
> > /sys/class/tpm/tpm0/pcr-sha256/6:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
> > /sys/class/tpm/tpm0/pcr-sha256/7:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
> > /sys/class/tpm/tpm0/pcr-sha256/8:AE67485BD01E8D6FE0208C46C473940173F66E9C6F43C75ABB404375787E9705
> > /sys/class/tpm/tpm0/pcr-sha256/9:DB99D92EADBB446894CB0C062AEB673F60DDAFBC62BC2A9CA561A13B31E5357C
> > /sys/class/tpm/tpm0/pcr-sha256/10:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/11:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/12:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/13:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/14:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/15:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/16:0000000000000000000000000000000000000000000000000000000000000000
> > /sys/class/tpm/tpm0/pcr-sha256/17:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > /sys/class/tpm/tpm0/pcr-sha256/18:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > /sys/class/tpm/tpm0/pcr-sha256/19:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > /sys/class/tpm/tpm0/pcr-sha256/20:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > /sys/class/tpm/tpm0/pcr-sha256/21:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > /sys/class/tpm/tpm0/pcr-sha256/22:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> > /sys/class/tpm/tpm0/pcr-sha256/23:0000000000000000000000000000000000000000000000000000000000000000

> > However on a clean boot into the TPM, the u-boot tpm commands fail:
> >
> > ast# tpm info
> > tpm@2e v2.0: VendorID 0x1014, DeviceID 0x0001, RevisionID 0x01 [closed]
> > ast# tpINTERRUPT>
>
> Is this normal output? Is it an indication of some sort of IRQ?

Ignore that line, that was me using ctrl+c to cancel the input. I
should have trimmed it from the email before sending.

>
> > ast# tpm init
> > ast# tpm info
> > tpm@2e v2.0: VendorID 0x1014, DeviceID 0x0001, RevisionID 0x01 [open]
> > ast# tpm pcr_read 0 0x81000000
> > Error: 256
> > ast# md.l 0x81000000 16
> > 81000000: 00000000 00000000 00000000 00000000    ................
> > 81000010: 00000000 00000000 00000000 00000000    ................
> > 81000020: 00000000 00000000 00000000 00000000    ................
> > 81000030: 00000000 00000000 00000000 00000000    ................
> > 81000040: 00000000 00000000 00000000 00000000    ................
> > 81000050: 00000000 00000000                      ........
> >
> > This doesn't need to block merging into qemu, as the model works fine
> > for pcr measurement and accessing under Linux. However it would be
> > good to work though these issues in case there's a modelling
> > discrepancy.
>
>
> It reads the didvid and rid registers just fine and per the touched PCRs it knows how to talk to the TPM 2 to extend the PCRs.

It hasn't done so in this case; the boot step that extends the PCRs
hasn't been executed.

> So this is strange. What is the 0x81000000 parameter in this command? Is it some memory location?

Yes, it's an arbitrary DRAM location that we've asked u-boot to place
the contents of the PCR.

Cheers,

Joel
Re: [PATCH v7 0/3] Add support for TPM devices over I2C bus
Posted by Stefan Berger 1 year ago 

On 3/27/23 07:18, Joel Stanley wrote:
> On Mon, 27 Mar 2023 at 11:11, Stefan Berger <stefanb@linux.ibm.com> wrote:
>>
>>
>>
>> On 3/26/23 21:05, Joel Stanley wrote:
>>> Hi Ninad,
>>>
>>> On Sun, 26 Mar 2023 at 22:44, Ninad Palsule <ninad@linux.ibm.com> wrote:
>>>>
>>>> Hello,
>>>>
>>>> I have incorporated review comments from Stefan. Please review.
>>>>
>>>> This drop adds support for the TPM devices attached to the I2C bus. It
>>>> only supports the TPM2 protocol. You need to run it with the external
>>>> TPM emulator like swtpm. I have tested it with swtpm.
>>>
>>> Nice work. I tested these stop cedric's aspeed-8.0 qemu tree, using
>>> the rainier machine and the openbmc dev-6.1 kernel.
>>>
>>> We get this message when booting from a kernel:
>>>
>>> [    0.582699] tpm_tis_i2c 12-002e: 2.0 TPM (device-id 0x1, rev-id 1)
>>> [    0.586361] tpm tpm0: A TPM error (256) occurred attempting the self test
>>> [    0.586623] tpm tpm0: starting up the TPM manually
>>>
>>> Do we understand why the error appears?
>>
>> The firmware did not initialize the TPM 2.
> 
> Which firmware are we talking about here?

This happens if either no firmware is used or the firmware doesn't know how to talk to the TPM 2.
Linux detects that the TPM 2 wasn't initialized (TPM2_Startup was not sent).
   
    Stefan
Re: [PATCH v7 0/3] Add support for TPM devices over I2C bus
Posted by Ninad Palsule 1 year ago 
Hi Joel,

On 3/26/23 8:05 PM, Joel Stanley wrote:
> Hi Ninad,
>
> On Sun, 26 Mar 2023 at 22:44, Ninad Palsule <ninad@linux.ibm.com> wrote:
>> Hello,
>>
>> I have incorporated review comments from Stefan. Please review.
>>
>> This drop adds support for the TPM devices attached to the I2C bus. It
>> only supports the TPM2 protocol. You need to run it with the external
>> TPM emulator like swtpm. I have tested it with swtpm.
> Nice work. I tested these stop cedric's aspeed-8.0 qemu tree, using
> the rainier machine and the openbmc dev-6.1 kernel.
>
> We get this message when booting from a kernel:
>
> [    0.582699] tpm_tis_i2c 12-002e: 2.0 TPM (device-id 0x1, rev-id 1)
> [    0.586361] tpm tpm0: A TPM error (256) occurred attempting the self test
> [    0.586623] tpm tpm0: starting up the TPM manually
>
> Do we understand why the error appears?


Yes, As per kernel code this is an expected error for some emulators.

On swtpm emulator, It returns TPM2_RC_INITIALIZE if emulator is not 
initialized. I searched it in swtpm and it indicated that selftest 
requested before it is initialized. I meant to ask Stefan but busy with 
the review comments.

This function comment in the driver mentioned below indicate that this 
case possible with emulators.

/**
  * tpm2_startup - turn on the TPM
  * @chip: TPM chip to use
  *
  * Normally the firmware should start the TPM. This function is 
provided as a
  * workaround if this does not happen. A legal case for this could be for
  * example when a TPM emulator is used.
  *
  * Return: same as tpm_transmit_cmd()
  */

static int tpm2_startup(struct tpm_chip *chip)


>
> # grep -r . /sys/class/tpm/tpm0/pcr-sha256/ | sort -n -k 7 -t /
> /sys/class/tpm/tpm0/pcr-sha256/0:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/1:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/2:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/3:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/4:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/5:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/6:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/7:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/8:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/9:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/10:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/11:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/12:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/13:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/14:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/15:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/16:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/17:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/18:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/19:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/20:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/21:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/22:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/23:0000000000000000000000000000000000000000000000000000000000000000
>
> If I boot through the openbmc u-boot for the p10bmc machine, which
> measures things into the PCRs:
>
> [    0.556713] tpm_tis_i2c 12-002e: 2.0 TPM (device-id 0x1, rev-id 1)
>
> / # grep -r . /sys/class/tpm/tpm0/pcr-sha256/ | sort -n -k 7 -t /
> /sys/class/tpm/tpm0/pcr-sha256/0:AFA13691EFC7BC6E189E92347F20676FB4523302CB957DA9A65C3430C45E8BCC
> /sys/class/tpm/tpm0/pcr-sha256/1:37F0F710A5502FAE6DB7433B36001FEE1CBF15BA2A7D6923207FF56888584714
> /sys/class/tpm/tpm0/pcr-sha256/2:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
> /sys/class/tpm/tpm0/pcr-sha256/3:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
> /sys/class/tpm/tpm0/pcr-sha256/4:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
> /sys/class/tpm/tpm0/pcr-sha256/5:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
> /sys/class/tpm/tpm0/pcr-sha256/6:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
> /sys/class/tpm/tpm0/pcr-sha256/7:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
> /sys/class/tpm/tpm0/pcr-sha256/8:AE67485BD01E8D6FE0208C46C473940173F66E9C6F43C75ABB404375787E9705
> /sys/class/tpm/tpm0/pcr-sha256/9:DB99D92EADBB446894CB0C062AEB673F60DDAFBC62BC2A9CA561A13B31E5357C
> /sys/class/tpm/tpm0/pcr-sha256/10:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/11:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/12:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/13:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/14:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/15:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/16:0000000000000000000000000000000000000000000000000000000000000000
> /sys/class/tpm/tpm0/pcr-sha256/17:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/18:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/19:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/20:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/21:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/22:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> /sys/class/tpm/tpm0/pcr-sha256/23:0000000000000000000000000000000000000000000000000000000000000000

Great thanks. I could not try it.


>
> However on a clean boot into the TPM, the u-boot tpm commands fail:
>
> ast# tpm info
> tpm@2e v2.0: VendorID 0x1014, DeviceID 0x0001, RevisionID 0x01 [closed]
> ast# tpINTERRUPT>
> ast# tpm init
> ast# tpm info
> tpm@2e v2.0: VendorID 0x1014, DeviceID 0x0001, RevisionID 0x01 [open]
> ast# tpm pcr_read 0 0x81000000
> Error: 256
> ast# md.l 0x81000000 16
> 81000000: 00000000 00000000 00000000 00000000    ................
> 81000010: 00000000 00000000 00000000 00000000    ................
> 81000020: 00000000 00000000 00000000 00000000    ................
> 81000030: 00000000 00000000 00000000 00000000    ................
> 81000040: 00000000 00000000 00000000 00000000    ................
> 81000050: 00000000 00000000                      ........
>
> This doesn't need to block merging into qemu, as the model works fine
> for pcr measurement and accessing under Linux. However it would be
> good to work though these issues in case there's a modelling
> discrepancy.


Yes, Please provide me details on how to reproduce it. I will take a look.


Thanks for the review.

Ninad

>
>
>
>> I have refered to the work done by zhdaniel@meta.com but at the core
>> level out implementation is different.
>> https://github.com/theopolis/qemu/commit/2e2e57cde9e419c36af8071bb85392ad1ed70966
>>
>> Based-on: $MESSAGE_ID
>>
>>
>> Ninad Palsule (3):
>>    docs: Add support for TPM devices over I2C bus
>>    tpm: Extend common APIs to support TPM TIS I2C
>>    tpm: Add support for TPM device over I2C bus
>>
>>   docs/specs/tpm.rst      |  32 +++
>>   hw/arm/Kconfig          |   1 +
>>   hw/tpm/Kconfig          |   7 +
>>   hw/tpm/meson.build      |   1 +
>>   hw/tpm/tpm_tis.h        |   3 +
>>   hw/tpm/tpm_tis_common.c |  36 ++-
>>   hw/tpm/tpm_tis_i2c.c    | 540 ++++++++++++++++++++++++++++++++++++++++
>>   hw/tpm/trace-events     |   6 +
>>   include/hw/acpi/tpm.h   |  31 +++
>>   include/sysemu/tpm.h    |   3 +
>>   10 files changed, 652 insertions(+), 8 deletions(-)
>>   create mode 100644 hw/tpm/tpm_tis_i2c.c
>>
>> --
>> 2.37.2
>>
Re: [PATCH v7 0/3] Add support for TPM devices over I2C bus
Posted by Joel Stanley 1 year ago 
On Mon, 27 Mar 2023 at 03:52, Ninad Palsule <ninad@linux.vnet.ibm.com> wrote:
>
> Hi Joel,
>
> On 3/26/23 8:05 PM, Joel Stanley wrote:
> > Hi Ninad,
> >
> > On Sun, 26 Mar 2023 at 22:44, Ninad Palsule <ninad@linux.ibm.com> wrote:
> >> Hello,
> >>
> >> I have incorporated review comments from Stefan. Please review.
> >>
> >> This drop adds support for the TPM devices attached to the I2C bus. It
> >> only supports the TPM2 protocol. You need to run it with the external
> >> TPM emulator like swtpm. I have tested it with swtpm.
> > Nice work. I tested these stop cedric's aspeed-8.0 qemu tree, using
> > the rainier machine and the openbmc dev-6.1 kernel.
> >
> > We get this message when booting from a kernel:
> >
> > [    0.582699] tpm_tis_i2c 12-002e: 2.0 TPM (device-id 0x1, rev-id 1)
> > [    0.586361] tpm tpm0: A TPM error (256) occurred attempting the self test
> > [    0.586623] tpm tpm0: starting up the TPM manually
> >
> > Do we understand why the error appears?
>
>
> Yes, As per kernel code this is an expected error for some emulators.
>
> On swtpm emulator, It returns TPM2_RC_INITIALIZE if emulator is not
> initialized. I searched it in swtpm and it indicated that selftest
> requested before it is initialized. I meant to ask Stefan but busy with
> the review comments.

The swtpm man page mentions some flags we can set. Perhaps they would help?

       --flags [not-need-init]
[,startup-clear|startup-state|startup-deactivated|startup-none]


>
> This function comment in the driver mentioned below indicate that this
> case possible with emulators.
>
> /**
>   * tpm2_startup - turn on the TPM
>   * @chip: TPM chip to use
>   *
>   * Normally the firmware should start the TPM. This function is
> provided as a
>   * workaround if this does not happen. A legal case for this could be for
>   * example when a TPM emulator is used.
>   *
>   * Return: same as tpm_transmit_cmd()
>   */
>
> static int tpm2_startup(struct tpm_chip *chip)
>

> > However on a clean boot into the TPM, the u-boot tpm commands fail:
> >
> > ast# tpm info
> > tpm@2e v2.0: VendorID 0x1014, DeviceID 0x0001, RevisionID 0x01 [closed]
> > ast# tpINTERRUPT>
> > ast# tpm init
> > ast# tpm info
> > tpm@2e v2.0: VendorID 0x1014, DeviceID 0x0001, RevisionID 0x01 [open]
> > ast# tpm pcr_read 0 0x81000000
> > Error: 256
> > ast# md.l 0x81000000 16
> > 81000000: 00000000 00000000 00000000 00000000    ................
> > 81000010: 00000000 00000000 00000000 00000000    ................
> > 81000020: 00000000 00000000 00000000 00000000    ................
> > 81000030: 00000000 00000000 00000000 00000000    ................
> > 81000040: 00000000 00000000 00000000 00000000    ................
> > 81000050: 00000000 00000000                      ........
> >
> > This doesn't need to block merging into qemu, as the model works fine
> > for pcr measurement and accessing under Linux. However it would be
> > good to work though these issues in case there's a modelling
> > discrepancy.
>
>
> Yes, Please provide me details on how to reproduce it. I will take a look.

This is the buildroot tree I've been using for testing:

https://github.com/shenki/buildroot/commits/ast2600-tpm

git clone https://github.com/shenki/buildroot -b ast2600-tpm
cd buildroot
make O=ast2600evb aspeed_ast2600evb_defconfig

I launch it with this qemu commandline:

swtpm socket --tpmstate dir=$XDG_RUNTIME_DIR --ctrl
type=unixio,path=$XDG_RUNTIME_DIR/swtpm-socket --tpm2

qemu-system-arm -M ast2600-evb -nographic -drive
file=ast2600evb/images/flash.img,if=mtd,format=raw -chardev
socket,id=chrtpm,path=$XDG_RUNTIME_DIR/swtpm-socket -tpmdev
emulator,id=tpm0,chardev=chrtpm -device
tpm-tis-i2c,tpmdev=tpm0,bus=aspeed.i2c.bus.12,address=0x2e

If you want to reproduce the u-boot behaviour, press any key to
interrupt the boot.

Booting this way, you can also test the u-boot behaviour. Once you're
in userspace:

# echo tpm_tis_i2c 0x2e > /sys/bus/i2c/devices/i2c-12/new_device
[   13.637081] tpm_tis_i2c 12-002e: 2.0 TPM (device-id 0x1, rev-id 1)
[   13.665239] i2c i2c-12: new_device: Instantiated device tpm_tis_i2c at 0x2e

# cat /sys/class/tpm/tpm0/pcr-sha256/0
FE9A732EAA7842D77DEECFC1DC610EBEA9414BFC39BEEBC8D2F071CF030FA592
Re: [PATCH v7 0/3] Add support for TPM devices over I2C bus
Posted by Stefan Berger 1 year ago 

On 3/27/23 04:04, Joel Stanley wrote:
> On Mon, 27 Mar 2023 at 03:52, Ninad Palsule <ninad@linux.vnet.ibm.com> wrote:
>>
>> Hi Joel,
>>
>> On 3/26/23 8:05 PM, Joel Stanley wrote:
>>> Hi Ninad,
>>>
>>> On Sun, 26 Mar 2023 at 22:44, Ninad Palsule <ninad@linux.ibm.com> wrote:
>>>> Hello,
>>>>
>>>> I have incorporated review comments from Stefan. Please review.
>>>>
>>>> This drop adds support for the TPM devices attached to the I2C bus. It
>>>> only supports the TPM2 protocol. You need to run it with the external
>>>> TPM emulator like swtpm. I have tested it with swtpm.
>>> Nice work. I tested these stop cedric's aspeed-8.0 qemu tree, using
>>> the rainier machine and the openbmc dev-6.1 kernel.
>>>
>>> We get this message when booting from a kernel:
>>>
>>> [    0.582699] tpm_tis_i2c 12-002e: 2.0 TPM (device-id 0x1, rev-id 1)
>>> [    0.586361] tpm tpm0: A TPM error (256) occurred attempting the self test
>>> [    0.586623] tpm tpm0: starting up the TPM manually
>>>
>>> Do we understand why the error appears?
>>
>>
>> Yes, As per kernel code this is an expected error for some emulators.
>>
>> On swtpm emulator, It returns TPM2_RC_INITIALIZE if emulator is not
>> initialized. I searched it in swtpm and it indicated that selftest
>> requested before it is initialized. I meant to ask Stefan but busy with
>> the review comments.
> 
> The swtpm man page mentions some flags we can set. Perhaps they would help?
> 
>         --flags [not-need-init]
> [,startup-clear|startup-state|startup-deactivated|startup-none]

With firmware initializing the TPM 2 neither of these options is necessary.
If firmware doesn't initialize the TPM 2 then Linux will show that error message and initialize it.



    Stefan
Re: [PATCH v7 0/3] Add support for TPM devices over I2C bus
Posted by Cédric Le Goater 1 year ago 
>>> However on a clean boot into the TPM, the u-boot tpm commands fail:
>>>
>>> ast# tpm info
>>> tpm@2e v2.0: VendorID 0x1014, DeviceID 0x0001, RevisionID 0x01 [closed]
>>> ast# tpINTERRUPT>
>>> ast# tpm init
>>> ast# tpm info
>>> tpm@2e v2.0: VendorID 0x1014, DeviceID 0x0001, RevisionID 0x01 [open]
>>> ast# tpm pcr_read 0 0x81000000
>>> Error: 256
>>> ast# md.l 0x81000000 16
>>> 81000000: 00000000 00000000 00000000 00000000    ................
>>> 81000010: 00000000 00000000 00000000 00000000    ................
>>> 81000020: 00000000 00000000 00000000 00000000    ................
>>> 81000030: 00000000 00000000 00000000 00000000    ................
>>> 81000040: 00000000 00000000 00000000 00000000    ................
>>> 81000050: 00000000 00000000                      ........
>>>
>>> This doesn't need to block merging into qemu, as the model works fine
>>> for pcr measurement and accessing under Linux. However it would be
>>> good to work though these issues in case there's a modelling
>>> discrepancy.
>>
>>
>> Yes, Please provide me details on how to reproduce it. I will take a look.
> 
> This is the buildroot tree I've been using for testing:
> 
> https://github.com/shenki/buildroot/commits/ast2600-tpm
> 
> git clone https://github.com/shenki/buildroot -b ast2600-tpm
> cd buildroot
> make O=ast2600evb aspeed_ast2600evb_defconfig

I have pushed binaries here also :

   https://github.com/legoater/qemu-aspeed-boot/tree/master/images/ast2600-evb/buildroot-2023.02-tpm

Cheers,

C.
Re: [PATCH v7 0/3] Add support for TPM devices over I2C bus
Posted by Joel Stanley 1 year ago 
On Mon, 27 Mar 2023 at 08:21, Cédric Le Goater <clg@kaod.org> wrote:
>
> >>> However on a clean boot into the TPM, the u-boot tpm commands fail:
> >>>
> >>> ast# tpm info
> >>> tpm@2e v2.0: VendorID 0x1014, DeviceID 0x0001, RevisionID 0x01 [closed]
> >>> ast# tpINTERRUPT>
> >>> ast# tpm init
> >>> ast# tpm info
> >>> tpm@2e v2.0: VendorID 0x1014, DeviceID 0x0001, RevisionID 0x01 [open]
> >>> ast# tpm pcr_read 0 0x81000000
> >>> Error: 256
> >>> ast# md.l 0x81000000 16
> >>> 81000000: 00000000 00000000 00000000 00000000    ................
> >>> 81000010: 00000000 00000000 00000000 00000000    ................
> >>> 81000020: 00000000 00000000 00000000 00000000    ................
> >>> 81000030: 00000000 00000000 00000000 00000000    ................
> >>> 81000040: 00000000 00000000 00000000 00000000    ................
> >>> 81000050: 00000000 00000000                      ........
> >>>
> >>> This doesn't need to block merging into qemu, as the model works fine
> >>> for pcr measurement and accessing under Linux. However it would be
> >>> good to work though these issues in case there's a modelling
> >>> discrepancy.
> >>
> >>
> >> Yes, Please provide me details on how to reproduce it. I will take a look.
> >
> > This is the buildroot tree I've been using for testing:
> >
> > https://github.com/shenki/buildroot/commits/ast2600-tpm
> >
> > git clone https://github.com/shenki/buildroot -b ast2600-tpm
> > cd buildroot
> > make O=ast2600evb aspeed_ast2600evb_defconfig
>
> I have pushed binaries here also :
>
>    https://github.com/legoater/qemu-aspeed-boot/tree/master/images/ast2600-evb/buildroot-2023.02-tpm

Thank you!

The non-zero PCRs I see with this are:

#  grep -r . /sys/class/tpm/tpm0/pcr-sha256/ | sort -n -k 7 -t /
/sys/class/tpm/tpm0/pcr-sha256/0:B804724EA13F52A9072BA87FE8FDCC497DFC9DF9AA15B9088694639C431688E0
/sys/class/tpm/tpm0/pcr-sha256/1:37F0F710A5502FAE6DB7433B36001FEE1CBF15BA2A7D6923207FF56888584714
/sys/class/tpm/tpm0/pcr-sha256/2:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
/sys/class/tpm/tpm0/pcr-sha256/3:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
/sys/class/tpm/tpm0/pcr-sha256/4:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
/sys/class/tpm/tpm0/pcr-sha256/5:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
/sys/class/tpm/tpm0/pcr-sha256/6:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
/sys/class/tpm/tpm0/pcr-sha256/7:E21B703EE69C77476BCCB43EC0336A9A1B2914B378944F7B00A10214CA8FEA93
/sys/class/tpm/tpm0/pcr-sha256/8:C840364040A0F98631A48A4C401C567226BFE5A2A30B958F1800E4849A140F69
/sys/class/tpm/tpm0/pcr-sha256/9:9D00428C528120A3F2D0D8CB0EB5D036D87C0D0F8D2990B8C1F12DEFAE3890C7

They seem to be stable across boots, which is good! We could use these
images and that pcr0 value for an avocado test.

Perhaps we could add an init script that binds the driver and prints
the value to the console to save having to log in.

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.