From: Stefan Berger
To: Laszlo Ersek, marcandre.lureau@redhat.com, edk2-devel@lists.01.org
Cc: pjones@redhat.com, jiewen.yao@intel.com, qemu-devel@nongnu.org, javierm@redhat.com
Date: Thu, 1 Mar 2018 11:36:47 -0500
Subject: Re: [Qemu-devel] [PATCH 0/7] RFC: ovmf: preliminary TPM2 support
References: <20180223132311.26555-1-marcandre.lureau@redhat.com>

On 02/23/2018 10:55 AM, Laszlo Ersek wrote:
> On 02/23/18 14:23, marcandre.lureau@redhat.com wrote:
>> From: Marc-André Lureau
>>
>> Hi,
>>
>> The following series adds basic TPM2 support for OVMF-on-QEMU (I
>> haven't tested TPM1, for lack of interest). It links with the modules
>> to initialize the device in PEI phase, and do measurements (both PEI
>> and DXE). The Tcg2Dxe module provides the Tcg2 protocol which allows
>> the guest to access the measurement log and other facilities.
>>
>> DxeTpm2MeasureBootLib seems to do its job at measuring images that are
>> not measured in PEI phase (such as PCI PXE rom)
>>
>> Tcg2ConfigDxe is mostly interesting for debugging for now.
>>
>> A major lack is the support for Physical Present Interface (PPI, more
>> below).
>>
>> Linux guests seem to work fine. But Windows guest generally complains
>> about the lack of PPI interface (most HLK tests require it, tpm.msc
>> admin interactions too). I haven't done "real" use-cases tests, as I
>> lack experience with TPM usage. Any help appreciated to test the TPM.
>>
>> Tcg2ConfigPei requires variable access, therefore
>> must be solved
>> first. I used "[edk2] [PATCH v2 0/8] OvmfPkg: add the Variable PEIM,
>> defragment the UEFI memmap" as a base for this series.
>>
>> I build edk2 with:
>>
>> $ build -DTPM2_ENABLE -DSECURE_BOOT_ENABLE -DMEM_VARSTORE_EMU_ENABLE=FALSE
>>
>> I test with qemu & swtpm/libtpms (tpm2 branches, swtpm_setup.sh --tpm2 --tpm-state tpmstatedir)
>>
>> $ swtpm socket --tpmstate tpmstatedir --ctrl type=unixio,path=tpmsock --tpm2 &
>> $ qemu .. -chardev socket,id=chrtpm,path=tpmsock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-crb,tpmdev=tpm0
> Thanks for this work -- extra thanks for the instructions regarding the
> software TPM backend.

Please use the tpm2-preview.v2 branch of swtpm and the tpm2-preview.rev146.v2 branch of libtpms. I had to change the way the state is serialized, so unfortunately you will also have to remove the tpm2-00.permall files.

Stefan