On 04/16/2015 09:35 AM, Igor Mammedov wrote:
On Wed, 15 Apr 2015 18:38:43 -0400
Stefan Berger <stef...@linux.vnet.ibm.com> wrote:
The following series of patches extends TPM support with an
external TPM that offers a Linux CUSE (character device in userspace)
interface. This TPM lets each VM access its own private vTPM.
The CUSE TPM supports suspend/resume and migration. Much
out-of-band functionality necessary to control the CUSE TPM is
implemented using ioctl's.
The series extends the TPM support so far that most functionality of
TPM support on a physical platform is now available to each x86 VM,
this includes the Physical Presence Interface support that has
its counter-part in the SeaBIOS and is implemented using ACPI.
http://www.seabios.org/pipermail/seabios/2015-March/008978.html
Is it already merged?
No, not yet. :-(
Is it possible to use MMIO region instead of allocating tpm_ppi_anchor
and tpm_ppi in BIOS memory?
MMIO region of what? Of the TIS? The TIS doesn't have memory locations
'just to keep bytes' and they would be cleared upon machine reset / reboot.
The purpose of the PPI interface is to leave an opcode for the BIOS to
act upon after a reset. So we have to write it into memory that doesn't
get cleared upon reboot. Also, the BIOS leaves a result in memory so we
can read the result code in the OS via sysfs entry.
I had previously tried using NVRAM of the TPM to leave that opcode (and
result), but this doesn't work well due to protection restrictions of
the TPM's NVRAM locations; using the Linux TSS, for example, non-root
users could then write an opcode into the NVRAM of the TPM (there are
TPM commands to write to the TPM's NVRAM locations and tpm-tools has
tools to write to these locations) that the machine then ends up acting
upon without the admin of the machine wanting that. So, that's not a
choice, either.
That would simplify the BIOS part a bit and significantly simplify the ACPI code,
as most of it is dealing with figuring out the address of tpm_ppi.
Wished it would, but I don't see a way to make it easier.
So the first time one looks into the sysfs ppi entries [on Linux] it may
take a few seconds until the anchor is found. Subsequently the memory
location is cached and operations go a lot faster.
Stefan
Stefan Berger (5):
Provide support for the CUSE TPM
Support Physical Presence Interface Spec
Introduce condition to notify waiters of completed command
Introduce condition in TPM backend for notification
Add support for VM suspend/resume for TPM TIS
hmp.c | 6 +
hw/i386/acpi-tpm-core.dsl | 277 +++++++++++++++++++++++++++++
hw/i386/acpi-tpm2.dsl | 27 +++
hw/i386/q35-acpi-dsdt.dsl | 1 +
hw/i386/ssdt-tpm.dsl | 12 +-
hw/tpm/tpm_int.h | 4 +
hw/tpm/tpm_ioctl.h | 178 +++++++++++++++++++
hw/tpm/tpm_passthrough.c | 410 +++++++++++++++++++++++++++++++++++++++++--
hw/tpm/tpm_tis.c | 152 +++++++++++++++-
hw/tpm/tpm_tis.h | 2 +
hw/tpm/tpm_util.c | 206 ++++++++++++++++++++++
hw/tpm/tpm_util.h | 7 +
include/sysemu/tpm_backend.h | 12 ++
qapi-schema.json | 17 +-
qemu-options.hx | 21 ++-
qmp-commands.hx | 2 +-
tpm.c | 11 +-
17 files changed, 1316 insertions(+), 29 deletions(-)
create mode 100644 hw/i386/acpi-tpm-core.dsl
create mode 100644 hw/i386/acpi-tpm2.dsl
create mode 100644 hw/tpm/tpm_ioctl.h
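The handshake Stefan describes above (an opcode parked in memory that survives reset, the BIOS acting on it and leaving a result the OS reads back through sysfs, and the one-time scan for the anchor that makes the first lookup slow) as an added C model. This is not code from the QEMU or SeaBIOS patches; the anchor signature `QEMUPPI!`, the field layout, the opcode values and the result code 0 are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed anchor and layout for this example only; the real layout is
 * defined by the SeaBIOS/QEMU patches and is not reproduced here. */
#define PPI_ANCHOR_SIG "QEMUPPI!"
struct ppi_area {
    char     sig[8];     /* anchor the ACPI/OS side scans for */
    uint32_t request;    /* opcode the OS leaves for the BIOS */
    uint32_t last_op;    /* opcode the BIOS acted upon after reset */
    uint32_t response;   /* result code the BIOS leaves for the OS */
};
/* copy in and out with memcpy so no alignment of the image is assumed */
static struct ppi_area ppi_load(const uint8_t *m, long off)
{ struct ppi_area a; memcpy(&a, m + off, sizeof a); return a; }
static void ppi_store(const struct ppi_area *a, uint8_t *m, long off)
{ memcpy(m + off, a, sizeof *a); }
/* Scan the image at each 16-byte boundary for the anchor. This whole-region
 * scan is the slow first lookup; callers cache the offset it returns.
 * Returns -1 when no anchor is present. */
long ppi_find_anchor(const uint8_t *mem, size_t len)
{
    for (size_t off = 0; off + sizeof(struct ppi_area) <= len; off += 16)
        if (memcmp(mem + off, PPI_ANCHOR_SIG, 8) == 0)
            return (long)off;
    return -1;
}
/* OS side: leave the opcode in memory that survives the coming reset. */
void ppi_os_request(uint8_t *mem, long off, uint32_t op)
{
    struct ppi_area a = ppi_load(mem, off);
    a.request = op;
    ppi_store(&a, mem, off);
}
/* BIOS after reset: act on a pending opcode, record it with a result code
 * (0 = success here) and clear the request so it is not executed twice. */
void ppi_bios_after_reset(uint8_t *mem, long off)
{
    struct ppi_area a = ppi_load(mem, off);
    if (a.request != 0) {
        a.last_op = a.request; a.response = 0; a.request = 0;
    }
    ppi_store(&a, mem, off);
}
/* OS after reboot: read what the BIOS left (what the sysfs entries expose). */
uint32_t ppi_os_read(const uint8_t *mem, long off, int want_last_op)
{
    struct ppi_area a = ppi_load(mem, off);
    return want_last_op ? a.last_op : a.response;
}
```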