
Re: Seabios Xen TPM check



On Thu, Jun 11, 2020 at 10:32 AM Stefan Berger <stefanb@xxxxxxxxxxxxx> wrote:
>
> On 6/11/20 8:36 AM, Jason Andryuk wrote:
> > Hi,
> >
> > SeaBIOS commit 67643955c746 (make SeaBios compatible with Xen vTPM.)
> > made tpm_start() exit before calling tpm_startup().  The commit
> > message has no explanation why this change was made.  Does anyone
> > remember why it was made?
> >
> > The code today means SeaBIOS will not populate PCRs when running on
> > Xen.  If I revert the patch, SeaBIOS populates PCRs as one would
> > expect.  This is with a QEMU-emulated TPM backed by swtpm in TPM 1.2
> > mode (qemu & swtpm running in a linux stubdom).
> >
> > Any insight is appreciated.
>
> My guess would be that for some reason the TPM 1.2 was already started
> up through other means and didn't need the SeaBIOS tpm_startup() to run.

Hmmm, yes.  Thanks, Stefan.  The mini-os vtpm stubdom calls
TPM_Startup and it looks like the Berlios tpm_emulator returns an
error when called twice.

From a little bit of googling, Quan and Emil (added to CC) were
working on an interface from QEMU to the vtpm stubdom, but it looks
like it didn't get merged into upstream QEMU?  It doesn't seem to be
there now.

Anyway, the mini-os vtpm stubdom calls TPM_Startup since a PV guest
doesn't have firmware to make the call.  SeaBIOS could make a
tpm_startup error non-fatal for Xen.  Or better - detect a vtpm
stubdom and only then skip initialization.  vtpm stubdom could also be
changed to skip TPM_Startup for HVM - not sure if that would be
problematic.  That would let SeaBIOS drop the Xen condition.

Regards,
Jason
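
The options weighed in the message above, as an added sketch that is not part of the email and is not SeaBIOS code: a constructed mock TPM and a hypothetical `fw_tpm_start()` compare returning early on Xen with treating an already-started TPM as non-fatal. It assumes the repeated-startup error is TPM 1.2's `TPM_INVALID_POSTINIT`; the thread does not name the code.

```c
#include <stdbool.h>
#include <stdio.h>

#define TPM_SUCCESS          0x00u
#define TPM_INVALID_POSTINIT 0x26u /* TPM 1.2 code; assumed reply to a repeated TPM_Startup */
/* Constructed TPM stand-in: tracks only startup state and accepted extends. */
struct mock_tpm { bool started; unsigned extends; };

/* NO_XEN_CHECK: any startup error is fatal. SKIP_ON_XEN: return before startup
 * on Xen. TOLERATE_STARTED: on Xen, accept "already started" and keep measuring. */
enum policy { NO_XEN_CHECK, SKIP_ON_XEN, TOLERATE_STARTED };

static unsigned mock_startup(struct mock_tpm *t)
{
    if (t->started)
        return TPM_INVALID_POSTINIT;
    t->started = true;
    return TPM_SUCCESS;
}

static bool mock_extend(struct mock_tpm *t)
{
    if (t->started)
        t->extends++;
    return t->started;
}

/* Hypothetical firmware entry point: returns the number of measurements
 * extended into PCRs, or -1 if TPM setup was abandoned. */
static int fw_tpm_start(struct mock_tpm *t, bool on_xen, enum policy p, int n)
{
    if (p == SKIP_ON_XEN && on_xen)
        return 0; /* nothing is measured, whatever backs the TPM */
    unsigned rc = mock_startup(t);
    if (rc == TPM_INVALID_POSTINIT && p == TOLERATE_STARTED && on_xen)
        rc = TPM_SUCCESS; /* something else, e.g. a vtpm stubdom, ran startup first */
    if (rc != TPM_SUCCESS)
        return -1;
    int done = 0;
    for (int i = 0; i < n; i++)
        done += mock_extend(t);
    return done;
}

int main(void)
{
    struct mock_tpm fresh = { false, 0 }, prestarted = { true, 0 };
    printf("skip=%d ", fw_tpm_start(&fresh, true, SKIP_ON_XEN, 3));
    printf("tolerate=%d\n", fw_tpm_start(&prestarted, true, TOLERATE_STARTED, 3));
    return 0;
}
```

With `SKIP_ON_XEN` a TPM that nothing has started yet receives no measurements, which is the empty-PCR symptom reported at the top of the thread; `TOLERATE_STARTED` measures in both the fresh and the pre-started case.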



 

