qemu-devel

Re: [Qemu-devel] [PATCH] hw/misc: Add simple measurement hardware


From: Matthew Garrett
Subject: Re: [Qemu-devel] [PATCH] hw/misc: Add simple measurement hardware
Date: Fri, 15 Jul 2016 09:10:47 +0900

On Thu, Jul 14, 2016 at 11:54 PM, Daniel P. Berrange <address@hidden>
wrote:

> On Thu, Jun 23, 2016 at 04:36:59PM -0700, Matthew Garrett wrote:
> > In combination with work in SeaBIOS and the kernel, this permits a fully
> > measured boot in a virtualised environment without the overhead of a full
> > TPM implementation.
>
> Will it be capable of working with edk2/OVMF/AVMF as well as SeaBIOS?

Yes, that will work fine.


> > This version of the implementation depends on port io, but if there's
> > interest I'll add mmio as well.
>
> So I guess this is the reason you've only enabled it for x86_64. Since we're
> inventing an entirely new type of device here, not copying existing hardware,
> I think it'd be desirable if we created one that was supported across arches,
> particularly aarch64, since that's the new hotness.  With the convergence
> of both x86_64 and aarch64 to EFI, it'd be nice to aim for parity for this
> trusted boot support too if practical.
>

Fair. I can redo this so it's mmio everywhere.

>
> > diff --git a/hmp-commands.hx b/hmp-commands.hx
> > index 98b4b1a..6a31392 100644
> > --- a/hmp-commands.hx
> > +++ b/hmp-commands.hx
> > @@ -1748,6 +1748,19 @@ Set QOM property @var{property} of object at
> location @var{path} to value @var{v
> >  ETEXI
> >
> >      {
> > +        .name       = "measurements",
> > +        .args_type  = "",
> > +        .params     = "",
> > +        .help       = "Print system measurements",
> > +        .mhandler.cmd = print_measurements,
> > +    },
> > +STEXI
> > address@hidden measurements
> > address@hidden measurements
> > +Redirect Print system measurements
> > +ETEXI
> > +
> > +    {
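Review bot: In the texinfo block, `+Redirect Print system measurements` carries a stray "Redirect" that does not match the `.help` string ("Print system measurements") and reads like a leftover from a copied entry; drop the word so the generated documentation and the monitor help agree.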
>
> Thus, since this is just reporting info about a device, from an HMP POV,
> it would fit better as an 'info' sub-command, eg 'info measurements'.
> The QMP equivalent would be a 'query-measurements' command.
>

Ok.


>
> > +void print_measurements(Monitor *mon, const QDict *qdict)
> > +{
> > +    int i, j;
> > +    Object *obj = object_resolve_path_type("", TYPE_MEASUREMENTS, NULL);
> > +    MeasurementState *s;
> > +
> > +    if (!obj) {
> > +        return;
> > +    }
> > +
> > +    s = MEASUREMENT(obj);
> > +
> > +    for (i = 0; i < 24; i++) {
> > +        monitor_printf(mon, "0x%02x: ", i);
> > +        for (j = 0; j < 20; j++) {
> > +            monitor_printf(mon, "0x%02x ", s->measurements[i][j]);
> > +        }
> > +        monitor_printf(mon, "\n");
> > +    }
> > +}
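Review bot: The `if (!obj) { return; }` path in print_measurements() returns without printing anything, so a user who runs the command on a machine without the device gets no indication why the output is empty; print a short message through monitor_printf() before returning. The loop bounds 24 and 20 are also bare literals; naming them as constants shared with the declaration of `s->measurements` would keep the array size and this printing code from drifting apart.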
>
> The preferred approach to supporting monitor commands these
> days is to first define a schema for the information to be
> output in qapi-schema.json.  Then implement a QMP command
> that returns an instance of the data structure you defined.
> Finally, the HMP command would invoke the QMP command to
> get the data to be printed.
>

Ok, thanks for the pointers!

>
> > diff --git a/hw/misc/measurements.h b/hw/misc/measurements.h
> > new file mode 100644
> > index 0000000..65ad246
> > --- /dev/null
> > +++ b/hw/misc/measurements.h
> > @@ -0,0 +1,2 @@
> > +void print_measurements(Monitor *mon, const QDict *qdict);
> > +void extend_data(int pcrnum, uint8_t *data, size_t len);
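Review bot: The new hw/misc/measurements.h consists of only the two prototypes, with no include guard and no license comment, and it uses Monitor, QDict, uint8_t and size_t without including or forward-declaring them, so it compiles only when the including file has already pulled those types in. Add a guard and the needed includes or typedefs, and if extend_data() only reads the buffer, declare the parameter as `const uint8_t *data`.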
>
> 'extend_data' is rather too generic a name to expose across
> QEMU. Just add a "measurements_" prefix for any exported methods
> from the measurements device.
>

Will do. Thanks for the feedback!

