Re: [Qemu-devel] TPM status


From: Javier Martinez Canillas
Subject: Re: [Qemu-devel] TPM status
Date: Thu, 29 Jun 2017 16:07:07 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.0

Hello Stefan,

On 06/28/2017 10:57 PM, Stefan Berger wrote:
> On 06/28/2017 12:44 PM, Laszlo Ersek wrote:
>> On 06/28/17 17:22, Peter Jones wrote:
>>> On Tue, Jun 27, 2017 at 12:12:50PM -0400, Stefan Berger wrote:

[snip]

>>>>
>>>> To support measurement logs to be written by the firmware, e.g.
>>>> SeaBIOS, a TCPA table is implemented. This table provides a 64kb
>>>> buffer where the firmware can write its log into.
>>> How does this work if we boot with edk2?
>> My expectation is that it doesn't work at all, without doing some OVMF
>> platform enablement first. (See
>> <https://bugzilla.tianocore.org/show_bug.cgi?id=594>.) My plan is to use
>> Stefan's document as a starting point for the edk2 / OVMF investigation
>> -- one known and one unknown are better than two unknowns (to me).
>>> Do we get what's described in
>>> https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-rev13-160330final.pdf
>>> instead of this interface?  As well as it?  It'd be good to have some
>>> text about this here.
>> I don't think that Stefan has spent any time on EFI enablement, so this
>> part of the document will have to be written later, once there is any
>> EFI-related functionality we can document. (I expect.)
> 
> Right, I did not spend any time on EFI. I suppose the ACPI tables going to a 
> BIOS are also useful for EFI.
> 
> For BIOS there is unfortunately only a spec for TPM 1.2, none anymore for
> TPM2, at least back then when I last looked for it. So I ended up passing
> that TCPA table that has the pointer for the logging area also in case of
> a TPM 2. So SeaBIOS writes its log to it in both cases, following the TPM 2

But this isn't correct from a TPM2 pov, right? Because the TPM2 spec says
that the ACPI table that contains the TPM2.0 event logs is the TPM2 table.

So instead the LASA field in the passed TPM2 ACPI table should point to the
allocated buffer used by the firmware to store the event logs.

> format from the EFI specs for the entries. The Linux driver in the meantime
> has modified the code so that it doesn't show the log anymore in case of
> TPM 2 :-( . I think the above referenced specs would explain how the logging

Do you mean that in the past Linux exposed the securityfs files with the event
logs for TPM2 chips as well? My understanding is that Linux does the correct
thing now, since as mentioned the TCPA table should only be used for TPM1.2.

There are patches posted to add Linux support to read the event logs for TPM2
chips but from the TPM2 ACPI table. I see that those haven't landed yet though:

https://patchwork.kernel.org/project/tpmdd-devel/list/?submitter=7143

Best regards,
-- 
Javier Martinez Canillas
Software Engineer - Desktop Hardware Enablement
Red Hat
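
The TCPA-versus-TPM2 table question discussed in this message, as an added example that is not part of the original e-mail and is not QEMU, SeaBIOS or Linux code: a bounds-checked lookup of the log area length (LAML) and start address (LASA) in either table. The field offsets are assumptions taken from the TCG ACPI specification rather than from the thread, and the sample tables and the address 0x7ffe0000 are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets assumed from the TCG ACPI specification (not given in the thread). */
#define ACPI_HDR_LEN  36 /* standard ACPI table header */
#define TCPA_LAML_OFF 38 /* header + u16 platform class (client layout) */
#define TPM2_LAML_OFF 64 /* header + class/reserved + control area address
                            + start method + 12 parameter bytes */
struct log_area { uint32_t laml; uint64_t lasa; }; /* length, start address */

static uint64_t rd_le(const uint8_t *p, int n) /* little-endian read */
{
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Returns 0 and fills *out if the table advertises a usable log area,
 * -1 if it is truncated, corrupt, unknown, or has no LAML/LASA fields. */
int find_log_area(const uint8_t *tbl, size_t avail, struct log_area *out)
{
    size_t off, len;
    uint8_t sum = 0;
    if (avail < ACPI_HDR_LEN) return -1;
    len = (size_t)rd_le(tbl + 4, 4);             /* Length field */
    if (len < ACPI_HDR_LEN || len > avail) return -1;
    for (size_t i = 0; i < len; i++) sum += tbl[i];
    if (sum != 0) return -1;                     /* ACPI checksum must be 0 */
    if (memcmp(tbl, "TCPA", 4) == 0) off = TCPA_LAML_OFF;
    else if (memcmp(tbl, "TPM2", 4) == 0) off = TPM2_LAML_OFF;
    else return -1;
    if (len < off + 12) return -1;     /* table too short to carry LAML/LASA */
    if (off == TCPA_LAML_OFF && rd_le(tbl + 36, 2) != 0) return -1; /* server class */
    out->laml = (uint32_t)rd_le(tbl + off, 4);
    out->lasa = rd_le(tbl + off + 4, 8);
    return (out->laml && out->lasa) ? 0 : -1;
}

/* Constructed sample tables: 64 KiB log area at 0x7ffe0000, valid checksums. */
const uint8_t sample_tcpa[50] = {'T','C','P','A', 50,0,0,0, 2, 0x26, [40] = 0x01, [44] = 0xfe, 0x7f};
const uint8_t sample_tpm2[76] = {'T','P','M','2', 76,0,0,0, 4, 0x0f, [66] = 0x01, [70] = 0xfe, 0x7f};
const uint8_t sample_tpm2_short[52] = {'T','P','M','2', 52,0,0,0, 3, 0xa6};

int main(void)
{
    struct log_area a;
    if (find_log_area(sample_tpm2, sizeof sample_tpm2, &a) == 0)
        printf("TPM2 log: %u bytes at 0x%llx\n", a.laml, (unsigned long long)a.lasa);
    return 0;
}
```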


