Hi Heinrich,
On Mon, 30 Aug 2021 at 01:34, Heinrich Schuchardt xypron.glpk@gmx.de wrote:
On 8/30/21 8:10 AM, Ilias Apalodimas wrote:
On Sun, 29 Aug 2021 at 13:53, Peter Robinson pbrobinson@gmail.com wrote:
On Sat, Aug 28, 2021 at 10:19 PM Simon Glass sjg@chromium.org wrote:
Hi Heinrich,
On Sat, 28 Aug 2021 at 06:18, Heinrich Schuchardt xypron.glpk@gmx.de wrote:
The current TPM emulation in drivers/tpm/tpm(2)_tis_sandbox.c is not spec compliant.
@Simon Just have look at the bunch of TPM related error messages generated on the sandbox:
=> host bind 0 ../sandbox.img => load host 0:1 $kernel_addr_r EFI/grub/shimriscv64.efi 755200 bytes read in 5 ms (144 MiB/s) => bootefi $kernel_addr_r Scanning disk mmc2.blk... No valid Btrfs found Bad magic number for SquashFS image. ** Unrecognized filesystem type ** Scanning disk mmc1.blk... No valid Btrfs found Bad magic number for SquashFS image. ** Unrecognized filesystem type ** Scanning disk mmc0.blk... No valid Btrfs found Bad magic number for SquashFS image. ** Unrecognized filesystem type ** Scanning disk host0... Found 5 disks Cannot install EFI_TCG2_PROTOCOL <<<<<<<<<<<<<<<<<<<<<<<<<<< "dfu_alt_info" env variable not defined! Probably dfu_alt_info not defined "dfu_alt_info" env variable not defined! Probably dfu_alt_info not defined Booting /EFI\grub\shimriscv64.efi PE image measurement failed <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< .sbat copied to 0x000000002ca7b000 .sbat = sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim
tcg2 measurement fails(0x8000000000000007) <<<<<<<<<<<<<<<<
OK...then I wonder what it would take to improve the sandbox TPM driver enough for these to pass? We have to think about cost/benefit of the amount of code we are bringing in, debugability, etc.
Do you mean it is incomplete or that it has bugs? If it is incomplete, what is needed by U-Boot?
A TPM emulation as UNIX socket exists with https://github.com/stefanberger/swtpm.git. QEMU already uses this emulator.
Couldn't the sandbox do the same? I think this is the fastest way to get a compliant sandbox TPM.
Well we could if we need it. Are you sure it is a good idea? There is a lot of code there. Are you thinking it would be copied into the U-Boot tree and kept in sync with a script, perhaps? Presumably the project would accept changes we need?
qemu doesn't copy it in, why can't it just run independently as part of the CI process? The rust TPM2 bindings do that here: https://github.com/parallaxsecond/rust-tss-esapi/blob/main/tss-esapi/tests/a...
Keep in mind this is exposed as an MMIIO device. I did send a driver for it a while back [1]. In case we decide to use this, we can probably re-use that
[1] https://lore.kernel.org/u-boot/20210707162604.84196-1-ilias.apalodimas@linar...
Regards /Ilias
Currently we don't test measured boot. I would prefer the tests to run on the sandbox and not in QEMU. This makes debugging much easier.
I couldn't agree more; development also.
Regards, Simon