[U-BOOT-TEST-HOOKS PATCH 1/1] Enable TPMv2 emulation
Provide a QEMU helper script to launch swtpm and add extra parameters to conf.qemu_arm64_na and conf.qemu_arm_na to provide an emulated TPMv2.
Signed-off-by: Heinrich Schuchardt heinrich.schuchardt@canonical.com --- bin/qemu.swtpm | 19 +++++++++++++++++++ bin/travis-ci/conf.qemu_arm64_na | 3 ++- bin/travis-ci/conf.qemu_arm_na | 3 ++- 3 files changed, 23 insertions(+), 2 deletions(-) create mode 100755 bin/qemu.swtpm
diff --git a/bin/qemu.swtpm b/bin/qemu.swtpm new file mode 100755 index 0000000..089feba --- /dev/null +++ b/bin/qemu.swtpm @@ -0,0 +1,19 @@ +#!/bin/sh +# SPDX-License-Identifier: BSD-2 +# +# This script launches swtpm to emulate a TPMv2. The parameter -t makes it +# unload when the connection to QEMU is terminated. To make use of it add +# +# qemu_helper_script="swtpm" +# +# to the board script and the following arguments to qemu_extra_args +# +# -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock \ +# -tpmdev emulator,id=tpm0,chardev=chrtpm \ +# -device tpm-tis-device,tpmdev=tpm0 +# +# U-Boot must be built with CONFIG_TPM2_MMIO=y. + +mkdir -p /tmp/tpm +swtpm socket -t --tpmstate dir=/tmp/tpm --tpm2 \ +--ctrl type=unixio,path=/tmp/tpm/swtpm-sock & diff --git a/bin/travis-ci/conf.qemu_arm64_na b/bin/travis-ci/conf.qemu_arm64_na index e7c9426..14577d8 100644 --- a/bin/travis-ci/conf.qemu_arm64_na +++ b/bin/travis-ci/conf.qemu_arm64_na @@ -22,8 +22,9 @@
console_impl=qemu qemu_machine="virt" +qemu_helper_script="swtpm" qemu_binary="qemu-system-aarch64" -qemu_extra_args="-cpu cortex-a57 -nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci" +qemu_extra_args="-cpu cortex-a57 -nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0" qemu_kernel_args="-bios ${U_BOOT_BUILD_DIR}/u-boot.bin" reset_impl=none flash_impl=none diff --git a/bin/travis-ci/conf.qemu_arm_na b/bin/travis-ci/conf.qemu_arm_na index 0f07c80..de0694d 100644 --- a/bin/travis-ci/conf.qemu_arm_na +++ b/bin/travis-ci/conf.qemu_arm_na @@ -22,8 +22,9 @@
console_impl=qemu qemu_machine="virt" +qemu_helper_script="swtpm" qemu_binary="qemu-system-arm" -qemu_extra_args="-nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci" +qemu_extra_args="-nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0" qemu_kernel_args="-bios ${U_BOOT_BUILD_DIR}/u-boot.bin" reset_impl=none flash_impl=none
Hi Heinrich,
On Mon, 15 Nov 2021 at 12:11, Heinrich Schuchardt heinrich.schuchardt@canonical.com wrote:
Provide a QEMU helper script to launch swtpm and add extra parameters to conf.qemu_arm64_na and conf.qemu_arm_na to provide an emulated TPMv2.
Signed-off-by: Heinrich Schuchardt heinrich.schuchardt@canonical.com
bin/qemu.swtpm | 19 +++++++++++++++++++ bin/travis-ci/conf.qemu_arm64_na | 3 ++- bin/travis-ci/conf.qemu_arm_na | 3 ++- 3 files changed, 23 insertions(+), 2 deletions(-) create mode 100755 bin/qemu.swtpm
diff --git a/bin/qemu.swtpm b/bin/qemu.swtpm new file mode 100755 index 0000000..089feba --- /dev/null +++ b/bin/qemu.swtpm @@ -0,0 +1,19 @@ +#!/bin/sh +# SPDX-License-Identifier: BSD-2 +# +# This script launches swtpm to emulate a TPMv2. The parameter -t makes it +# unload when the connection to QEMU is terminated. To make use of it add +# +# qemu_helper_script="swtpm" +# +# to the board script and the following arguments to qemu_extra_args +# +# -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock \ +# -tpmdev emulator,id=tpm0,chardev=chrtpm \ +# -device tpm-tis-device,tpmdev=tpm0 +# +# U-Boot must be built with CONFIG_TPM2_MMIO=y.
+mkdir -p /tmp/tpm +swtpm socket -t --tpmstate dir=/tmp/tpm --tpm2 \ +--ctrl type=unixio,path=/tmp/tpm/swtpm-sock &
Nit pick the & can be '-d'
diff --git a/bin/travis-ci/conf.qemu_arm64_na b/bin/travis-ci/conf.qemu_arm64_na index e7c9426..14577d8 100644 --- a/bin/travis-ci/conf.qemu_arm64_na +++ b/bin/travis-ci/conf.qemu_arm64_na @@ -22,8 +22,9 @@
console_impl=qemu qemu_machine="virt" +qemu_helper_script="swtpm" qemu_binary="qemu-system-aarch64" -qemu_extra_args="-cpu cortex-a57 -nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci" +qemu_extra_args="-cpu cortex-a57 -nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0" qemu_kernel_args="-bios ${U_BOOT_BUILD_DIR}/u-boot.bin" reset_impl=none flash_impl=none diff --git a/bin/travis-ci/conf.qemu_arm_na b/bin/travis-ci/conf.qemu_arm_na index 0f07c80..de0694d 100644 --- a/bin/travis-ci/conf.qemu_arm_na +++ b/bin/travis-ci/conf.qemu_arm_na @@ -22,8 +22,9 @@
console_impl=qemu qemu_machine="virt" +qemu_helper_script="swtpm" qemu_binary="qemu-system-arm" -qemu_extra_args="-nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci" +qemu_extra_args="-nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0"
Just a note here 'tpm-tis-device' works for arm. If we evenr need this on x86 it's 'tpm-tis' ....
qemu_kernel_args="-bios ${U_BOOT_BUILD_DIR}/u-boot.bin" reset_impl=none flash_impl=none -- 2.32.0
Other than that Reviewed-by: Ilias Apalodimas ilias.apalodimas@linaro.org
On 11/24/21 08:23, Ilias Apalodimas wrote:
Hi Heinrich,
On Mon, 15 Nov 2021 at 12:11, Heinrich Schuchardt heinrich.schuchardt@canonical.com wrote:
Provide a QEMU helper script to launch swtpm and add extra parameters to conf.qemu_arm64_na and conf.qemu_arm_na to provide an emulated TPMv2.
Signed-off-by: Heinrich Schuchardt heinrich.schuchardt@canonical.com
bin/qemu.swtpm | 19 +++++++++++++++++++ bin/travis-ci/conf.qemu_arm64_na | 3 ++- bin/travis-ci/conf.qemu_arm_na | 3 ++- 3 files changed, 23 insertions(+), 2 deletions(-) create mode 100755 bin/qemu.swtpm
diff --git a/bin/qemu.swtpm b/bin/qemu.swtpm new file mode 100755 index 0000000..089feba --- /dev/null +++ b/bin/qemu.swtpm @@ -0,0 +1,19 @@ +#!/bin/sh +# SPDX-License-Identifier: BSD-2 +# +# This script launches swtpm to emulate a TPMv2. The parameter -t makes it +# unload when the connection to QEMU is terminated. To make use of it add +# +# qemu_helper_script="swtpm" +# +# to the board script and the following arguments to qemu_extra_args +# +# -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock \ +# -tpmdev emulator,id=tpm0,chardev=chrtpm \ +# -device tpm-tis-device,tpmdev=tpm0 +# +# U-Boot must be built with CONFIG_TPM2_MMIO=y.
+mkdir -p /tmp/tpm +swtpm socket -t --tpmstate dir=/tmp/tpm --tpm2 \ +--ctrl type=unixio,path=/tmp/tpm/swtpm-sock &
Nit pick the & can be '-d'
Daemonizing will ensure that we don't get console output. I will change this.
diff --git a/bin/travis-ci/conf.qemu_arm64_na b/bin/travis-ci/conf.qemu_arm64_na index e7c9426..14577d8 100644 --- a/bin/travis-ci/conf.qemu_arm64_na +++ b/bin/travis-ci/conf.qemu_arm64_na @@ -22,8 +22,9 @@
console_impl=qemu qemu_machine="virt" +qemu_helper_script="swtpm" qemu_binary="qemu-system-aarch64" -qemu_extra_args="-cpu cortex-a57 -nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci" +qemu_extra_args="-cpu cortex-a57 -nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0" qemu_kernel_args="-bios ${U_BOOT_BUILD_DIR}/u-boot.bin" reset_impl=none flash_impl=none diff --git a/bin/travis-ci/conf.qemu_arm_na b/bin/travis-ci/conf.qemu_arm_na index 0f07c80..de0694d 100644 --- a/bin/travis-ci/conf.qemu_arm_na +++ b/bin/travis-ci/conf.qemu_arm_na @@ -22,8 +22,9 @@
console_impl=qemu qemu_machine="virt" +qemu_helper_script="swtpm" qemu_binary="qemu-system-arm" -qemu_extra_args="-nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci" +qemu_extra_args="-nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0"
Just a note here 'tpm-tis-device' works for arm. If we evenr need this on x86 it's 'tpm-tis' ....
This file is ARM specific.
Best regards
Heinrich
qemu_kernel_args="-bios ${U_BOOT_BUILD_DIR}/u-boot.bin" reset_impl=none flash_impl=none -- 2.32.0
Other than that Reviewed-by: Ilias Apalodimas ilias.apalodimas@linaro.org
On Wed, Nov 24, 2021 at 08:33:42AM +0100, Heinrich Schuchardt wrote:
On 11/24/21 08:23, Ilias Apalodimas wrote:
Hi Heinrich,
On Mon, 15 Nov 2021 at 12:11, Heinrich Schuchardt heinrich.schuchardt@canonical.com wrote:
Provide a QEMU helper script to launch swtpm and add extra parameters to conf.qemu_arm64_na and conf.qemu_arm_na to provide an emulated TPMv2.
Signed-off-by: Heinrich Schuchardt heinrich.schuchardt@canonical.com
bin/qemu.swtpm | 19 +++++++++++++++++++ bin/travis-ci/conf.qemu_arm64_na | 3 ++- bin/travis-ci/conf.qemu_arm_na | 3 ++- 3 files changed, 23 insertions(+), 2 deletions(-) create mode 100755 bin/qemu.swtpm
diff --git a/bin/qemu.swtpm b/bin/qemu.swtpm new file mode 100755 index 0000000..089feba --- /dev/null +++ b/bin/qemu.swtpm @@ -0,0 +1,19 @@ +#!/bin/sh +# SPDX-License-Identifier: BSD-2 +# +# This script launches swtpm to emulate a TPMv2. The parameter -t makes it +# unload when the connection to QEMU is terminated. To make use of it add +# +# qemu_helper_script="swtpm" +# +# to the board script and the following arguments to qemu_extra_args +# +# -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock \ +# -tpmdev emulator,id=tpm0,chardev=chrtpm \ +# -device tpm-tis-device,tpmdev=tpm0 +# +# U-Boot must be built with CONFIG_TPM2_MMIO=y.
+mkdir -p /tmp/tpm +swtpm socket -t --tpmstate dir=/tmp/tpm --tpm2 \ +--ctrl type=unixio,path=/tmp/tpm/swtpm-sock &
Nit pick the & can be '-d'
Daemonizing will ensure that we don't get console output. I will change this.
diff --git a/bin/travis-ci/conf.qemu_arm64_na b/bin/travis-ci/conf.qemu_arm64_na index e7c9426..14577d8 100644 --- a/bin/travis-ci/conf.qemu_arm64_na +++ b/bin/travis-ci/conf.qemu_arm64_na @@ -22,8 +22,9 @@
console_impl=qemu qemu_machine="virt" +qemu_helper_script="swtpm" qemu_binary="qemu-system-aarch64" -qemu_extra_args="-cpu cortex-a57 -nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci" +qemu_extra_args="-cpu cortex-a57 -nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0" qemu_kernel_args="-bios ${U_BOOT_BUILD_DIR}/u-boot.bin" reset_impl=none flash_impl=none diff --git a/bin/travis-ci/conf.qemu_arm_na b/bin/travis-ci/conf.qemu_arm_na index 0f07c80..de0694d 100644 --- a/bin/travis-ci/conf.qemu_arm_na +++ b/bin/travis-ci/conf.qemu_arm_na @@ -22,8 +22,9 @@
console_impl=qemu qemu_machine="virt" +qemu_helper_script="swtpm" qemu_binary="qemu-system-arm" -qemu_extra_args="-nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci" +qemu_extra_args="-nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0"
Just a note here 'tpm-tis-device' works for arm. If we evenr need this on x86 it's 'tpm-tis' ....
This file is ARM specific.
Sure, but it's worth noting since if we can also use these features and tests on qemu-x86_64 we should. Doesn't need to be to start with tho. And I will apply this shortly.
On 11/27/21 02:38, Tom Rini wrote:
On Wed, Nov 24, 2021 at 08:33:42AM +0100, Heinrich Schuchardt wrote:
On 11/24/21 08:23, Ilias Apalodimas wrote:
Hi Heinrich,
On Mon, 15 Nov 2021 at 12:11, Heinrich Schuchardt heinrich.schuchardt@canonical.com wrote:
Provide a QEMU helper script to launch swtpm and add extra parameters to conf.qemu_arm64_na and conf.qemu_arm_na to provide an emulated TPMv2.
Signed-off-by: Heinrich Schuchardt heinrich.schuchardt@canonical.com
bin/qemu.swtpm | 19 +++++++++++++++++++ bin/travis-ci/conf.qemu_arm64_na | 3 ++- bin/travis-ci/conf.qemu_arm_na | 3 ++- 3 files changed, 23 insertions(+), 2 deletions(-) create mode 100755 bin/qemu.swtpm
diff --git a/bin/qemu.swtpm b/bin/qemu.swtpm new file mode 100755 index 0000000..089feba --- /dev/null +++ b/bin/qemu.swtpm @@ -0,0 +1,19 @@ +#!/bin/sh +# SPDX-License-Identifier: BSD-2 +# +# This script launches swtpm to emulate a TPMv2. The parameter -t makes it +# unload when the connection to QEMU is terminated. To make use of it add +# +# qemu_helper_script="swtpm" +# +# to the board script and the following arguments to qemu_extra_args +# +# -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock \ +# -tpmdev emulator,id=tpm0,chardev=chrtpm \ +# -device tpm-tis-device,tpmdev=tpm0 +# +# U-Boot must be built with CONFIG_TPM2_MMIO=y.
+mkdir -p /tmp/tpm +swtpm socket -t --tpmstate dir=/tmp/tpm --tpm2 \ +--ctrl type=unixio,path=/tmp/tpm/swtpm-sock &
Nit pick the & can be '-d'
Daemonizing will ensure that we don't get console output. I will change this.
diff --git a/bin/travis-ci/conf.qemu_arm64_na b/bin/travis-ci/conf.qemu_arm64_na index e7c9426..14577d8 100644 --- a/bin/travis-ci/conf.qemu_arm64_na +++ b/bin/travis-ci/conf.qemu_arm64_na @@ -22,8 +22,9 @@
console_impl=qemu qemu_machine="virt" +qemu_helper_script="swtpm" qemu_binary="qemu-system-aarch64" -qemu_extra_args="-cpu cortex-a57 -nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci" +qemu_extra_args="-cpu cortex-a57 -nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0" qemu_kernel_args="-bios ${U_BOOT_BUILD_DIR}/u-boot.bin" reset_impl=none flash_impl=none diff --git a/bin/travis-ci/conf.qemu_arm_na b/bin/travis-ci/conf.qemu_arm_na index 0f07c80..de0694d 100644 --- a/bin/travis-ci/conf.qemu_arm_na +++ b/bin/travis-ci/conf.qemu_arm_na @@ -22,8 +22,9 @@
console_impl=qemu qemu_machine="virt" +qemu_helper_script="swtpm" qemu_binary="qemu-system-arm" -qemu_extra_args="-nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci" +qemu_extra_args="-nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0"
Just a note here 'tpm-tis-device' works for arm. If we evenr need this on x86 it's 'tpm-tis' ....
This file is ARM specific.
Sure, but it's worth noting since if we can also use these features and tests on qemu-x86_64 we should. Doesn't need to be to start with tho. And I will apply this shortly.
The current version of this patch is:
[v2,1/1] Enable TPMv2 emulation https://patchwork.ozlabs.org/project/uboot/patch/20211124081251.59511-1-hein...
On x86 we don't have support for the emulated TPM in U-Boot. According to the QEMU documentation you would have to parse ACPI tables to detect if a TPM is made available by QEMU. Maybe you could instead define it in arch/x86/dts/qemu-x86_i440fx.dts. Cf. https://qemu-project.gitlab.io/qemu/specs/tpm.html#acpi-interface
Once that work is done we should enable the TPM emulation on x86 in the U-Boot test hooks.
This will be the required settings:
qemu_helper_script="swtpm" qemu_extra_args="-nographic -cpu qemu64 -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0"
Best regards
Heinrich
participants (3)
-
Heinrich Schuchardt -
Ilias Apalodimas -
Tom Rini