sandbox TPM

Heinrich Schuchardt xypron.glpk at gmx.de
Mon Aug 30 09:34:04 CEST 2021



On 8/30/21 8:10 AM, Ilias Apalodimas wrote:
> On Sun, 29 Aug 2021 at 13:53, Peter Robinson <pbrobinson at gmail.com> wrote:
>>
>> On Sat, Aug 28, 2021 at 10:19 PM Simon Glass <sjg at chromium.org> wrote:
>>>
>>> Hi Heinrich,
>>>
>>> On Sat, 28 Aug 2021 at 06:18, Heinrich Schuchardt <xypron.glpk at gmx.de> wrote:
>>>>
>>>> The current TPM emulation in drivers/tpm/tpm(2)_tis_sandbox.c is not
>>>> spec compliant.

@Simon
Just have a look at the bunch of TPM related error messages generated on
the sandbox:

=> host bind 0 ../sandbox.img
=> load host 0:1 $kernel_addr_r EFI/grub/shimriscv64.efi
755200 bytes read in 5 ms (144 MiB/s)
=> bootefi $kernel_addr_r
Scanning disk mmc2.blk...
No valid Btrfs found
Bad magic number for SquashFS image.
** Unrecognized filesystem type **
Scanning disk mmc1.blk...
No valid Btrfs found
Bad magic number for SquashFS image.
** Unrecognized filesystem type **
Scanning disk mmc0.blk...
No valid Btrfs found
Bad magic number for SquashFS image.
** Unrecognized filesystem type **
Scanning disk host0...
Found 5 disks
Cannot install EFI_TCG2_PROTOCOL <<<<<<<<<<<<<<<<<<<<<<<<<<<
"dfu_alt_info" env variable not defined!
Probably dfu_alt_info not defined
"dfu_alt_info" env variable not defined!
Probably dfu_alt_info not defined
Booting /EFI\grub\shimriscv64.efi
PE image measurement failed <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
.sbat copied to 0x000000002ca7b000
.sbat =
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim

tcg2 measurement fails(0x8000000000000007)  <<<<<<<<<<<<<<<<


>>>
>>> Do you mean it is incomplete or that it has bugs? If it is incomplete,
>>> what is needed by U-Boot?
>
>>>
>>>>
>>>> A TPM emulation as UNIX socket exists with
>>>> https://github.com/stefanberger/swtpm.git. QEMU already uses this emulator.
>>>>
>>>> Couldn't the sandbox do the same? I think this is the fastest way to get
>>>> a compliant sandbox TPM.
>>>
>>> Well we could if we need it. Are you sure it is a good idea? There is
>>> a lot of code there. Are you thinking it would be copied into the
>>> U-Boot tree and kept in sync with a script, perhaps? Presumably the
>>> project would accept changes we need?
>>
>> qemu doesn't copy it in, why can't it just run independently as part
>> of the CI process? The rust TPM2 bindings do that here:
>> https://github.com/parallaxsecond/rust-tss-esapi/blob/main/tss-esapi/tests/all-fedora.sh#L13
>
> Keep in mind this is exposed as an MMIO device. I did send a driver
> for it a while back [1].  In case we decide to use this, we can
> probably re-use that
>
> [1] https://lore.kernel.org/u-boot/20210707162604.84196-1-ilias.apalodimas@linaro.org/
>
> Regards
> /Ilias
>

Currently we don't test measured boot. I would prefer the tests to run
on the sandbox and not in QEMU. This makes debugging much easier.

Best regards

Heinrich


