| This directory hosts (v)TPM related code. |
| |
| Background: |
| ----------- |
| |
| A TPM is a crypto chip that is found in many systems. Besides it offering |
| a secure key store, among other functionality, it is also used to implement |
| 'trusted boot'. This is realized by code in the firmware measuring parts of the |
| firmware's code and data as well as system data, such as the boot block, and |
| logging these measurements and storing (extending) them in the TPM's platform |
| configuration register (PCR). |
| |
| The benefits of having a TPM (or vTPM) in a system are: |
| |
| - enablement of trusted boot; this allow us to eventually extend the chain of |
| trust from the hypervisor to the guests |
| - enablement of attestation so that one can verify what software is running on |
| a machine (OpenPTS, OpenAttestation) |
| - provides TPM functionality to VMs, which includes a standardized mechanism |
| to store keys and other blobs (Linux trusted keys, GNU TLS's TPM extensions) |
| |
| |
| QEMU/KVM + SLOF support: |
| ------------------------ |
| |
| vTPM for QEMU/KVM pSeries virtual machines is support in QEMU 5.0. |
| |
| To start a QEMU VM with an attached vTPM (swtpm), run the below shown commands. |
| The following will setup the vTPM so that its state will be stored in |
| /tmp/myvtpm1. A unique directory for each VM instance with attached vTPM |
| must be provided. Whenever QEMU is started, the swtpm has to be started |
| before it. The file 'boot_rom.bin' is SLOF with vTPM extensions built-in. |
| |
| #> mkdir -p /tmp/mytpm1 |
| #> swtpm socket --tpm2 --tpmstate dir=/tmp/mytpm1 \ |
| --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock |
| |
| In another terminal: |
| |
| #> sudo qemu-system-ppc64 -display sdl \ |
| -machine pseries,accel=kvm \ |
| -m 1024 -bios boot_rom.bin -boot menu=on \ |
| -nodefaults -device VGA -device pci-ohci -device usb-kbd \ |
| -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \ |
| -tpmdev emulator,id=tpm0,chardev=chrtpm \ |
| -device tpm-spapr,tpmdev=tpm0 \ |
| -device spapr-vscsi,id=scsi0,reg=0x00002000 \ |
| -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x3,drive=drive-virtio-disk0,id=virtio-disk0 \ |
| -drive file=test.img,format=raw,if=none,id=drive-virtio-disk0 |
| |
| Notes: |
| - The Linux kernel in the VM must have the tpm_ibmvtpm module available |
| or built-in. A recent kernel is needed that enables TPM 2.0 support |
| in this module. |
| |
| - 'swtpm_ioctl --unix /tmp/mytpm1/swtpm-sock -s' can be used to gracefully |
| shut down the vTPM. |