cloud-hypervisor/docs/tpm.md
Yuji Hagiwara 5126e9b26e docs: Fix a typo on the doc for tpm
swtpm accepts --tpmstate option

Signed-off-by: Yuji Hagiwara <yuuzi41@gmail.com>
(cherry picked from commit 47a7ebe434)
Signed-off-by: Rob Bradford <robert.bradford@intel.com>
2022-12-13 15:12:40 +00:00

3.5 KiB

TPM

Tpm in Cloud-Hypervisor is emulated using swtpm as the backend. swtpm is the link to swtpm project.

Current implementation only supports TPM 2.0 version. At the moment only CRB Interface is implemented. This interface is described in TCG PC Client Platform TPM Profile Specification for TPM 2.0, Revision 01.05 v4.

Usage

--tpm, an optional argument, can be passed to enable tpm device. This argument takes an UNIX domain Socket as a socket value.

Example

An Example invocation with --tpm argument:

 ./cloud-hypervisor/target/release/cloud-hypervisor \
	--kernel ./hypervisor-fw \
	--disk path=focal-server-cloudimg-amd64.raw \
	--cpus boot=4 \
	--memory size=1024M \
	--net "tap=,mac=,ip=,mask=" \
	--tpm socket="/var/run/swtpm.socket"

swtpm

Before invoking cloud-hypervisor with --tpm argument, a swtpm process should be started to listen at the input socket. Below is an example invocation of swtpm process.

swtpm socket --tpmstate dir=/var/run/swtpm \
	--ctrl type=unixio,path="/var/run/swtpm.socket" \
	--flags startup-clear \
	--tpm2

Guest

After starting a guest with the above commands, ensure below listed modules are loaded in the guest:

# lsmod | grep tpm
tpm_crb                20480  0
tpm                    81920  1 tpm_crb

Below is the IO Memory map configured in the guest:

# cat /proc/iomem  | grep MSFT
fed40000-fed40fff : MSFT0101:00
  fed40000-fed40fff : MSFT0101:00

Below are the devices created in the guest:

# ls /dev/tpm*
/dev/tpm0  /dev/tpmrm0

Testing

Inside the guest install tpm2-tools package. This package provides some commands to run against TPM that supports 2.0 version.

Examples

// Run Self Test
# tpm2_selftest -f
# echo $?
0


# echo "hello" > input.txt
// this command generates hash of the input file using all the algos supported by TPM

# tpm2_pcrevent input.txt
sha1: f572d396fae9206628714fb2ce00f72e94f2258f
sha256: 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
sha384: 1d0f284efe3edea4b9ca3bd514fa134b17eae361ccc7a1eefeff801b9bd6604e01f21f6bf249ef030599f0c
218f2ba8c
sha512: e7c22b994c59d9cf2b48e549b1e24666636045930d3da7c1acb299d1c3b7f931f94aae41edda2c2b207a36e
10f8bcb8d45223e54878f5b316e7ce3b6bc019629

// verify one of the hashes
# sha256sum input.txt
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  input.txt

Bundled Functional Test

Build time dependencies for tpm2-tss are captured in INSTALL.

# git clone https://github.com/tpm2-software/tpm2-tss.git
# cd tpm2-tss
# ./configure --enable-integration --with-devicetests="mandatory,optional" --with-device=/dev/tpm0
# sudo make check-device
.
.
.
.
============================================================================
Testsuite summary for tpm2-tss 3.2.0-74-ge03617d9
============================================================================
# TOTAL: 154
# PASS:  88
# SKIP:  7
# XFAIL: 0
# FAIL:  59
# XPASS: 0
# ERROR: 0
============================================================================
See ./test-suite.log
Please report to https://github.com/tpm2-software/tpm2-tss/issues
============================================================================

The same set of failures are noticed while running these tests on Qemu with its TPM implementation.