qemu: support virtual TPM

This enables the use of swtpm (from meta-security) as a virtual TPM in qemu. These patches extend the existing support in qemu for TPM passthrough so that a swtpm daemon can be accessed via CUSE (character device in user space). To use this: - add the meta-security layer including the swtpm enhancements for qemu - bitbake swtpm-native - create a TPM instance and initialize it with: $ mkdir -p my-machine/myvtpm0 $ tmp-glibc/sysroots/x86_64-linux/usr/bin/swtpm_setup_oe.sh --tpm-state my-machine/myvtpm0 --createek Starting vTPM manufacturing as root:root @ Fri 20 Jan 2017 08:56:18 AM CET TPM is listening on TCP port 52167. Successfully created EK. Successfully authored TPM state. Ending vTPM manufacturing @ Fri 20 Jan 2017 08:56:19 AM CET - run swtpm *before each runqemu invocation* (it shuts down after use) and do it as root (required to set up the /dev/vtpm0 CUSE device): $ sudo sh -c 'PATH=`pwd`/tmp-glibc/sysroots/x86_64-linux/usr/bin/:`pwd`/tmp-glibc/sysroots/x86_64-linux/usr/sbin/:$PATH; export TPM_PATH=`pwd`/my-machine/myvtpm0; swtpm_cuse -n vtpm0' && sudo chmod a+rw /dev/vtpm0 - run qemu: $ runqemu 'qemuparams=-tpmdev cuse-tpm,id=tpm0,path=/dev/vtpm0 -device tpm-tis,tpmdev=tpm0' ... The guest kernel has to have TPM support enabled, which can be done with: KERNEL_FEATURES_append = " features/tpm/tpm.scc" (From OE-Core rev: 1264d26fa251ac11a9069f3e602dec6be9d8b9ba) Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Patrick Ohly <patrick.ohly@intel.com> 2017-01-20 08:51:07 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-03-01 11:17:44 +0000
commit: 81b7a9832f9292ced5a113f0c50e1318301f7358 (patch)
tree: c58018580b33e880c999e894cd2542a4cd601016 /meta/recipes-devtools/qemu/qemu/0002-Introduce-condition-to-notify-waiters-of-completed-c.patch
parent: b16192c93834d0a6530169557aa34122e1417bcf (diff)
download: poky-81b7a9832f9292ced5a113f0c50e1318301f7358.tar.gz
1 files changed, 86 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0002-Introduce-condition-to-notify-waiters-of-completed-c.patch b/meta/recipes-devtools/qemu/qemu/0002-Introduce-condition-to-notify-waiters-of-completed-c.patch
new file mode 100644
index 0000000000..c88c98e565
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0002-Introduce-condition-to-notify-waiters-of-completed-c.patch
@@ -0,0 +1,86 @@
+From b5ffd3aa4e9bd4edb09cc84c46f78da72697a946 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Sat, 31 Dec 2016 11:23:32 -0500
+Subject: [PATCH 2/4] Introduce condition to notify waiters of completed
+ command
+Introduce a lock and a condition to notify anyone waiting for the completion
+of the execution of a TPM command by the backend (thread). The backend
+uses the condition to signal anyone waiting for command completion.
+We need to place the condition in two locations: one is invoked by the
+backend thread, the other by the bottom half thread.
+We will use the signalling to wait for command completion before VM
+suspend.
+Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Upstream-Status: Pending [https://lists.nongnu.org/archive/html/qemu-devel/2016-06/msg00252.html]
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+---
+ hw/tpm/tpm_int.h |  3 +++
+ hw/tpm/tpm_tis.c | 14 ++++++++++++++
+ 2 files changed, 17 insertions(+)
+diff --git a/hw/tpm/tpm_int.h b/hw/tpm/tpm_int.h
+index 6b2c9c953a..70be1ad8d9 100644
+--- a/hw/tpm/tpm_int.h
+++ b/hw/tpm/tpm_int.h
+@@ -30,6 +30,9 @@ struct TPMState {
+     char *backend;
+     TPMBackend *be_driver;
+     TPMVersion be_tpm_version;
+
+    QemuMutex state_lock;
+    QemuCond cmd_complete;
+ };
+ 
+ #define TPM(obj) OBJECT_CHECK(TPMState, (obj), TYPE_TPM_TIS)
+diff --git a/hw/tpm/tpm_tis.c b/hw/tpm/tpm_tis.c
+index 381e7266ea..14d9e83ea2 100644
+--- a/hw/tpm/tpm_tis.c
+++ b/hw/tpm/tpm_tis.c
+@@ -368,6 +368,8 @@ static void tpm_tis_receive_bh(void *opaque)
+     TPMTISEmuState *tis = &s->s.tis;
+     uint8_t locty = s->locty_number;
+ 
+    qemu_mutex_lock(&s->state_lock);
+
+     tpm_tis_sts_set(&tis->loc[locty],
+                     TPM_TIS_STS_VALID | TPM_TIS_STS_DATA_AVAILABLE);
+     tis->loc[locty].state = TPM_TIS_STATE_COMPLETION;
+@@ -384,6 +386,10 @@ static void tpm_tis_receive_bh(void *opaque)
+     tpm_tis_raise_irq(s, locty,
+                       TPM_TIS_INT_DATA_AVAILABLE | TPM_TIS_INT_STS_VALID);
+ #endif
+
+    /* notify of completed command */
+    qemu_cond_signal(&s->cmd_complete);
+    qemu_mutex_unlock(&s->state_lock);
+ }
+ 
+ /*
+@@ -403,6 +409,11 @@ static void tpm_tis_receive_cb(TPMState *s, uint8_t locty,
+         }
+     }
+ 
+    qemu_mutex_lock(&s->state_lock);
+    /* notify of completed command */
+    qemu_cond_signal(&s->cmd_complete);
+    qemu_mutex_unlock(&s->state_lock);
+
+     qemu_bh_schedule(tis->bh);
+ }
+ 
+@@ -1072,6 +1083,9 @@ static void tpm_tis_initfn(Object *obj)
+     memory_region_init_io(&s->mmio, OBJECT(s), &tpm_tis_memory_ops,
+                           s, "tpm-tis-mmio",
+                           TPM_TIS_NUM_LOCALITIES << TPM_TIS_LOCALITY_SHIFT);
+
+    qemu_mutex_init(&s->state_lock);
+    qemu_cond_init(&s->cmd_complete);
+ }
+ 
+ static void tpm_tis_class_init(ObjectClass *klass, void *data)
+-- 
+2.11.0
author	Patrick Ohly <patrick.ohly@intel.com>	2017-01-20 08:51:07 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-03-01 11:17:44 +0000
commit	81b7a9832f9292ced5a113f0c50e1318301f7358 (patch)
tree	c58018580b33e880c999e894cd2542a4cd601016 /meta/recipes-devtools/qemu/qemu/0002-Introduce-condition-to-notify-waiters-of-completed-c.patch
parent	b16192c93834d0a6530169557aa34122e1417bcf (diff)
download	poky-81b7a9832f9292ced5a113f0c50e1318301f7358.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/0002-Introduce-condition-to-notify-waiters-of-completed-c.patch b/meta/recipes-devtools/qemu/qemu/0002-Introduce-condition-to-notify-waiters-of-completed-c.patch new file mode 100644 index 0000000000..c88c98e565 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0002-Introduce-condition-to-notify-waiters-of-completed-c.patch
@@ -0,0 +1,86 @@
	1	From b5ffd3aa4e9bd4edb09cc84c46f78da72697a946 Mon Sep 17 00:00:00 2001
	2	From: Stefan Berger <stefanb@linux.vnet.ibm.com>
	3	Date: Sat, 31 Dec 2016 11:23:32 -0500
	4	Subject: [PATCH 2/4] Introduce condition to notify waiters of completed
	5	command
	6
	7	Introduce a lock and a condition to notify anyone waiting for the completion
	8	of the execution of a TPM command by the backend (thread). The backend
	9	uses the condition to signal anyone waiting for command completion.
	10	We need to place the condition in two locations: one is invoked by the
	11	backend thread, the other by the bottom half thread.
	12	We will use the signalling to wait for command completion before VM
	13	suspend.
	14
	15	Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
	16
	17	Upstream-Status: Pending [https://lists.nongnu.org/archive/html/qemu-devel/2016-06/msg00252.html]
	18	Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
	19	---
	20	hw/tpm/tpm_int.h \| 3 +++
	21	hw/tpm/tpm_tis.c \| 14 ++++++++++++++
	22	2 files changed, 17 insertions(+)
	23
	24	diff --git a/hw/tpm/tpm_int.h b/hw/tpm/tpm_int.h
	25	index 6b2c9c953a..70be1ad8d9 100644
	26	--- a/hw/tpm/tpm_int.h
	27	+++ b/hw/tpm/tpm_int.h
	28	@@ -30,6 +30,9 @@ struct TPMState {
	29	char *backend;
	30	TPMBackend *be_driver;
	31	TPMVersion be_tpm_version;
	32	+
	33	+ QemuMutex state_lock;
	34	+ QemuCond cmd_complete;
	35	};
	36
	37	#define TPM(obj) OBJECT_CHECK(TPMState, (obj), TYPE_TPM_TIS)
	38	diff --git a/hw/tpm/tpm_tis.c b/hw/tpm/tpm_tis.c
	39	index 381e7266ea..14d9e83ea2 100644
	40	--- a/hw/tpm/tpm_tis.c
	41	+++ b/hw/tpm/tpm_tis.c
	42	@@ -368,6 +368,8 @@ static void tpm_tis_receive_bh(void *opaque)
	43	TPMTISEmuState *tis = &s->s.tis;
	44	uint8_t locty = s->locty_number;
	45
	46	+ qemu_mutex_lock(&s->state_lock);
	47	+
	48	tpm_tis_sts_set(&tis->loc[locty],
	49	TPM_TIS_STS_VALID \| TPM_TIS_STS_DATA_AVAILABLE);
	50	tis->loc[locty].state = TPM_TIS_STATE_COMPLETION;
	51	@@ -384,6 +386,10 @@ static void tpm_tis_receive_bh(void *opaque)
	52	tpm_tis_raise_irq(s, locty,
	53	TPM_TIS_INT_DATA_AVAILABLE \| TPM_TIS_INT_STS_VALID);
	54	#endif
	55	+
	56	+ /* notify of completed command */
	57	+ qemu_cond_signal(&s->cmd_complete);
	58	+ qemu_mutex_unlock(&s->state_lock);
	59	}
	60
	61	/*
	62	@@ -403,6 +409,11 @@ static void tpm_tis_receive_cb(TPMState *s, uint8_t locty,
	63	}
	64	}
	65
	66	+ qemu_mutex_lock(&s->state_lock);
	67	+ /* notify of completed command */
	68	+ qemu_cond_signal(&s->cmd_complete);
	69	+ qemu_mutex_unlock(&s->state_lock);
	70	+
	71	qemu_bh_schedule(tis->bh);
	72	}
	73
	74	@@ -1072,6 +1083,9 @@ static void tpm_tis_initfn(Object *obj)
	75	memory_region_init_io(&s->mmio, OBJECT(s), &tpm_tis_memory_ops,
	76	s, "tpm-tis-mmio",
	77	TPM_TIS_NUM_LOCALITIES << TPM_TIS_LOCALITY_SHIFT);
	78	+
	79	+ qemu_mutex_init(&s->state_lock);
	80	+ qemu_cond_init(&s->cmd_complete);
	81	}
	82
	83	static void tpm_tis_class_init(ObjectClass klass, void data)
	84	--
	85	2.11.0
	86