Stefan Berger <stef...@linux.vnet.ibm.com> wrote on 05/08/2015 12:15:17 PM:
> From: Stefan Berger <stef...@linux.vnet.ibm.com>
> To: qemu-devel@nongnu.org, m...@redhat.com
> Cc: imamm...@redhat.com, quan...@intel.com, Stefan Berger/Watson/IBM@IBMUS, ke...@koconnor.net, Stefan Berger <stef...@linux.vnet.ibm.com>
> Date: 05/08/2015 12:15 PM
> Subject: [PATCH v2 3/6] Support Physical Presence Interface Spec
>
> For automated management of a TPM device, implement the TCG Physical Presence
> Interface Specification that allows a root user on Linux (for example) to set
> an opcode for a sequence of TPM operations that the BIOS is supposed to execute
> upon reboot of the physical or virtual machine. A sequence of operations may for
> example involve giving up ownership of the TPM and activating and enabling the
> device.
>
> The sequences of operations are defined in table 2 in the specs to be found
> at the following link:
>
> http://www.trustedcomputinggroup.org/resources/tcg_physical_presence_interface_specification
>
> As an example, in recent versions of Linux the opcode (5) can be set as
> follows:
>
> cd /sys/devices/pnp0/00\:04/ppi
> echo 5 > request
>
> This ACPI implementation assumes that the underlying firmware (SeaBIOS)
> has 'thrown an anchor' into the f-segment. The anchor is identified by
> two signatures (TCG_MAGIC) surrounding a 64bit pointer. The structure
> in the f-segment is write-protected and holds a pointer to a structure
> in high memory area where the ACPI code writes the opcode into and
> where it can read the last response from the BIOS.
>
> The supported opcodes are 1-11, 14, and 21-22. (see table 2 in spec)
> Also '0' is supported to 'clear' an intention.

The SeaBIOS part is now here: http://www.seabios.org/pipermail/seabios/2015-May/009135.html

Stefan
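As an added example (not code from this patch, QEMU or SeaBIOS), the following Python locates the f-segment anchor described in the message on a constructed memory image and checks a requested opcode against the supported list. The TCG_MAGIC value, its 4-byte width and the magic | u64 pointer | magic ordering are assumptions; the message only says two TCG_MAGIC signatures surround a 64-bit pointer.

```python
import struct

# Placeholder signature: the real TCG_MAGIC value is not given in the message.
TCG_MAGIC = b"TCGM"          # assumed 4-byte signature
F_SEGMENT_BASE = 0xF0000     # physical base of the f-segment
POINTER_SIZE = 8             # the message says a 64-bit pointer

# Opcodes the patch says it supports (PPI spec table 2), plus 0 to clear.
SUPPORTED_OPCODES = frozenset({0} | set(range(1, 12)) | {14, 21, 22})


def find_ppi_anchor(fseg: bytes, base: int = F_SEGMENT_BASE):
    """Scan an f-segment image for MAGIC | u64 pointer | MAGIC (assumed layout).

    Returns (physical address of the anchor, pointer value) or None.
    A lone signature with no trailing signature is skipped, not trusted.
    """
    pattern_len = 2 * len(TCG_MAGIC) + POINTER_SIZE
    pos = fseg.find(TCG_MAGIC)
    while pos != -1 and pos + pattern_len <= len(fseg):
        ptr_off = pos + len(TCG_MAGIC)
        trailing = fseg[ptr_off + POINTER_SIZE: ptr_off + POINTER_SIZE + len(TCG_MAGIC)]
        if trailing == TCG_MAGIC:
            (ptr,) = struct.unpack_from("<Q", fseg, ptr_off)
            return base + pos, ptr
        pos = fseg.find(TCG_MAGIC, pos + 1)
    return None


def is_supported_opcode(op: int) -> bool:
    """True only for opcodes the patch advertises; anything else is rejected."""
    return op in SUPPORTED_OPCODES


def build_sample_fseg() -> bytes:
    """Constructed 64 KiB f-segment image: a decoy signature at 0x0800 and
    the real anchor at 0x1000 pointing at a constructed high-memory address."""
    img = bytearray(b"\xff" * 0x10000)
    img[0x0800:0x0804] = TCG_MAGIC                      # decoy, no trailing magic
    high_mem_ptr = 0x7FFE0000                            # constructed value
    img[0x1000:0x1010] = TCG_MAGIC + struct.pack("<Q", high_mem_ptr) + TCG_MAGIC
    return bytes(img)


if __name__ == "__main__":
    print(find_ppi_anchor(build_sample_fseg()))
    print([op for op in range(24) if is_supported_opcode(op)])
```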