On Fri, Jan 22, 2016 at 03:27:28PM -0500, Stefan Berger wrote: > "Kevin O'Connor" <ke...@koconnor.net> wrote on 01/21/2016 05:37:29 PM: > > > > > On Fri, Jan 15, 2016 at 02:44:30PM -0500, Stefan Berger wrote: > > > This series of patches adds TPM 2 support to SeaBIOS in the way previously > > > proposed. > > > > > > TPM 2 support also changes the log entry format, which I have not > > > addressed > > > at all so far, and would append to the end of the series. > > > > Thanks Stefan. In general it looks good to me. I have a few > > comments, which I'll send separately. All of my comments could be > > addressed after committing this series if desired. > > I can address those comments and repost a V2 with the 10th patch adding the > part for the logging. > > > > > How does one test and/or use this support? Does QEMU have support, or > > is there hardware available on coreboot with the tpm2 hardware? > > I did all the testing of these patches with the vTPM with CUSE interface > integrated into QEMU. Unfortunately the vTPM-QEMU integration train seems a > wreck now following comments on QEMU mailing list. So, I don't know of any TPM > 2 hardware out there, less so hardware where coreboot runs. So that's probably > currently the number one problem. > > You know the TPM 1.2 PC BIOS specification, right? I think we can say that > many > of the functions implemented in this series for TPM 2 are necessary because of > how it's done for TPM 1.2 as well as properties of the TPM 2 device. This > includes the TPM initialization, S3 support, setting of timeouts, menu items, > etc. The problem with TPM 2 is that there's no official spec for TPM 2 for a > BIOS. So it's not quite clear to me how much leeway we have to go about this > in > the areas of ACPI tables for logging and the API. Regarding these topics: > > ACPI tables for logging: The (U)EFI specification for TPM 2 don't require a > TCPA table with the logging area because there seems to be an API for the OS > for retrieving the log. UEFI seems to log into just some buffer, not connected > to any ACPI table. For the BIOS we would still need that TCPA table. QEMU > currently provides that. The Linux kernel (and all other OSes -- uuuh) would > then have to allow a TCPA table for logging for TPM 2 even though we cannot > point to a spec for that. Not sure whether we can create a standard for this > little gap here...
Do you know the reason why it isn't required? This really confuses me that there isn't anything standardized for TPM2. How can that have happened... /Jarkko > BIOS API: Some functions pass the entry to write into the log via the function > directly. Patch 10 handles that and transforms that entry into the log entry > format as required for TPM 1.2 or TPM 2 (log entries are differently formatted > for TPM 1.2 and for TPM 2). So the only remaining problem I know of is the > function that allows one to pass TPM commands through to the TPM. This may end > up causing problems in the application if it was written for TPM 1.2 and now > there's a TPM 2 running underneath, which doesn't understand the TPM 1.2 > commands. I would say this is likely the smaller of the problems also > considering that there are not many applications out there that use that API > call. Possibility to just shut down that function call is certainly there. > > Stefan > > > > > > -Kevin > > > _______________________________________________ SeaBIOS mailing list SeaBIOS@seabios.org http://www.seabios.org/mailman/listinfo/seabios