Hi

On Thu, Aug 16, 2018 at 3:29 AM 汤福 <tan...@gohighsec.com> wrote:
>
> Hi,
>
> I want to use the vTPM in a qemu Windows image. Unfortunately, it didn't work.
> First, the equipment:
> TPM 2.0 hardware
> CentOS 7.2
> Qemu v2.10.2
> SeaBIOS 1.11.0
> libtpm and so on
>
> My host is centos 7.2 with the TPM 2.0 hardware and qemu v2.10.2.
> I make the libtpm and seabios with ./configure, make and so on. I checked
> seabios with make menuconfig the TPM setting. It is enabled tpm by default.
> Eventually, all works without errors.
>
> I start the Windows 10 image with:
> qemu-system-x86_64 -display sdl -enable-kvm -m 2048 -boot d -bios bios.bin
> -boot menu=on -tpmdev
> cuse-tpm,id=tpm0,cancel-path=/dev/null,type=passthrough,path=/dev/tpm0
> -device tpm-tis,tpmdev=tpm0 win10.img
>
>
> First it looks all fine. Windows 10 booted up but the vTPM was recognized as
> TPM 1.2 instead of TPM 2.0 in device manager. I open the tpm Manager with
> tpm.msc but get error with No compatible TPM found.
> If I use vTPM in a qemu linux image, everything goes well.
>
>
> So, what could be the problem?

You need to build libtpms & swtpm from Stefan's tpm2-preview branches.
(Alternatively, there is now an experimental fedora copr repository:
https://copr.fedorainfracloud.org/coprs/stefanberger/swtpm/)

I suggest setting up the VM with libvirt upstream, which will do the
preliminary swtpm_setup for you, or follow
https://github.com/stefanberger/swtpm/wiki/Certificiates-created-by-swtpm_setup

For Windows TPM 2 support, you will need the TPM CRB device, and
upstream OVMF compiled with -D TPM2_ENABLE (TIS & BIOS are 1.2 only for
Windows, even if seabios does have some 2.0 support with them).

Furthermore, to pass the WLK tests, you need PPI & MOR interface, which
are still pending merge ([PATCH v9 0/6] Add support for TPM Physical
Presence interface)

--
Marc-André Lureau
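
The setup described in the reply, as an added example that is not part of the original thread: a script that prints the swtpm and QEMU commands for a CRB device on OVMF, and checks a command line against the points the reply makes. It assumes a QEMU new enough to have the `emulator` backend and the `tpm-crb` device (the 2.10.2 in the question predates both); the state directory and firmware paths are assumed placeholders.

```shell
#!/bin/sh
# Added example. Paths are assumptions, not values from the thread.
TPM_DIR="${TPM_DIR:-/tmp/mytpm2}"                      # swtpm state directory (assumed)
OVMF_CODE="${OVMF_CODE:-/usr/share/OVMF/OVMF_CODE.fd}"  # OVMF built with -D TPM2_ENABLE (assumed path)
OVMF_VARS="${OVMF_VARS:-./OVMF_VARS.fd}"                # writable copy of the vars template (assumed)

# Commands that provision and start the TPM 2.0 emulator. swtpm_setup creates
# the EK and platform certificates; libvirt performs this step for you.
swtpm_cmds() {
    echo "swtpm_setup --tpm2 --tpmstate $TPM_DIR --create-ek-cert --create-platform-cert"
    echo "swtpm socket --tpm2 --tpmstate dir=$TPM_DIR --ctrl type=unixio,path=$TPM_DIR/swtpm-sock"
}

# QEMU command line: UEFI (OVMF) firmware, emulator backend, CRB front end.
qemu_cmd() {
    echo "qemu-system-x86_64 -enable-kvm -m 2048" \
        "-drive if=pflash,format=raw,readonly=on,file=$OVMF_CODE" \
        "-drive if=pflash,format=raw,file=$OVMF_VARS" \
        "-chardev socket,id=chrtpm,path=$TPM_DIR/swtpm-sock" \
        "-tpmdev emulator,id=tpm0,chardev=chrtpm" \
        "-device tpm-crb,tpmdev=tpm0 win10.img"
}

# Check a QEMU command line against the points made in the reply.
# Prints one finding per line; returns 0 when nothing is flagged.
lint_windows_tpm2() {
    rc=0
    case " $1 " in *" -device tpm-tis"*)
        echo "tpm-tis: Windows treats the TIS interface as TPM 1.2"; rc=1 ;; esac
    case " $1 " in *" -device tpm-crb"*) ;; *)
        echo "no tpm-crb device: Windows TPM 2.0 support needs the CRB interface"; rc=1 ;; esac
    case " $1 " in *" -bios "*)
        echo "-bios: BIOS boot is TPM 1.2 only for Windows; use OVMF built with -D TPM2_ENABLE"; rc=1 ;; esac
    return $rc
}

# Constructed from the command line quoted in the original message.
ORIG='qemu-system-x86_64 -display sdl -enable-kvm -m 2048 -boot d -bios bios.bin -boot menu=on -tpmdev cuse-tpm,id=tpm0,cancel-path=/dev/null,type=passthrough,path=/dev/tpm0 -device tpm-tis,tpmdev=tpm0 win10.img'

echo "== original command =="; lint_windows_tpm2 "$ORIG" || true
echo "== suggested setup =="; swtpm_cmds; qemu_cmd
lint_windows_tpm2 "$(qemu_cmd)" && echo "no findings"
```

Start swtpm before QEMU so the control socket exists when the chardev connects.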