On 8/30/21 8:10 AM, Ilias Apalodimas wrote:
On Sun, 29 Aug 2021 at 13:53, Peter Robinson <[email protected]> wrote:
On Sat, Aug 28, 2021 at 10:19 PM Simon Glass <[email protected]> wrote:
Hi Heinrich,
On Sat, 28 Aug 2021 at 06:18, Heinrich Schuchardt <[email protected]> wrote:
The current TPM emulation in drivers/tpm/tpm(2)_tis_sandbox.c is not
spec compliant.
@Simon
Just have look at the bunch of TPM related error messages generated on
the sandbox:
=> host bind 0 ../sandbox.img
=> load host 0:1 $kernel_addr_r EFI/grub/shimriscv64.efi
755200 bytes read in 5 ms (144 MiB/s)
=> bootefi $kernel_addr_r
Scanning disk mmc2.blk...
No valid Btrfs found
Bad magic number for SquashFS image.
** Unrecognized filesystem type **
Scanning disk mmc1.blk...
No valid Btrfs found
Bad magic number for SquashFS image.
** Unrecognized filesystem type **
Scanning disk mmc0.blk...
No valid Btrfs found
Bad magic number for SquashFS image.
** Unrecognized filesystem type **
Scanning disk host0...
Found 5 disks
Cannot install EFI_TCG2_PROTOCOL <<<<<<<<<<<<<<<<<<<<<<<<<<<
"dfu_alt_info" env variable not defined!
Probably dfu_alt_info not defined
"dfu_alt_info" env variable not defined!
Probably dfu_alt_info not defined
Booting /EFI\grub\shimriscv64.efi
PE image measurement failed <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
.sbat copied to 0x000000002ca7b000
.sbat =
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim
tcg2 measurement fails(0x8000000000000007) <<<<<<<<<<<<<<<<
Do you mean it is incomplete or that it has bugs? If it is incomplete,
what is needed by U-Boot?
A TPM emulation as UNIX socket exists with
https://github.com/stefanberger/swtpm.git. QEMU already uses this emulator.
Couldn't the sandbox do the same? I think this is the fastest way to get
a compliant sandbox TPM.
Well we could if we need it. Are you sure it is a good idea? There is
a lot of code there. Are you thinking it would be copied into the
U-Boot tree and kept in sync with a script, perhaps? Presumably the
project would accept changes we need?
qemu doesn't copy it in, why can't it just run independently as part
of the CI process? The rust TPM2 bindings do that here:
https://github.com/parallaxsecond/rust-tss-esapi/blob/main/tss-esapi/tests/all-fedora.sh#L13
Keep in mind this is exposed as an MMIIO device. I did send a driver
for it a while back [1]. In case we decide to use this, we can
probably re-use that
[1]
https://lore.kernel.org/u-boot/[email protected]/
Regards
/Ilias
Currently we don't test measured boot. I would prefer the tests to run
on the sandbox and not in QEMU. This makes debugging much easier.
Best regards
Heinrich
