Hi Heinrich,

On Mon, 30 Aug 2021 at 01:34, Heinrich Schuchardt <[email protected]> wrote:
>
>
>
> On 8/30/21 8:10 AM, Ilias Apalodimas wrote:
> > On Sun, 29 Aug 2021 at 13:53, Peter Robinson <[email protected]> wrote:
> >>
> >> On Sat, Aug 28, 2021 at 10:19 PM Simon Glass <[email protected]> wrote:
> >>>
> >>> Hi Heinrich,
> >>>
> >>> On Sat, 28 Aug 2021 at 06:18, Heinrich Schuchardt <[email protected]>
> >>> wrote:
> >>>>
> >>>> The current TPM emulation in drivers/tpm/tpm(2)_tis_sandbox.c is not
> >>>> spec compliant.
>
> @Simon
> Just have a look at the bunch of TPM related error messages generated on
> the sandbox:
>
> => host bind 0 ../sandbox.img
> => load host 0:1 $kernel_addr_r EFI/grub/shimriscv64.efi
> 755200 bytes read in 5 ms (144 MiB/s)
> => bootefi $kernel_addr_r
> Scanning disk mmc2.blk...
> No valid Btrfs found
> Bad magic number for SquashFS image.
> ** Unrecognized filesystem type **
> Scanning disk mmc1.blk...
> No valid Btrfs found
> Bad magic number for SquashFS image.
> ** Unrecognized filesystem type **
> Scanning disk mmc0.blk...
> No valid Btrfs found
> Bad magic number for SquashFS image.
> ** Unrecognized filesystem type **
> Scanning disk host0...
> Found 5 disks
> Cannot install EFI_TCG2_PROTOCOL <<<<<<<<<<<<<<<<<<<<<<<<<<<
> "dfu_alt_info" env variable not defined!
> Probably dfu_alt_info not defined
> "dfu_alt_info" env variable not defined!
> Probably dfu_alt_info not defined
> Booting /EFI\grub\shimriscv64.efi
> PE image measurement failed <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
> .sbat copied to 0x000000002ca7b000
> .sbat =
> sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
> shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim
>
> tcg2 measurement fails(0x8000000000000007) <<<<<<<<<<<<<<<<

OK...then I wonder what it would take to improve the sandbox TPM
driver enough for these to pass? We have to think about cost/benefit
of the amount of code we are bringing in, debuggability, etc.

> >
> >>>
> >>> Do you mean it is incomplete or that it has bugs? If it is incomplete,
> >>> what is needed by U-Boot?
> >
> >>>
> >>>>
> >>>> A TPM emulation as UNIX socket exists with
> >>>> https://github.com/stefanberger/swtpm.git. QEMU already uses this
> >>>> emulator.
> >>>>
> >>>> Couldn't the sandbox do the same? I think this is the fastest way to get
> >>>> a compliant sandbox TPM.
> >>>
> >>> Well we could if we need it. Are you sure it is a good idea? There is
> >>> a lot of code there. Are you thinking it would be copied into the
> >>> U-Boot tree and kept in sync with a script, perhaps? Presumably the
> >>> project would accept changes we need?
> >>
> >> qemu doesn't copy it in, why can't it just run independently as part
> >> of the CI process? The rust TPM2 bindings do that here:
> >> https://github.com/parallaxsecond/rust-tss-esapi/blob/main/tss-esapi/tests/all-fedora.sh#L13
> >
> > Keep in mind this is exposed as an MMIO device. I did send a driver
> > for it a while back [1]. In case we decide to use this, we can
> > probably re-use that
> >
> > [1]
> > https://lore.kernel.org/u-boot/[email protected]/
> >
> > Regards
> > /Ilias
> >
>
> Currently we don't test measured boot. I would prefer the tests to run
> on the sandbox and not in QEMU. This makes debugging much easier.

I couldn't agree more; development also.

Regards,
Simon

