# TPM

TPM in Cloud-Hypervisor is emulated using [swtpm](https://github.com/stefanberger/swtpm) as the backend.

The current implementation only supports TPM version `2.0`. At the moment only
the `CRB Interface` is implemented. This interface is described in
[TCG PC Client Platform TPM Profile Specification for TPM 2.0, Revision 01.05 v4](https://trustedcomputinggroup.org/wp-content/uploads/PC-Client-Specific-Platform-TPM-Profile-for-TPM-2p0-v1p05p_r14_pub.pdf).

## Usage

`--tpm`, an optional argument, can be passed to enable the TPM device.
This argument takes a UNIX domain socket path as its `socket` value.

_Example_

An example invocation with the `--tpm` argument:

```
./cloud-hypervisor/target/release/cloud-hypervisor \
    --kernel ./hypervisor-fw \
    --disk path=focal-server-cloudimg-amd64.raw \
    --cpus boot=4 \
    --memory size=1024M \
    --net "tap=,mac=,ip=,mask=" \
    --tpm socket="/var/run/swtpm.socket"
```

## swtpm

Before invoking cloud-hypervisor with the `--tpm` argument, a `swtpm`
process should be started to listen at the given socket. Below is an
example invocation of the swtpm process.

```
swtpm socket --tpmstate dir=/var/run/swtpm \
    --ctrl type=unixio,path="/var/run/swtpm.socket" \
    --flags startup-clear \
    --tpm2
```

## Guest

After starting a guest with the above commands, ensure the modules listed below are
loaded in the guest:

```
# lsmod | grep tpm
tpm_crb                20480  0
tpm                    81920  1 tpm_crb
```

Below is the IO memory map configured in the guest:

```
# cat /proc/iomem | grep MSFT
fed40000-fed40fff : MSFT0101:00
  fed40000-fed40fff : MSFT0101:00
```

Below are the devices created in the guest:

```
# ls /dev/tpm*
/dev/tpm0  /dev/tpmrm0
```

## Testing

Inside the guest, install the `tpm2-tools` package. This package provides
commands to run against a TPM that supports version 2.0.

_Examples_

```
// Run self test
# tpm2_selftest -f
# echo $?
0

# echo "hello" > input.txt
// this command generates a hash of the input file with every algorithm supported by the TPM
# tpm2_pcrevent input.txt
sha1: f572d396fae9206628714fb2ce00f72e94f2258f
sha256: 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
sha384: 1d0f284efe3edea4b9ca3bd514fa134b17eae361ccc7a1eefeff801b9bd6604e01f21f6bf249ef030599f0c218f2ba8c
sha512: e7c22b994c59d9cf2b48e549b1e24666636045930d3da7c1acb299d1c3b7f931f94aae41edda2c2b207a36e10f8bcb8d45223e54878f5b316e7ce3b6bc019629

// verify one of the hashes
# sha256sum input.txt
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  input.txt
```

### Bundled Functional Test

Build-time dependencies for `tpm2-tss` are captured in [INSTALL](https://github.com/tpm2-software/tpm2-tss/blob/master/INSTALL.md).

```
# git clone https://github.com/tpm2-software/tpm2-tss.git
# cd tpm2-tss
# ./configure --enable-integration --with-devicetests="mandatory,optional" --with-device=/dev/tpm0
# sudo make check-device
.
.
.
.
============================================================================
Testsuite summary for tpm2-tss 3.2.0-74-ge03617d9
============================================================================
# TOTAL: 154
# PASS:  88
# SKIP:  7
# XFAIL: 0
# FAIL:  59
# XPASS: 0
# ERROR: 0
============================================================================
See ./test-suite.log
Please report to https://github.com/tpm2-software/tpm2-tss/issues
============================================================================
```

The same set of failures is observed when running these tests on `QEMU` with
its TPM implementation.
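The Guest and Testing sections above are a manual checklist: modules loaded, the `MSFT0101` MMIO window present, the device nodes created, the self test passing, and the TPM's `sha256` bank agreeing with `sha256sum`. The script below turns that checklist into functions that can be run against the live guest or, offline, against sample text. It is an added example, not part of Cloud Hypervisor, swtpm or tpm2-tools; `MSFT0101` being the ACPI `_HID` of a TPM 2.0 device and the CRB register window being one 4 KiB page are facts from the ACPI/TCG specifications, the `SAMPLE_*` strings are constructed from the outputs shown above, and `run_live` assumes root and an installed `tpm2-tools`.

```shell
#!/bin/sh
# Guest-side readiness checks for a swtpm-backed TPM in a Cloud Hypervisor guest.
# Added example, not project code. Every check takes command output as a string
# so it can be exercised offline against the constructed samples at the bottom,
# or against the live guest via `run_live` (./tpm-check.sh --live).

# Check that the CRB front-end driver (tpm_crb) and the core tpm module are
# both loaded. $1 is the text of `lsmod`.
tpm_modules_loaded() {
    printf '%s\n' "$1" | awk '
        $1 == "tpm_crb" { crb = 1 }
        $1 == "tpm"     { core = 1 }
        END { exit !(crb && core) }'
}

# Print the MMIO range claimed by ACPI device MSFT0101 (the TPM 2.0 _HID)
# from the text of /proc/iomem in $1, e.g. "fed40000-fed40fff".
tpm_mmio_range() {
    printf '%s\n' "$1" | awk '/MSFT0101/ { print $1; exit }'
}

# Size in bytes of that range; the CRB register window is one 4 KiB page.
# Returns 1 (prints nothing) when no MSFT0101 entry exists.
tpm_mmio_size() {
    range=$(tpm_mmio_range "$1")
    [ -n "$range" ] || return 1
    start=${range%-*}
    end=${range#*-}
    echo $((0x$end - 0x$start + 1))
}

# Extract the digest for bank $1 (sha1, sha256, ...) from tpm2_pcrevent
# output in $2.
pcrevent_digest() {
    printf '%s\n' "$2" | awk -v bank="$1:" '$1 == bank { print $2; exit }'
}

# Compare the sha256 line of tpm2_pcrevent output ($1) with sha256sum output
# ($2). A mismatch means the emulated TPM and the host toolchain disagree.
sha256_matches() {
    tpm_digest=$(pcrevent_digest sha256 "$1")
    host_digest=$(printf '%s\n' "$2" | awk '{ print $1; exit }')
    [ -n "$tpm_digest" ] && [ "$tpm_digest" = "$host_digest" ]
}

# Run every check against the live guest. Requires root and tpm2-tools.
run_live() {
    tpm_modules_loaded "$(lsmod)" || { echo "tpm_crb/tpm not loaded"; return 1; }
    [ "$(tpm_mmio_size "$(cat /proc/iomem)")" = 4096 ] || { echo "unexpected CRB window"; return 1; }
    [ -c /dev/tpm0 ] || { echo "/dev/tpm0 missing"; return 1; }
    tpm2_selftest -f || { echo "self test failed"; return 1; }
    f=$(mktemp) && echo "hello" > "$f"
    if ! sha256_matches "$(tpm2_pcrevent "$f")" "$(sha256sum "$f")"; then
        echo "sha256 digest mismatch"; rm -f "$f"; return 1
    fi
    rm -f "$f"
    echo "TPM checks passed"
}

# Constructed samples, copied from the outputs shown in the Guest and Testing
# sections, so the functions can be tried without a TPM.
SAMPLE_LSMOD='Module                  Size  Used by
tpm_crb                20480  0
tpm                    81920  1 tpm_crb'
SAMPLE_IOMEM='fed40000-fed40fff : MSFT0101:00
  fed40000-fed40fff : MSFT0101:00'
SAMPLE_PCREVENT='sha1: f572d396fae9206628714fb2ce00f72e94f2258f
sha256: 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03'
SAMPLE_SHA256SUM='5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  input.txt'

if [ "${1:-}" = "--live" ]; then
    run_live
fi
```

Without `--live` the script only defines the functions and samples, so it can be sourced from another shell script; with `--live` it stops at the first failing check and names it, which is more useful on a misconfigured guest than the raw `lsmod`/`iomem` listings alone.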