xref: /cloud-hypervisor/docs/tpm.md (revision 6f8bd27cf7629733582d930519e98d19e90afb16)
# TPM
TPM in Cloud Hypervisor is emulated using `swtpm` as the backend; see the [swtpm](https://github.com/stefanberger/swtpm) project.

The current implementation supports only TPM version `2.0`. At the moment only
the `CRB Interface` is implemented. This interface is described in
[TCG PC Client Platform TPM Profile Specification for TPM 2.0, Revision 01.05 v4](https://trustedcomputinggroup.org/wp-content/uploads/PC-Client-Specific-Platform-TPM-Profile-for-TPM-2p0-v1p05p_r14_pub.pdf).

## Usage
`--tpm` is an optional argument that enables the TPM device.
It takes the path of a UNIX domain socket as its `socket` value.

_Example_

An example invocation with the `--tpm` argument:

```
./cloud-hypervisor/target/release/cloud-hypervisor \
	--kernel ./hypervisor-fw \
	--disk path=focal-server-cloudimg-amd64.raw \
	--cpus boot=4 \
	--memory size=1024M \
	--net "tap=,mac=,ip=,mask=" \
	--tpm socket="/var/run/swtpm.socket"
```

## swtpm
Before invoking cloud-hypervisor with the `--tpm` argument, a `swtpm`
process should be started to listen on the socket passed to `--tpm`. Below is an
example invocation of the swtpm process.

```
swtpm socket --tpmstate dir=/var/run/swtpm \
	--ctrl type=unixio,path="/var/run/swtpm.socket" \
	--flags startup-clear \
	--tpm2
```

## Guest
After starting a guest with the above commands, ensure that the modules listed
below are loaded in the guest:

```
# lsmod | grep tpm
tpm_crb                20480  0
tpm                    81920  1 tpm_crb
```

Below is the I/O memory map configured in the guest:

```
# cat /proc/iomem | grep MSFT
fed40000-fed40fff : MSFT0101:00
  fed40000-fed40fff : MSFT0101:00
```

Below are the devices created in the guest:

```
# ls /dev/tpm*
/dev/tpm0  /dev/tpmrm0
```

## Testing

Inside the guest, install the `tpm2-tools` package. This package provides
commands to run against a TPM that supports version 2.0.

_Examples_
```
// Run self test
# tpm2_selftest -f
# echo $?
0

# echo "hello" > input.txt

// This command generates hashes of the input file using all the algorithms supported by the TPM
# tpm2_pcrevent input.txt
sha1: f572d396fae9206628714fb2ce00f72e94f2258f
sha256: 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
sha384: 1d0f284efe3edea4b9ca3bd514fa134b17eae361ccc7a1eefeff801b9bd6604e01f21f6bf249ef030599f0c218f2ba8c
sha512: e7c22b994c59d9cf2b48e549b1e24666636045930d3da7c1acb299d1c3b7f931f94aae41edda2c2b207a36e10f8bcb8d45223e54878f5b316e7ce3b6bc019629

// Verify one of the hashes
# sha256sum input.txt
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  input.txt
```
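
The `sha256sum` check above, extended to every digest line that `tpm2_pcrevent` prints. This is an added example, not part of the Cloud Hypervisor documentation: the function names `verify_pcrevent` and `demo` are hypothetical, the coreutils `sha1sum`, `sha256sum`, `sha384sum` and `sha512sum` tools are assumed to be present in the guest, and the embedded sample input is constructed from the output shown above.

```shell
#!/bin/sh
# Added example: compare each "alg: hexdigest" line printed by
# tpm2_pcrevent with the digest the guest's coreutils compute locally.

# verify_pcrevent FILE  (tpm2_pcrevent output on stdin)
# Returns 0 only if at least one bank was checked and all checked banks match.
verify_pcrevent() {
    file=$1
    checked=0
    failed=0
    while IFS=': ' read -r alg digest; do
        case $alg in
            sha1|sha256|sha384|sha512) tool="${alg}sum" ;;
            '') continue ;;                      # blank line
            *)  echo "skip: no local tool for bank '$alg'" >&2
                continue ;;
        esac
        expected=$("$tool" "$file" | cut -d' ' -f1)
        checked=$((checked + 1))
        if [ "$digest" = "$expected" ]; then
            echo "ok: $alg"
        else
            echo "MISMATCH: $alg (TPM $digest, local $expected)" >&2
            failed=$((failed + 1))
        fi
    done
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Constructed demo: same input as on this page ("hello" plus newline) and two
# of the digest lines shown above; the sm3_256 line is a made-up placeholder.
demo() {
    tmp=$(mktemp)
    echo "hello" > "$tmp"
    verify_pcrevent "$tmp" <<'EOF'
sha1: f572d396fae9206628714fb2ce00f72e94f2258f
sha256: 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
sm3_256: 00
EOF
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

demo
```

In a guest with a working TPM, the live check is `tpm2_pcrevent input.txt | verify_pcrevent input.txt`; a non-zero exit status means a bank disagreed with the local hash or no bank could be checked.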

### Bundled Functional Test

Build-time dependencies for `tpm2-tss` are listed in [INSTALL](https://github.com/tpm2-software/tpm2-tss/blob/master/INSTALL.md).

```
# git clone https://github.com/tpm2-software/tpm2-tss.git
# cd tpm2-tss
# ./configure --enable-integration --with-devicetests="mandatory,optional" --with-device=/dev/tpm0
# sudo make check-device
.
.
.
.
============================================================================
Testsuite summary for tpm2-tss 3.2.0-74-ge03617d9
============================================================================
# TOTAL: 154
# PASS:  88
# SKIP:  7
# XFAIL: 0
# FAIL:  59
# XPASS: 0
# ERROR: 0
============================================================================
See ./test-suite.log
Please report to https://github.com/tpm2-software/tpm2-tss/issues
============================================================================
```
The same set of failures is observed when running these tests on `QEMU` with
its TPM implementation.