From: Corvin Köhne <corvink@FreeBSD.org>
To: Goran Mekić, Michael Dexter, freebsd-virtualization@freebsd.org
Subject: Re: Sudden need for bhyve TPM Emulation... willing to port swtpm?
Date: Mon, 07 Aug 2023 10:04:38 +0200
Message-ID: <85ee3beda055c5bc9fae26c07247fe0cea1458e9.camel@FreeBSD.org>
In-Reply-To: <1d4e6558-0c56-5758-d87e-e9bf4aacc0a5@tilda.center>
List-Archive: https://lists.freebsd.org/archives/freebsd-virtualization

On Sun, 2023-08-06 at 18:47 +0200, Goran Mekić wrote:
>
> On 8/2/23 02:28, Michael Dexter wrote:
>
> > Hello all,
> >
> > Long-time bhyve-in-production user Jason Tubnor pointed out that a
> > recent Windows 11 update breaks the "lab mode" under which Windows
> > 11 could be run without a TPM (Trusted Platform Module) chip via a
> > registry edit. Corvin has made significant progress with TPM pass-
> > through support but it only supports one VM associated with the
> > hardware TPM.
> >
> > This 3-clause BSD-license software TPM project has existed but I
> > have never heard it brought up in the bhyve context, possibly
> > because of the available workaround:
> >
> > https://github.com/stefanberger/swtpm
> >
> > Is anyone willing to look into porting this to bhyve?
> >
> > All the best,
> >
> > Michael
> >
> Hello,
> If anyone can take a look and merge these, it would be a start:
>
> * libtpms https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272972
> * swtpm https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272973
>
> As I never read bhyve code before, I will start glancing it and
> trying to figure out stuff from Corvin's previous PR enabling pass-
> through for TPM. If anyone has any info to speed me up on this quest,
> please speak! Thank you!
> Regards,
> meka

Hi,

afaik, qemu is making use of the swtpm project too. So, it'd be great to implement it in bhyve.

My TPM passthrough emulation is currently under review. See https://reviews.freebsd.org/D32961.

I designed it to easily integrate a swtpm in the future. You just have to implement a new tpm backend by adding a new TPM_EMUL_SET. Take a look at the tpm_emul_passthru.c file.

Btw: We may have to add additional functions to the TPM_EMUL_SET like a "startup_tpm" function. See https://elixir.bootlin.com/qemu/latest/source/include/sysemu/tpm_backend.h#L52

-- 
Kind regards,
Corvin
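As an added illustration of the extension point Corvin describes, and not code from bhyve, swtpm or the review itself: a hypothetical backend ops table carrying the proposed startup_tpm hook, with a software backend that checks TPM 2.0 command framing before acting on a guest-supplied buffer and refuses everything but TPM2_Startup until the TPM has been started. `struct tpm_emul`, its field names and the "soft" backend are assumptions; the tag, command-code and response-code constants are from the TPM 2.0 Library specification.

```c
/* Added example, not bhyve's or swtpm's code: struct tpm_emul, its field names
 * and the "soft" backend are hypothetical; TPM 2.0 constants follow the spec. */
#include <stddef.h>
#include <stdint.h>

#define TPM_ST_NO_SESSIONS  0x8001u
#define TPM_ST_SESSIONS     0x8002u
#define TPM_CC_STARTUP      0x00000144u
#define TPM_RC_SUCCESS      0x000u
#define TPM_RC_BAD_TAG      0x01Eu
#define TPM_RC_INITIALIZE   0x100u  /* TPM2_Startup has not been run yet */
#define TPM_RC_COMMAND_SIZE 0x142u  /* commandSize disagrees with the buffer */
#define TPM_HDR_LEN 10
/* Hypothetical backend ops table; a swtpm backend would register its own
 * instance next to the passthrough one, as the mail suggests. */
struct tpm_emul {
	const char *name;
	int (*init)(void **sc);
	int (*startup_tpm)(void *sc);   /* the extra hook the mail proposes */
	int (*execute_cmd)(void *sc, const uint8_t *cmd, size_t len,
	    uint8_t *rsp, size_t rsp_max);
};
static struct soft_sc { int started; } soft_state;

static uint32_t be32(const uint8_t *p) {
	return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
/* Header-only response: tag, responseSize = 10, responseCode. Returns its length. */
static int put_rsp(uint8_t *rsp, uint16_t tag, uint32_t rc) {
	uint8_t hdr[TPM_HDR_LEN] = { tag >> 8, tag & 0xff, 0, 0, 0, TPM_HDR_LEN,
	    rc >> 24, (rc >> 16) & 0xff, (rc >> 8) & 0xff, rc & 0xff };
	for (int i = 0; i < TPM_HDR_LEN; i++) rsp[i] = hdr[i];
	return TPM_HDR_LEN;
}
static int soft_init(void **sc) { soft_state.started = 0; *sc = &soft_state; return 0; }
static int soft_startup(void *sc) { ((struct soft_sc *)sc)->started = 1; return 0; }
/* The guest controls cmd[]: validate the framing before trusting any field, and
 * answer TPM_RC_INITIALIZE to everything except TPM2_Startup until started. */
static int soft_execute(void *sc, const uint8_t *cmd, size_t len, uint8_t *rsp, size_t rsp_max) {
	struct soft_sc *s = sc;
	if (rsp_max < TPM_HDR_LEN || len < TPM_HDR_LEN) return -1;
	uint16_t tag = (uint16_t)(cmd[0] << 8 | cmd[1]);
	if (tag != TPM_ST_NO_SESSIONS && tag != TPM_ST_SESSIONS)
		return put_rsp(rsp, TPM_ST_NO_SESSIONS, TPM_RC_BAD_TAG);
	if (be32(cmd + 2) != len) return put_rsp(rsp, tag, TPM_RC_COMMAND_SIZE);
	if (be32(cmd + 6) == TPM_CC_STARTUP) s->started = 1;
	else if (!s->started) return put_rsp(rsp, tag, TPM_RC_INITIALIZE);
	return put_rsp(rsp, tag, TPM_RC_SUCCESS);  /* a real backend forwards the command here */
}
const struct tpm_emul soft_tpm = { "soft", soft_init, soft_startup, soft_execute };
```

A passthrough backend can leave startup_tpm as a no-op because firmware has already started the hardware TPM; a software TPM started by the hypervisor needs the hook, which is why the extra function matters for a swtpm port.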