Message-ID: <1a0a0a4fd3f71a281876d9cb726fc59a45501b06.camel@FreeBSD.org>
Subject: Re: Sudden need for bhyve TPM Emulation... willing to port swtpm?
From: Corvin Köhne <corvink@FreeBSD.org>
To: Goran Mekić, virtualization@freebsd.org
Date: Mon, 21 Aug 2023 08:35:54 +0200
In-Reply-To: <4cf9b819-2a41-8bc1-16a7-60a1eac04e28@tilda.center>
List-Archive: https://lists.freebsd.org/archives/freebsd-virtualization

On Sun, 2023-08-20 at 19:52 +0200, Goran Mekić wrote:
> On 8/19/23 17:27, Goran Mekić wrote:
> > On 8/19/23 10:27, Goran Mekić wrote:
> > > > > With updated port there's also support for CUSE, which would
> > > > > allow swtpm to be used with pass-through. The problem is that
> > > > > socket and CUSE have problems which I described in upstream
> > > > > issue: https://github.com/stefanberger/swtpm/issues/820. If
> > > > > there are any suggestions how to fix that fuse error, I'd like
> > > > > to hear them and try and fix it.
> > > > >
> > > > > Regards,
> > > > > meka
> > >
> > > Hello,
> > >
> > > I was wrong. Linux CUSE is extension of FUSE while FreeBSD CUSE has
> > > totally different implementation, so it can not be used by swtpm. As
> > > swtpm has control and server channels, I suppose we need both. To
> > > start both:
> > >
> > > # swtpm socket --tpmstate dir=/tmp/mytpm1 --ctrl
> > > type=unixio,path=/tmp/mytpm1/ctrl --tpm2 --log level=20 --server
> > > type=unixio,path=/tmp/mytpm1/server
> > >
> > > Now to initialize it one should run
> > >
> > > # swtpm_ioctl --unix /tmp/mytpm1/swtpm-sock -i
> > >
> > > If -i is replaced with --stop, swtpm is stopped. Now if I understand
> > > correctly, init function of bhyve should do -i, deinit should do
> > > --stop. If that's correct, I will start implementing init and for
> > > now ignore deinit. As swtpm is BSD licenced, I think it is OK for us
> > > to reuse parts of swtpm_ioctl code. Anyway, if I'm wrong about
> > > anything, please point it out.
> > >
> > > Regards,
> > > meka
> >
> > I managed to initialize the swtpm by butchering swtpm_ioctl code and
> > creating this: https://bsd.to/Dq7c. I know that for bhyve it's not
> > viable to include from port, but at this point I just want to make
> > some progress and then I'll see how to properly do it. As swtpm is
> > BSD-3-Clause licensed, we should probably import it to base, but I'll
> > worry about that part when at least something starts working.
> >
> > Regards,
> > meka
>
> To make it easier to progress, I created repository for my TPM
> playground: https://github.com/mekanix/tpmplay. The code currently
> somewhat resembles tpm_emul_passthru.c. It implements init, deinit and
> ctrlcmd. I'm confused a bit because swtpm has two sockets, one for
> control one for data. Looking at tpm_emul_passthru.c I can see one fd
> is used for all commands.
> If I'm correct, TSS is used for data channel:
> https://github.com/stefanberger/swtpm/wiki/Using-the-IBM-TSS-with-swtpm#socket-interface
> How come pass-through doesn't have ctrl/data channels?
>
> Regards,
> meka

Hi,

The passthrough implementation is conceptually similar to qemu's
passthrough implementation. You can take a look at it here:
https://elixir.bootlin.com/qemu/v8.0.4/source/backends/tpm/tpm_passthrough.c

The swtpm implementation of qemu is found here:
https://elixir.bootlin.com/qemu/latest/source/backends/tpm/tpm_emulator.c

I'd prefer that the swtpm of bhyve is similar to qemu's implementation
as well. Afaik, qemu doesn't include the swtpm code. Would be nice for
bhyve too.

Looking at the use cases of the ctrl channel (set_locality, stop_tpm,
get_established_flag, ...), none of them are used by the passthrough
implementation or they are dummy implementations. Note that most of
them, if not all, don't make sense for a passthrough implementation.

-- 
Kind regards,
Corvin
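To make the two-channel split discussed above concrete (the control socket that `swtpm_ioctl -i` / `--stop` drive, versus the data socket that only ever carries raw TPM command blobs), here is an added, stand-alone C example. It is not code from bhyve, qemu, swtpm or the tpmplay repository. The command numbers (CMD_INIT = 2, CMD_SET_LOCALITY = 5, CMD_STOP = 14) are the editor's recollection of the enum in swtpm's tpm_ioctl.h and should be checked against that header; the "swtpm" side is a constructed stand-in that only validates frame lengths, wired to the client through a socketpair so the exchange runs offline.

```c
/*
 * Illustration only: how an emulator backend frames traffic on swtpm's
 * two unixio sockets.  Not bhyve, qemu or swtpm code.  Control-channel
 * command numbers follow swtpm's tpm_ioctl.h as recalled by the editor
 * (assumption: verify against the header before relying on them).
 */
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Control channel: big-endian uint32 command, then that command's request
 * struct; swtpm answers with a big-endian uint32 ptm_res (0 == success). */
#define CMD_INIT          2u
#define CMD_SET_LOCALITY  5u
#define CMD_STOP         14u
#define TPM_SUCCESS       0u
#define PTM_RES_FAIL      0xffffffffu   /* constructed sentinel for this example */

/* Data channel: raw TPM 2.0 command/response blobs, here TPM2_Startup. */
#define TPM_ST_NO_SESSIONS 0x8001u
#define TPM_CC_Startup     0x00000144u
#define TPM_SU_CLEAR       0x0000u

static size_t ctrl_frame(uint8_t *buf, uint32_t cmd, const void *req, size_t reqlen)
{
    uint32_t be = htonl(cmd);
    memcpy(buf, &be, sizeof be);
    if (reqlen != 0)
        memcpy(buf + sizeof be, req, reqlen);
    return sizeof be + reqlen;
}

/* What "swtpm_ioctl -i" sends: CMD_INIT with ptm_init.u.req.init_flags (be32). */
size_t swtpm_ctrl_init(uint8_t *buf, uint32_t init_flags)
{
    uint32_t be = htonl(init_flags);
    return ctrl_frame(buf, CMD_INIT, &be, sizeof be);
}

/* What "swtpm_ioctl --stop" sends: CMD_STOP carries no request payload. */
size_t swtpm_ctrl_stop(uint8_t *buf)
{
    return ctrl_frame(buf, CMD_STOP, NULL, 0);
}

/* CMD_SET_LOCALITY carries a single byte (ptm_loc.u.req.loc). */
size_t swtpm_ctrl_set_locality(uint8_t *buf, uint8_t loc)
{
    return ctrl_frame(buf, CMD_SET_LOCALITY, &loc, sizeof loc);
}

/* TPM2_Startup(TPM_SU_CLEAR) as written to the data socket:
 * tag(2) | commandSize(4) | commandCode(4) | startupType(2). */
size_t tpm2_startup_clear(uint8_t *buf)
{
    uint16_t tag = htons(TPM_ST_NO_SESSIONS), su = htons(TPM_SU_CLEAR);
    uint32_t size = htonl(12), cc = htonl(TPM_CC_Startup);
    memcpy(buf, &tag, 2);
    memcpy(buf + 2, &size, 4);
    memcpy(buf + 6, &cc, 4);
    memcpy(buf + 10, &su, 2);
    return 12;
}

/* Constructed stand-in for swtpm's control socket: accepts well-formed
 * INIT/STOP/SET_LOCALITY frames and answers ptm_res, rejects the rest. */
static void fake_swtpm_ctrl(int fd)
{
    uint8_t req[64];
    ssize_t n = read(fd, req, sizeof req);
    uint32_t cmd = 0, res = htonl(PTM_RES_FAIL);
    if (n >= 4) {
        memcpy(&cmd, req, 4);
        cmd = ntohl(cmd);
        if ((cmd == CMD_INIT && n == 8) || (cmd == CMD_STOP && n == 4) ||
            (cmd == CMD_SET_LOCALITY && n == 5))
            res = htonl(TPM_SUCCESS);
    }
    if (write(fd, &res, sizeof res) < 0)
        return;
}

/* Send one control frame through a loopback socket pair and return ptm_res;
 * against a real swtpm, sv[0] would be the connected --ctrl unixio socket. */
uint32_t swtpm_ctrl_roundtrip(const uint8_t *frame, size_t len)
{
    int sv[2];
    uint32_t be, res = PTM_RES_FAIL;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return res;
    if (write(sv[0], frame, len) == (ssize_t)len) {
        fake_swtpm_ctrl(sv[1]);
        if (read(sv[0], &be, sizeof be) == (ssize_t)sizeof be)
            res = ntohl(be);
    }
    close(sv[0]);
    close(sv[1]);
    return res;
}

int main(void)
{
    uint8_t buf[64];
    size_t n = swtpm_ctrl_init(buf, 0);                    /* init, like -i */
    uint32_t r = swtpm_ctrl_roundtrip(buf, n);
    n = swtpm_ctrl_stop(buf);                              /* deinit, like --stop */
    return (r == TPM_SUCCESS && swtpm_ctrl_roundtrip(buf, n) == TPM_SUCCESS) ? 0 : 1;
}
```

The point the stand-in makes is that the control socket and the data socket speak different protocols: a backend's init and deinit hooks write a command-number-prefixed control frame and read back a 4-byte result, while the guest's TPM commands are forwarded byte-for-byte to the data socket. A passthrough backend has only the latter, which is why it gets by with one file descriptor.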