Date:      Mon, 21 Aug 2023 08:35:54 +0200
From:      Corvin Köhne <corvink@FreeBSD.org>
To:        Goran Mekić <meka@tilda.center>, virtualization@freebsd.org
Subject:   Re: Sudden need for bhyve TPM Emulation... willing to port swtpm?
Message-ID:  <1a0a0a4fd3f71a281876d9cb726fc59a45501b06.camel@FreeBSD.org>
In-Reply-To: <4cf9b819-2a41-8bc1-16a7-60a1eac04e28@tilda.center>
References:  <662af723-de9f-36d9-c960-ef08379ca26e@callfortesting.org> <1d4e6558-0c56-5758-d87e-e9bf4aacc0a5@tilda.center> <85ee3beda055c5bc9fae26c07247fe0cea1458e9.camel@FreeBSD.org> <2f1539fc-f8b2-2ec5-9c68-c60f68e66c0e@tilda.center> <2c1205c0fc48e8c6ac103d3f3ca0c722a7cd3c6e.camel@FreeBSD.org> <06ae27b6-7a38-ff73-8d9b-70b6be517ccc@tilda.center> <82499999351da778ffb9735f76ecc5d522305273.camel@FreeBSD.org> <2d2f8c74-47d0-ebb1-154f-3aab68d8a084@tilda.center> <cffa6e51-7b60-2676-d0bb-a7bea6f120da@tilda.center> <4cf9b819-2a41-8bc1-16a7-60a1eac04e28@tilda.center>

On Sun, 2023-08-20 at 19:52 +0200, Goran Mekić wrote:
> On 8/19/23 17:27, Goran Mekić wrote:
> > On 8/19/23 10:27, Goran Mekić wrote:
> > > > > With updated port there's also support for CUSE, which would
> > > > > allow
> > > > > swtpm
> > > > > to be used with pass-through. The problem is that socket and
> > > > > CUSE
> > > > > have
> > > > > problems which I described in upstream issue:
> > > > > https://github.com/stefanberger/swtpm/issues/820. If there
> > > > > are any
> > > > > suggestions how to fix that fuse error, I'd like to hear them
> > > > > and try
> > > > > and fix it.
> > > > >
> > > > > Regards,
> > > > > meka
> > >
> > > Hello,
> > >
> > > I was wrong. Linux CUSE is an extension of FUSE while FreeBSD CUSE
> > > has
> > > a totally different implementation, so it can not be used by swtpm.
> > > As
> > > swtpm has control and server channels, I suppose we need both. To
> > > start both:
> > >
> > > # swtpm socket --tpmstate dir=/tmp/mytpm1 --ctrl
> > > type=unixio,path=/tmp/mytpm1/ctrl --tpm2 --log level=20 --server
> > > type=unixio,path=/tmp/mytpm1/server
> > >
> > > Now to initialize it one should run
> > >
> > > # swtpm_ioctl --unix /tmp/mytpm1/swtpm-sock -i
> > >
> > > If -i is replaced with --stop, swtpm is stopped. Now if I
> > > understand
> > > correctly, the init function of bhyve should do -i, deinit should do
> > > --stop. If that's correct, I will start implementing init and for
> > > now
> > > ignore deinit. As swtpm is BSD licensed, I think it is OK for us
> > > to
> > > reuse parts of swtpm_ioctl code. Anyway, if I'm wrong about
> > > anything,
> > > please point it out.
> > >
> > > Regards,
> > > meka
> > >
> > >
> > I managed to initialize the swtpm by butchering swtpm_ioctl code
> > and
> > creating this: https://bsd.to/Dq7c. I know that for bhyve it's not
> > viable to include from port, but at this point I just want to make
> > some progress and then I'll see how to properly do it. As swtpm is
> > BSD-3-Clause licensed, we should probably import it to base, but
> > I'll
> > worry about that part when at least something starts working.
> >
> > Regards,
> > meka
> >
> >
> To make it easier to progress, I created a repository for my TPM
> playground: https://github.com/mekanix/tpmplay. The code currently
> somewhat resembles tpm_emul_passthru.c. It implements init, deinit
> and
> ctrlcmd. I'm confused a bit because swtpm has two sockets, one for
> control, one for data. Looking at tpm_emul_passthru.c I can see one fd
> is
> used for all commands. If I'm correct, TSS is used for the data channel:
> https://github.com/stefanberger/swtpm/wiki/Using-the-IBM-TSS-with-swtpm#socket-interface
> .
> How come pass-through doesn't have ctrl/data channels?
>
> Regards,
> meka
>
>

Hi,

The passthrough implementation is conceptually similar to qemu's
passthrough implementation. You can take a look at it here:
https://elixir.bootlin.com/qemu/v8.0.4/source/backends/tpm/tpm_passthrough.c
The swtpm implementation of qemu is found here:
https://elixir.bootlin.com/qemu/latest/source/backends/tpm/tpm_emulator.c
I'd prefer that the swtpm of bhyve is similar to qemu's implementation
as well. Afaik, qemu doesn't include the swtpm code. Would be nice for
bhyve too.

Looking at the use cases of the ctrl channel (set_locality, stop_tpm,
get_established_flag, ...), none of them are used by the passthrough
implementation or they are dummy implementations.

Note that most of them, if not all, don't make sense for a passthrough
implementation.


-- 
Kind regards,
Corvin
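To make the control/data split discussed in this thread concrete, here is an added example (not code from the thread, from swtpm, or from bhyve) that builds the control-channel frames behind `swtpm_ioctl -i` and `--stop` and the raw TPM 2.0 command that travels over the data channel. The PTM_* command numbers and the big-endian framing are assumed from swtpm's tpm_ioctl.h (verify against the header), and the socketpair stand-in for swtpm is constructed so the exchange runs offline.

```python
import socket
import struct

# Control-channel command numbers, assumed from swtpm's tpm_ioctl.h (verify against the header).
PTM_INIT, PTM_GET_TPMESTABLISHED, PTM_SET_LOCALITY, PTM_STOP = 1, 3, 4, 13
# TPM 2.0 constants for the data channel (TCG TPM 2.0 Library, Part 2).
TPM_ST_NO_SESSIONS, TPM_CC_STARTUP, TPM_SU_CLEAR = 0x8001, 0x144, 0

def ctrl_request(cmd, payload=b""):
    # Control frame: big-endian uint32 command number, then that command's request struct.
    return struct.pack(">I", cmd) + payload

def ptm_init_request(init_flags=0):
    # PTM_INIT carries a uint32 init_flags; this is what `swtpm_ioctl -i` sends.
    return ctrl_request(PTM_INIT, struct.pack(">I", init_flags))

def ptm_stop_request():
    # PTM_STOP has no request payload; this is what `swtpm_ioctl --stop` sends.
    return ctrl_request(PTM_STOP)

def parse_ptm_result(resp):
    # Every control response starts with a big-endian uint32 ptm_res; 0 means success.
    if len(resp) < 4:
        raise ValueError("short control response")
    return struct.unpack(">I", resp[:4])[0]

def tpm2_startup_command(startup_type=TPM_SU_CLEAR):
    # Data-channel traffic is a raw TPM 2.0 command: tag, total size, command code, parameters.
    body = struct.pack(">H", startup_type)
    return struct.pack(">HII", TPM_ST_NO_SESSIONS, 10 + len(body), TPM_CC_STARTUP) + body

def ctrl_exchange(sock, frame, resp_len):
    # Send one control frame and read exactly resp_len response bytes.
    sock.sendall(frame)
    resp = b""
    while len(resp) < resp_len:
        chunk = sock.recv(resp_len - len(resp))
        if not chunk:
            raise ConnectionError("swtpm closed the control channel")
        resp += chunk
    return resp

def demo_init_exchange():
    # Offline stand-in for swtpm: a socketpair whose far end answers PTM_INIT with ptm_res 0.
    guest, fake_swtpm = socket.socketpair()
    fake_swtpm.sendall(struct.pack(">I", 0))  # constructed reply: success
    result = parse_ptm_result(ctrl_exchange(guest, ptm_init_request(), 4))
    received = fake_swtpm.recv(64)  # the frame the fake swtpm saw
    guest.close()
    fake_swtpm.close()
    return received, result
```

Against a real swtpm started as in the quoted command, the same frames would go to the `--ctrl` socket and `tpm2_startup_command()` to the `--server` socket; a passthrough backend has only the latter kind of traffic, which is why tpm_emul_passthru.c gets by with one fd.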
