Re: Sudden need for bhyve TPM Emulation... willing to port swtpm?
Date: Mon, 21 Aug 2023 06:35:54 UTC
On Sun, 2023-08-20 at 19:52 +0200, Goran Mekić wrote:
> On 8/19/23 17:27, Goran Mekić wrote:
> > On 8/19/23 10:27, Goran Mekić wrote:
> > > > > With updated port there's also support for CUSE, which would allow
> > > > > swtpm to be used with pass-through. The problem is that socket and
> > > > > CUSE have problems which I described in upstream issue:
> > > > > https://github.com/stefanberger/swtpm/issues/820. If there are any
> > > > > suggestions how to fix that fuse error, I'd like to hear them and try
> > > > > and fix it.
> > > > >
> > > > > Regards,
> > > > > meka
> > >
> > > Hello,
> > >
> > > I was wrong. Linux CUSE is an extension of FUSE while FreeBSD CUSE has a
> > > totally different implementation, so it can not be used by swtpm. As
> > > swtpm has control and server channels, I suppose we need both. To
> > > start both:
> > >
> > > # swtpm socket --tpmstate dir=/tmp/mytpm1 --ctrl type=unixio,path=/tmp/mytpm1/ctrl --tpm2 --log level=20 --server type=unixio,path=/tmp/mytpm1/server
> > >
> > > Now to initialize it one should run
> > >
> > > # swtpm_ioctl --unix /tmp/mytpm1/swtpm-sock -i
> > >
> > > If -i is replaced with --stop, swtpm is stopped. Now if I understand
> > > correctly, init function of bhyve should do -i, deinit should do
> > > --stop. If that's correct, I will start implementing init and for now
> > > ignore deinit. As swtpm is BSD licensed, I think it is OK for us to
> > > reuse parts of swtpm_ioctl code. Anyway, if I'm wrong about anything,
> > > please point it out.
> > >
> > > Regards,
> > > meka
> >
> > I managed to initialize the swtpm by butchering swtpm_ioctl code and
> > creating this: https://bsd.to/Dq7c. I know that for bhyve it's not
> > viable to include from port, but at this point I just want to make
> > some progress and then I'll see how to properly do it. As swtpm is
> > BSD-3-Clause licensed, we should probably import it to base, but I'll
> > worry about that part when at least something starts working.
> >
> > Regards,
> > meka
>
> To make it easier to progress, I created a repository for my TPM
> playground: https://github.com/mekanix/tpmplay. The code currently
> somewhat resembles tpm_emul_passthru.c. It implements init, deinit and
> ctrlcmd. I'm confused a bit because swtpm has two sockets, one for
> control, one for data. Looking at tpm_emul_passthru.c I can see one fd is
> used for all commands. If I'm correct, TSS is used for data channel:
> https://github.com/stefanberger/swtpm/wiki/Using-the-IBM-TSS-with-swtpm#socket-interface
> How come pass-through doesn't have ctrl/data channels?
>
> Regards,
> meka

Hi,

The passthrough implementation is conceptually similar to qemu's passthrough implementation. You can take a look at it here:
https://elixir.bootlin.com/qemu/v8.0.4/source/backends/tpm/tpm_passthrough.c

The swtpm implementation of qemu is found here:
https://elixir.bootlin.com/qemu/latest/source/backends/tpm/tpm_emulator.c

I'd prefer that the swtpm of bhyve is similar to qemu's implementation as well. Afaik, qemu doesn't include the swtpm code. Would be nice for bhyve too.

Looking at the use cases of the ctrl channel (set_locality, stop_tpm, get_established_flag, ...), none of them are used by the passthrough implementation or they are dummy implementations. Note that most of them, if not all, don't make sense for a passthrough implementation.

--
Kind regards,
Corvin
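As an added example, not from this thread and not swtpm's or bhyve's own code: the control-channel exchange behind swtpm_ioctl -i and --stop, which a bhyve init/deinit pair would mirror, written in C against the unixio ctrl socket started above. The framing (big-endian command word, reply opening with a big-endian ptm_res) and the command numbers CMD_INIT = 2 and CMD_STOP = 14 are as I recall them from swtpm's tpm_ioctl.h and should be checked against that header; the socket path passed in is assumed to be the --ctrl path, and the function names are mine.

```c
/* Minimal client for swtpm's unixio control channel. Frames: big-endian command
 * word, then request fields; the reply opens with a big-endian ptm_res (0 = ok). */
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
/* Assumed values of CMD_INIT and CMD_STOP from swtpm's tpm_ioctl.h; verify them. */
enum { SWTPM_CMD_INIT = 2, SWTPM_CMD_STOP = 14 };

/* Build a request frame: BE command, then each 32-bit argument in BE. */
size_t ctrl_encode(uint8_t *out, uint32_t cmd, const uint32_t *args, size_t nargs)
{
    uint32_t be = htonl(cmd);
    memcpy(out, &be, 4);
    for (size_t i = 0; i < nargs; i++) { be = htonl(args[i]); memcpy(out + 4 + 4 * i, &be, 4); }
    return 4 + 4 * nargs;
}
/* Extract the ptm_res from a response; -1 if the reply is too short to hold one. */
int ctrl_decode_res(const uint8_t *in, size_t len, uint32_t *res)
{
    uint32_t be;
    if (len < 4) return -1;
    memcpy(&be, in, 4);
    *res = ntohl(be);
    return 0;
}

/* One command over the ctrl socket (e.g. the thread's /tmp/mytpm1/ctrl):
 * -1 on transport error, else 0 with the emulator's ptm_res in *res. */
int ctrl_roundtrip(const char *path, uint32_t cmd, const uint32_t *args, size_t nargs, uint32_t *res)
{
    uint8_t req[16], resp[64];
    struct sockaddr_un sun = { .sun_family = AF_UNIX };
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    strncpy(sun.sun_path, path, sizeof sun.sun_path - 1);
    if (connect(fd, (struct sockaddr *)&sun, sizeof sun) < 0) { close(fd); return -1; }
    size_t n = ctrl_encode(req, cmd, args, nargs);
    if (write(fd, req, n) != (ssize_t)n) { close(fd); return -1; }
    ssize_t got = read(fd, resp, sizeof resp);
    close(fd);
    return got < 0 ? -1 : ctrl_decode_res(resp, (size_t)got, res);
}
/* swtpm_ioctl -i is CMD_INIT with init_flags = 0; swtpm_ioctl --stop is CMD_STOP. */
int swtpm_init(const char *ctrl_path, uint32_t *res)
{ uint32_t flags = 0; return ctrl_roundtrip(ctrl_path, SWTPM_CMD_INIT, &flags, 1, res); }
int swtpm_stop(const char *ctrl_path, uint32_t *res)
{ return ctrl_roundtrip(ctrl_path, SWTPM_CMD_STOP, NULL, 0, res); }
```

A non-zero ptm_res from swtpm_init means the emulator refused to initialise (e.g. a bad state directory), so a bhyve init path should treat it as fatal rather than proceed to the data channel.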