Re: Sudden need for bhyve TPM Emulation... willing to port swtpm?
- In reply to: Corvin Köhne : "Re: Sudden need for bhyve TPM Emulation... willing to port swtpm?"
Date: Mon, 21 Aug 2023 06:45:42 UTC
On Mon, 2023-08-21 at 08:35 +0200, Corvin Köhne wrote:
> On Sun, 2023-08-20 at 19:52 +0200, Goran Mekić wrote:
> > On 8/19/23 17:27, Goran Mekić wrote:
> > > On 8/19/23 10:27, Goran Mekić wrote:
> > > > > > With updated port there's also support for CUSE, which would
> > > > > > allow swtpm to be used with pass-through. The problem is that
> > > > > > socket and CUSE have problems which I described in upstream
> > > > > > issue: https://github.com/stefanberger/swtpm/issues/820. If
> > > > > > there are any suggestions how to fix that fuse error, I'd like
> > > > > > to hear them and try and fix it.
> > > > > >
> > > > > > Regards,
> > > > > > meka
> > > >
> > > > Hello,
> > > >
> > > > I was wrong. Linux CUSE is an extension of FUSE while FreeBSD CUSE
> > > > has a totally different implementation, so it cannot be used by
> > > > swtpm. As swtpm has control and server channels, I suppose we need
> > > > both. To start both:
> > > >
> > > > # swtpm socket --tpmstate dir=/tmp/mytpm1 --ctrl type=unixio,path=/tmp/mytpm1/ctrl --tpm2 --log level=20 --server type=unixio,path=/tmp/mytpm1/server
> > > >
> > > > Now to initialize it one should run
> > > >
> > > > # swtpm_ioctl --unix /tmp/mytpm1/swtpm-sock -i
> > > >
> > > > If -i is replaced with --stop, swtpm is stopped. Now if I
> > > > understand correctly, the init function of bhyve should do -i,
> > > > deinit should do --stop. If that's correct, I will start
> > > > implementing init and for now ignore deinit. As swtpm is BSD
> > > > licenced, I think it is OK for us to reuse parts of swtpm_ioctl
> > > > code. Anyway, if I'm wrong about anything, please point it out.
> > > >
> > > > Regards,
> > > > meka
> > >
> > > I managed to initialize the swtpm by butchering swtpm_ioctl code
> > > and creating this: https://bsd.to/Dq7c. I know that for bhyve it's
> > > not viable to include from port, but at this point I just want to
> > > make some progress and then I'll see how to properly do it. As
> > > swtpm is BSD-3-Clause licensed, we should probably import it to
> > > base, but I'll worry about that part when at least something
> > > starts working.
> > >
> > > Regards,
> > > meka
> >
> > To make it easier to progress, I created a repository for my TPM
> > playground: https://github.com/mekanix/tpmplay. The code currently
> > somewhat resembles tpm_emul_passthru.c. It implements init, deinit
> > and ctrlcmd. I'm confused a bit because swtpm has two sockets, one
> > for control, one for data. Looking at tpm_emul_passthru.c I can see
> > one fd is used for all commands. If I'm correct, TSS is used for the
> > data channel:
> > https://github.com/stefanberger/swtpm/wiki/Using-the-IBM-TSS-with-swtpm#socket-interface
> > How come pass-through doesn't have ctrl/data channels?
> >
> > Regards,
> > meka
>
> Hi,
>
> The passthrough implementation is conceptually similar to qemu's
> passthrough implementation. You can take a look at it here:
> https://elixir.bootlin.com/qemu/v8.0.4/source/backends/tpm/tpm_passthrough.c
> The swtpm implementation of qemu is found here:
> https://elixir.bootlin.com/qemu/latest/source/backends/tpm/tpm_emulator.c
> I'd prefer that the swtpm of bhyve is similar to qemu's implementation
> as well. Afaik, qemu doesn't include the swtpm code. Would be nice for
> bhyve too.
>
> Looking at the use cases of the ctrl channel (set_locality, stop_tpm,
> get_established_flag, ...), none of them are used by the passthrough
> implementation or they are dummy implementations. Note that most of
> them, if not all, don't make sense for a passthrough implementation.

Btw. you can also look into qemu's doc on how it starts a tpm emulator:
https://qemu-project.gitlab.io/qemu/specs/tpm.html#the-qemu-tpm-emulator-device

--
Kind regards,
Corvin
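A minimal client for swtpm's control channel, added here as an example and not code from this thread, from swtpm or from bhyve: it does what the thread says a bhyve-side init should do, the equivalent of `swtpm_ioctl -i`, by sending CMD_INIT to the ctrl socket and reading the ptm_res reply, while TPM commands themselves would go to the separate server socket. The command codes and wire layout (big-endian command word, optional 32-bit argument, 32-bit result) are as I recall them from swtpm's tpm_ioctl.h and are an assumption to verify against the header; the default socket path is the /tmp/mytpm1/ctrl from the commands above.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Ctrl-channel command codes as I recall them from swtpm's tpm_ioctl.h (assumption). */
#define PTM_CMD_INIT 2u
#define PTM_CMD_STOP 14u

/* Encode one ctrl message: big-endian command code plus an optional big-endian
 * 32-bit argument (CMD_INIT carries init_flags, CMD_STOP carries nothing).
 * Returns the number of bytes written, or 0 if buf is too small. */
size_t ptm_encode(uint8_t *buf, size_t len, uint32_t cmd, const uint32_t *arg)
{
    size_t need = arg ? 8 : 4;
    uint32_t be = htonl(cmd);
    if (len < need) return 0;
    memcpy(buf, &be, 4);
    if (arg) { be = htonl(*arg); memcpy(buf + 4, &be, 4); }
    return need;
}

/* Connect to the ctrl socket, send one command and read the 4-byte big-endian
 * ptm_res reply (0 = success). Returns -1 on any I/O failure. */
int swtpm_ctrl(const char *path, uint32_t cmd, const uint32_t *arg, uint32_t *res)
{
    struct sockaddr_un sun = { .sun_family = AF_UNIX };
    uint8_t buf[8];
    size_t n = ptm_encode(buf, sizeof(buf), cmd, arg);
    int fd = n ? socket(AF_UNIX, SOCK_STREAM, 0) : -1;
    if (fd < 0) return -1;
    snprintf(sun.sun_path, sizeof(sun.sun_path), "%s", path);
    if (connect(fd, (struct sockaddr *)&sun, sizeof(sun)) < 0 ||
        write(fd, buf, n) != (ssize_t)n || read(fd, buf, 4) != 4) {
        close(fd); return -1;
    }
    close(fd);
    memcpy(res, buf, 4);      /* the reply is just the ptm_res word */
    *res = ntohl(*res);
    return 0;
}

/* What a bhyve-side init() would do: CMD_INIT with init_flags = 0. */
int main(int argc, char **argv)
{
    uint32_t flags = 0, res;
    if (swtpm_ctrl(argc > 1 ? argv[1] : "/tmp/mytpm1/ctrl", PTM_CMD_INIT, &flags, &res))
        return 1;
    printf("CMD_INIT -> ptm_res 0x%x\n", res);
    return res != 0;
}
```

Sending PTM_CMD_STOP with a NULL argument through the same swtpm_ctrl() is the deinit counterpart the thread describes (`swtpm_ioctl --stop`).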