From: Corvin Köhne <corvink@FreeBSD.org>
To: Goran Mekić, virtualization@freebsd.org
Date: Mon, 21 Aug 2023 08:45:42 +0200
Subject: Re: Sudden need for bhyve TPM Emulation... willing to port swtpm?
Message-ID: <17c2de9cdefd2d04b65038ddff17b584f48833ea.camel@FreeBSD.org>
In-Reply-To: <1a0a0a4fd3f71a281876d9cb726fc59a45501b06.camel@FreeBSD.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-virtualization

On Mon, 2023-08-21 at 08:35 +0200, Corvin Köhne wrote:
> On Sun, 2023-08-20 at 19:52 +0200, Goran Mekić wrote:
> > On 8/19/23 17:27, Goran Mekić wrote:
> > > On 8/19/23 10:27, Goran Mekić wrote:
> > > > > > With updated port there's also support for CUSE, which would allow swtpm to be used with pass-through. The problem is that socket and CUSE have problems which I described in upstream issue: https://github.com/stefanberger/swtpm/issues/820. If there are any suggestions how to fix that fuse error, I'd like to hear them and try and fix it.
> > > > > >
> > > > > > Regards,
> > > > > > meka
> > > >
> > > > Hello,
> > > >
> > > > I was wrong. Linux CUSE is an extension of FUSE while FreeBSD CUSE has a totally different implementation, so it can not be used by swtpm. As swtpm has control and server channels, I suppose we need both. To start both:
> > > >
> > > > # swtpm socket --tpmstate dir=/tmp/mytpm1 --ctrl type=unixio,path=/tmp/mytpm1/ctrl --tpm2 --log level=20 --server type=unixio,path=/tmp/mytpm1/server
> > > >
> > > > Now to initialize it one should run
> > > >
> > > > # swtpm_ioctl --unix /tmp/mytpm1/swtpm-sock -i
> > > >
> > > > If -i is replaced with --stop, swtpm is stopped. Now if I understand correctly, the init function of bhyve should do -i, deinit should do --stop. If that's correct, I will start implementing init and for now ignore deinit. As swtpm is BSD licensed, I think it is OK for us to reuse parts of swtpm_ioctl code. Anyway, if I'm wrong about anything, please point it out.
> > > >
> > > > Regards,
> > > > meka
> > > >
> > > I managed to initialize the swtpm by butchering swtpm_ioctl code and creating this: https://bsd.to/Dq7c. I know that for bhyve it's not viable to include from port, but at this point I just want to make some progress and then I'll see how to properly do it. As swtpm is BSD-3-Clause licensed, we should probably import it to base, but I'll worry about that part when at least something starts working.
> > >
> > > Regards,
> > > meka
> > >
> > To make it easier to progress, I created a repository for my TPM playground: https://github.com/mekanix/tpmplay. The code currently somewhat resembles tpm_emul_passthru.c. It implements init, deinit and ctrlcmd. I'm confused a bit because swtpm has two sockets, one for control, one for data. Looking at tpm_emul_passthru.c I can see one fd is used for all commands. If I'm correct, TSS is used for the data channel: https://github.com/stefanberger/swtpm/wiki/Using-the-IBM-TSS-with-swtpm#socket-interface. How come pass-through doesn't have ctrl/data channels?
> >
> > Regards,
> > meka
> >
>
> Hi,
>
> The passthrough implementation is conceptually similar to qemu's passthrough implementation. You can take a look at it here:
> https://elixir.bootlin.com/qemu/v8.0.4/source/backends/tpm/tpm_passthrough.c
> The swtpm implementation of qemu is found here:
> https://elixir.bootlin.com/qemu/latest/source/backends/tpm/tpm_emulator.c
> I'd prefer that the swtpm of bhyve is similar to qemu's implementation as well. Afaik, qemu doesn't include the swtpm code. Would be nice for bhyve too.
>
> Looking at the use cases of the ctrl channel (set_locality, stop_tpm, get_established_flag, ...), none of them are used by the passthrough implementation or they are dummy implementations.
>
> Note that most of them, if not all, don't make sense for a passthrough implementation.
>

Btw. you can also look into qemu's doc on how it starts a tpm emulator:
https://qemu-project.gitlab.io/qemu/specs/tpm.html#the-qemu-tpm-emulator-device

-- 
Kind regards,
Corvin
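The two-channel setup discussed in the thread (a control socket that `swtpm_ioctl -i` / `--stop` drive, and a separate server socket carrying raw TPM 2.0 commands) is what a bhyve emulator backend in the style of QEMU's tpm_emulator.c has to speak. The Python client below is an added example; it is not code from this thread, from swtpm, from QEMU or from bhyve. The frame layout and the CMD_INIT/CMD_STOP numeric codes follow my reading of swtpm's include/swtpm/tpm_ioctl.h and of QEMU's tpm_emulator.c and are assumptions to verify against the installed swtpm version; the socket paths are taken from the swtpm invocation quoted above; the TPM2_Startup encoding follows the TCG TPM 2.0 command header (tag, size, command code).

```python
"""Framing for swtpm's "socket" interface (added example, not from the thread).

swtpm started with "--ctrl type=unixio,path=..." and "--server type=unixio,path=..."
listens on two UNIX sockets: the control socket carries management commands
(init, stop, ...), the server socket carries raw TPM 2.0 command/response blobs.
Command codes and struct layouts are my reading of swtpm's tpm_ioctl.h (assumption).
"""
import socket
import struct

# Control-channel command codes (swtpm CMD_* enum; assumed, verify locally).
CMD_INIT = 2
CMD_GET_TPMESTABLISHED = 4
CMD_STOP = 14

# TPM 2.0 constants from the TCG specification.
TPM_ST_NO_SESSIONS = 0x8001
TPM_CC_STARTUP = 0x0144
TPM_SU_CLEAR = 0x0000
TPM_HEADER_LEN = 10  # tag(2) + size(4) + command/response code(4)


def encode_ctrl_request(cmd: int, payload: bytes = b"") -> bytes:
    """A control request is the 4-byte big-endian command code followed by the
    command's request struct, whose fields are big-endian as well."""
    return struct.pack(">I", cmd) + payload


def encode_init(init_flags: int = 0) -> bytes:
    """CMD_INIT carries ptm_init.req.init_flags; this is what 'swtpm_ioctl -i' sends."""
    return encode_ctrl_request(CMD_INIT, struct.pack(">I", init_flags))


def encode_stop() -> bytes:
    """CMD_STOP has no request body; this is what 'swtpm_ioctl --stop' sends."""
    return encode_ctrl_request(CMD_STOP)


def decode_ptm_res(resp: bytes) -> int:
    """Every control response starts with ptm_res, a big-endian uint32 TPM
    return code; 0 is TPM_SUCCESS."""
    if len(resp) < 4:
        raise ValueError("short control response: %r" % (resp,))
    return struct.unpack(">I", resp[:4])[0]


def tpm2_startup(startup_type: int = TPM_SU_CLEAR) -> bytes:
    """TPM2_Startup, the first command guest firmware issues after the emulator
    is initialised. Header: tag, total size, command code; body: startupType."""
    body = struct.pack(">H", startup_type)
    header = struct.pack(">HII", TPM_ST_NO_SESSIONS, TPM_HEADER_LEN + len(body), TPM_CC_STARTUP)
    return header + body


def parse_tpm_response(resp: bytes):
    """Split a TPM response into (tag, size, responseCode, body). The data socket
    has no framing of its own, so the size field in the header is the only
    delimiter and must agree with what was actually received."""
    if len(resp) < TPM_HEADER_LEN:
        raise ValueError("short TPM response header")
    tag, size, rc = struct.unpack(">HII", resp[:TPM_HEADER_LEN])
    if size != len(resp):
        raise ValueError("TPM size field %d != %d bytes received" % (size, len(resp)))
    return tag, size, rc, resp[TPM_HEADER_LEN:]


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; stream sockets may return them in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("swtpm closed the socket")
        buf += chunk
    return buf


class SwtpmSocketClient:
    """Talks to a running swtpm over the two UNIX sockets given to --ctrl and --server."""

    def __init__(self, ctrl_path: str, server_path: str):
        self.ctrl = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.ctrl.connect(ctrl_path)
        self.data = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.data.connect(server_path)

    def ctrl_cmd(self, frame: bytes) -> int:
        self.ctrl.sendall(frame)
        return decode_ptm_res(_recv_exact(self.ctrl, 4))

    def init(self) -> int:       # bhyve's init hook would do this
        return self.ctrl_cmd(encode_init())

    def stop(self) -> int:       # bhyve's deinit hook would do this
        return self.ctrl_cmd(encode_stop())

    def transmit(self, command: bytes):
        """Data channel: write the raw TPM command, read the 10-byte header,
        then read the remaining (size - 10) bytes before parsing."""
        self.data.sendall(command)
        header = _recv_exact(self.data, TPM_HEADER_LEN)
        _, size, _ = struct.unpack(">HII", header)
        return parse_tpm_response(header + _recv_exact(self.data, size - TPM_HEADER_LEN))


if __name__ == "__main__":
    # Paths match the swtpm invocation quoted in the thread.
    c = SwtpmSocketClient("/tmp/mytpm1/ctrl", "/tmp/mytpm1/server")
    print("init  ->", c.init())
    print("startup rc ->", c.transmit(tpm2_startup())[2])
    print("stop  ->", c.stop())
```

The split between `encode_*`/`parse_*` and `SwtpmSocketClient` is deliberate: the framing functions are pure and can be unit-tested without a running swtpm, while the client only does socket I/O. The size check in `parse_tpm_response` is the one place a backend must not be lenient, since a response whose header size disagrees with the bytes on the wire would otherwise desynchronise every later command on the data channel.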