qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH 0/4] tpm: Provide a software vTPM

From: Corey Bryant
Subject: Re: [Qemu-devel] [PATCH 0/4] tpm: Provide a software vTPM
Date: Tue, 19 Nov 2013 16:32:06 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0 

On 11/19/2013 02:50 PM, Anthony Liguori wrote:

On Wed, Nov 6, 2013 at 6:38 AM, Corey Bryant <address@hidden> wrote:

This patch series provides support for a software Trusted Platform
Module (otherwise known as a vTPM).  This support is provided via a
new backend that works with the existing QEMU tpm-tis front end.


We do device emulation within QEMU.  This is fundamentally what QEMU does.

Why should we link against an external library instead of providing
TPM emulation within QEMU itself?  What makes TPM so special here?
Because 70k+ LOC *definitely* doesn't have a chance of getting into QEMU, so it makes more sense to link against a library. 



I know the answer to these questions of course.  There isn't a good
reason but there exists vTPM as an external tool for historical
reasons.  I don't think that's a good justification for doing this.
libtpms has had no review by anyone and does not have a community
around it.  Once we link against it, we are responsible for resolving
The source is now more readily available on github and while the community is small, there is a community. Besides, QEMU uses other libraries that have very small communities doesn't it? 


any security issue around it and fixing any bug within it.


Is this really true?  Is QEMU responsible for fixing every bug in glibc?

--
Regards,
Corey Bryant



That's essentially asking us to merge 70k+ LOCS without any review or
validation ahead of time.  That's an unreasonable request.

Regards,

Anthony Liguori


With this patch series, multiple guests can run with their own vTPM.
In comparison, the existing passthrough vTPM does not allow this
because the host TPM cannot be shared.

Note: There is seabios code that is not yet upstream that is
required to run with this support.  It provides support such as
initialization, ACPI table updates, and menu updates.  If anyone
would like to run with that support, let me know and I can send you
a bios.bin.

Following is a sample command line:

qemu-img create -f qcow2 /home/qemu/images/nvram.qcow2 500K

qemu-system-x86_64 ... \
-drive file=/home/qemu/images/nvram.qcow2,if=none,id=nvram0-0-0,format=qcow2 \
-device tpm-tis,tpmdev=tpm-tpm0,id=tpm0 \
-tpmdev libtpms,id=tpm-tpm0,nvram=nvram0-0-0

Corey Bryant (4):
   tpm: Add TPM NVRAM implementation
   tpm: Share tpm_write_fatal_error_response
   tpm: QMP/HMP support for libtpms TPM backend
   tpm: Provide libtpms software TPM backend

  configure                    |   24 ++
  hmp.c                        |    5 +
  hw/tpm/Makefile.objs         |    2 +
  hw/tpm/tpm_libtpms.c         |  885 ++++++++++++++++++++++++++++++++++++++++++
  hw/tpm/tpm_nvram.c           |  340 ++++++++++++++++
  hw/tpm/tpm_nvram.h           |   25 ++
  hw/tpm/tpm_passthrough.c     |   14 -
  hw/tpm/tpm_tis.h             |    1 +
  include/sysemu/tpm_backend.h |    3 +
  qapi-schema.json             |   18 +-
  qemu-options.hx              |   31 ++-
  tpm.c                        |   28 ++-
  12 files changed, 1357 insertions(+), 19 deletions(-)
  create mode 100644 hw/tpm/tpm_libtpms.c
  create mode 100644 hw/tpm/tpm_nvram.c
  create mode 100644 hw/tpm/tpm_nvram.h
reply via email to
[Prev in Thread] Current Thread [Next in Thread]