
1 .. _tpm-device:
4 QEMU TPM Device
7 Guest-side hardware interface
11 -------------
13 The QEMU TPM emulation implements a TPM TIS hardware interface
15 Specific TPM Interface Specification (TIS)", Specification Version
20 0xfed40000-0xfed44fff available to the guest operating system.
22 QEMU files related to TPM TIS interface:
23 - ``hw/tpm/tpm_tis_common.c``
24 - ``hw/tpm/tpm_tis_isa.c``
25 - ``hw/tpm/tpm_tis_sysbus.c``
26 - ``hw/tpm/tpm_tis_i2c.c``
27 - ``hw/tpm/tpm_tis.h``
34 based emulation machines. This device only supports the TPM 2 protocol.
37 -------------
39 QEMU also implements a TPM CRB interface following the Trusted
40 Computing Group's specification "TCG PC Client Platform TPM Profile
45 0xfed40000-0xfed40fff (1 locality) available to the guest
48 QEMU files related to TPM CRB interface:
49 - ``hw/tpm/tpm_crb.c``
52 ---------------
54 pSeries (ppc64) machines offer a tpm-spapr device model.
57 - ``hw/tpm/tpm_spapr.c``
62 The bios/firmware may read the ``"etc/tpm/config"`` fw_cfg entry for
65 The entry of 6 bytes has the following content, in little-endian:
67 .. code-block:: c
78 uint8_t tpm_version; /* TPM version */
85 The TPM device is defined with ACPI ID "PNP0C31". QEMU builds a SSDT
95 buffer where the firmware can write its log into. For TPM 2 only a
105 ------------------
107 QEMU supports the Physical Presence Interface (PPI) for TPM 1.2 and
108 TPM 2. This interface requires ACPI and firmware support. (see the
112 the TPM upon reboot. The PPI specification defines the operation
117 number and sends commands to the TPM. The firmware writes the TPM
125 support on a per-operation basis, and different firmwares may support
128 supports and ACPI can enable the ones that are supported and disable
132 +-------------+--------+--------+-------------------------------------------+
137 +-------------+--------+--------+-------------------------------------------+
140 +-------------+--------+--------+-------------------------------------------+
143 +-------------+--------+--------+-------------------------------------------+
146 +-------------+--------+--------+-------------------------------------------+
150 +-------------+--------+--------+-------------------------------------------+
153 +-------------+--------+--------+-------------------------------------------+
156 +-------------+--------+--------+-------------------------------------------+
159 +-------------+--------+--------+-------------------------------------------+
161 +-------------+--------+--------+-------------------------------------------+
164 +-------------+--------+--------+-------------------------------------------+
166 +-------------+--------+--------+-------------------------------------------+
171 +----------+-------------------------------------------------------------+
175 +----------+-------------------------------------------------------------+
177 +----------+-------------------------------------------------------------+
179 +----------+-------------------------------------------------------------+
181 +----------+-------------------------------------------------------------+
184 +----------+-------------------------------------------------------------+
190 QEMU files related to TPM ACPI tables:
191 - ``hw/i386/acpi-build.c``
192 - ``include/hw/acpi/tpm.h``
194 TPM backend devices
197 The TPM implementation is split into two parts, frontend and
198 backend. The frontend part is the hardware interface, such as the TPM
199 TIS interface described earlier, and the other part is the TPM backend
200 interface. The backend interfaces implement the interaction with a TPM
202 between the front- and backend devices allows a frontend to be
206 QEMU files related to TPM backends:
207 - ``backends/tpm.c``
208 - ``include/sysemu/tpm.h``
209 - ``include/sysemu/tpm_backend.h``
211 The QEMU TPM passthrough device
212 -------------------------------
215 possible to make the hardware TPM device available to a single QEMU
220 The passthrough driver uses the host's TPM device for sending TPM
222 TPM device's sysfs entry for support of command cancellation. Since
223 none of the state of a hardware TPM can be migrated between hosts,
224 virtual machine migration is disabled when the TPM passthrough driver
227 Since the host's TPM device will already be initialized by the host's
230 the firmware should not use the TPM.
233 scenario for a TPM device. The primary reason for this is that two
240 QEMU files related to the TPM passthrough device:
241 - ``backends/tpm/tpm_passthrough.c``
242 - ``backends/tpm/tpm_util.c``
243 - ``include/sysemu/tpm_util.h``
246 Command line to start QEMU with the TPM passthrough device using the host's
247 hardware TPM ``/dev/tpm0``:
249 .. code-block:: console
251 qemu-system-x86_64 -display sdl -accel kvm \
252 -m 1024 -boot d -bios bios-256k.bin -boot menu=on \
253 -tpmdev passthrough,id=tpm0,path=/dev/tpm0 \
254 -device tpm-tis,tpmdev=tpm0 test.img
258 with a Linux kernel that either has the TPM TIS driver built-in or
259 available as a module (assuming a TPM 2 is passed through):
261 .. code-block:: console
263 # dmesg | grep -i tpm
267 # ls -l /dev/tpm*
268 crw-rw----. 1 tss root 10, 224 Sep 6 12:36 /dev/tpm0
269 crw-rw----. 1 tss rss 253, 65536 Sep 6 12:36 /dev/tpmrm0
271 Starting with Linux 5.12 there are PCR entries for TPM 2 in sysfs:
272 # find /sys/devices/ -type f | grep pcr-sha
274 /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/1
276 /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/9
279 The QEMU TPM emulator device
280 ----------------------------
282 The TPM emulator device uses an external TPM emulator called 'swtpm'
283 for sending TPM commands to and receiving responses from. The swtpm
285 TPM emulator with QEMU.
287 The TPM emulator implements a command channel for transferring TPM
292 migrating the TPM state, among other things.
294 The swtpm program behaves like a hardware TPM and therefore needs to
298 instrumented to initialize a TPM 1.2 or TPM 2 device using this
301 QEMU files related to the TPM emulator device:
302 - ``backends/tpm/tpm_emulator.c``
303 - ``backends/tpm/tpm_util.c``
304 - ``include/sysemu/tpm_util.h``
309 .. code-block:: console
312 swtpm socket --tpmstate dir=/tmp/mytpm1 \
313 --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \
314 --tpm2 \
315 --log level=20
317 Command line to start QEMU with the TPM emulator device communicating
320 .. code-block:: console
322 qemu-system-x86_64 -display sdl -accel kvm \
323 -m 1024 -boot d -bios bios-256k.bin -boot menu=on \
324 -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \
325 -tpmdev emulator,id=tpm0,chardev=chrtpm \
326 -device tpm-tis,tpmdev=tpm0 test.img
330 .. code-block:: console
332 qemu-system-ppc64 -display sdl -machine pseries,accel=kvm \
333 -m 1024 -bios slof.bin -boot menu=on \
334 -nodefaults -device VGA -device pci-ohci -device usb-kbd \
335 -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \
336 -tpmdev emulator,id=tpm0,chardev=chrtpm \
337 -device tpm-spapr,tpmdev=tpm0 \
338 -device spapr-vscsi,id=scsi0,reg=0x00002000 \
339 -device virtio-blk-pci,bus=pci.0,addr=0x3,drive=drive-virtio-disk0,id=virtio-disk0 \
340 -drive file=test.img,format=raw,if=none,id=drive-virtio-disk0
344 .. code-block:: console
346 qemu-system-aarch64 -machine virt,gic-version=3,acpi=off \
347 -cpu host -m 4G \
348 -nographic -accel kvm \
349 -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \
350 -tpmdev emulator,id=tpm0,chardev=chrtpm \
351 -device tpm-tis-device,tpmdev=tpm0 \
352 -device virtio-blk-pci,drive=drv0 \
353 -drive format=qcow2,file=hda.qcow2,if=none,id=drv0 \
354 -drive if=pflash,format=raw,file=flash0.img,readonly=on \
355 -drive if=pflash,format=raw,file=flash1.img
357 In case an ast2600-evb BMC machine is emulated and you want to use a TPM device
360 .. code-block:: console
362 qemu-system-arm -M ast2600-evb -nographic \
363 -kernel arch/arm/boot/zImage \
364 -dtb arch/arm/boot/dts/aspeed-ast2600-evb.dtb \
365 -initrd rootfs.cpio \
366 -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \
367 -tpmdev emulator,id=tpm0,chardev=chrtpm \
368 -device tpm-tis-i2c,tpmdev=tpm0,bus=aspeed.i2c.bus.12,address=0x2e
372 echo tpm_tis_i2c 0x2e > /sys/bus/i2c/devices/i2c-12/new_device
374 In case SeaBIOS is used as firmware, it should show the TPM menu item
377 .. code-block:: console
380 1. DVD/CD [ata1-0: QEMU DVD-ROM ATAPI-4 DVD/CD]
384 t. TPM Configuration
387 with a Linux kernel that either has the TPM TIS driver built-in or
390 .. code-block:: console
392 # dmesg | grep -i tpm
396 # ls -l /dev/tpm*
397 crw-rw----. 1 tss root 10, 224 Sep 6 12:36 /dev/tpm0
398 crw-rw----. 1 tss rss 253, 65536 Sep 6 12:36 /dev/tpmrm0
400 Starting with Linux 5.12 there are PCR entries for TPM 2 in sysfs:
401 # find /sys/devices/ -type f | grep pcr-sha
403 /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/1
405 /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/9
408 Migration with the TPM emulator
411 The TPM emulator supports the following types of virtual machine
414 - VM save / restore (migration into a file)
415 - Network migration
416 - Snapshotting (migration into storage like QCOW2 or QED)
422 .. code-block:: console
425 swtpm socket --tpmstate dir=/tmp/mytpm1 \
426 --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \
427 --tpm2 \
428 --log level=20
432 .. code-block:: console
434 qemu-system-x86_64 -display sdl -accel kvm \
435 -m 1024 -boot d -bios bios-256k.bin -boot menu=on \
436 -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \
437 -tpmdev emulator,id=tpm0,chardev=chrtpm \
438 -device tpm-tis,tpmdev=tpm0 \
439 -monitor stdio \
442 Verify that the attached TPM is working as expected using applications
448 .. code-block:: console
457 parameters as before. If previously a TPM 2 [--tpm2] was saved, --tpm2
463 .. code-block:: console
465 swtpm socket --tpmstate dir=/tmp/mytpm1 \
466 --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \
467 --log level=20 --tpm2
470 '-incoming' option.
472 .. code-block:: console
474 qemu-system-x86_64 -display sdl -accel kvm \
475 -m 1024 -boot d -bios bios-256k.bin -boot menu=on \
476 -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \
477 -tpmdev emulator,id=tpm0,chardev=chrtpm \
478 -device tpm-tis,tpmdev=tpm0 \
479 -incoming "exec:cat < testvm.bin" \
483 -------------------------
492 - QEMU command line parameters should be identical apart from the
493 '-incoming' option on VM restore
495 - swtpm command line parameters should be identical
499 - QEMU command line parameters should be identical apart from the
500 '-incoming' option on the destination side
502 - swtpm command line parameters should point to two different
503 directories on the source and destination swtpm (--tpmstate dir=...)
509 - QEMU command line parameters should be identical apart from the
510 '-incoming' option on the destination side
512 - swtpm command line parameters should be identical
515 - QEMU command line parameters should be identical
517 - swtpm command line parameters should be identical
523 - the versions of the swtpm on the source and destination sides are
526 - downgrading of TPM state may not be supported
528 - the source and destination libtpms were compiled with different
529 compile-time options and the destination side refuses to accept the
532 - different migration keys are used on the source and destination side
534 (swtpm ... --migration-key ... )
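As an added example (not part of the QEMU documentation or of swtpm), a small Python checker that encodes the prerequisites listed above: it compares the source and destination QEMU and swtpm command lines and reports which rule a planned migration of the TPM emulator's state would violate. The mode labels and the sample command lines are my own constructions, modelled on the invocations shown earlier in this document; the only assumption about QEMU is that ``-incoming`` takes exactly one argument.

```python
import shlex

# Constructed sample command lines modelled on the QEMU and swtpm invocations
# shown in this document; they are test inputs, not captured sessions.
SRC_QEMU = ("qemu-system-x86_64 -display sdl -accel kvm -m 1024 "
            "-chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock "
            "-tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0")
DST_QEMU = SRC_QEMU + ' -incoming "exec:cat < testvm.bin"'
SRC_SWTPM = ("swtpm socket --tpmstate dir=/tmp/mytpm1 "
             "--ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock --tpm2 --log level=20")
DST_SWTPM_NET = SRC_SWTPM.replace("dir=/tmp/mytpm1", "dir=/tmp/mytpm2")


def strip_incoming(argv):
    """Drop '-incoming <uri>': the one QEMU option the rules allow to differ
    on the restore/destination side (assumes it takes one argument)."""
    out, skip = [], False
    for tok in argv:
        if skip:
            skip = False
        elif tok == "-incoming":
            skip = True
        else:
            out.append(tok)
    return out


def tpmstate_dir(argv):
    """Return the directory from swtpm's '--tpmstate dir=...' (None if absent)."""
    for i, tok in enumerate(argv):
        if tok == "--tpmstate" and i + 1 < len(argv):
            for kv in argv[i + 1].split(","):
                if kv.startswith("dir="):
                    return kv[len("dir="):]
    return None


def check_migration(mode, src_qemu, dst_qemu, src_swtpm, dst_swtpm):
    """Return the list of violated prerequisites; an empty list means the
    command lines satisfy the rules. The mode labels 'save-restore', 'network'
    and 'snapshot' are my own names for the three rule sets in the text."""
    problems = []
    sq, dq = shlex.split(src_qemu), shlex.split(dst_qemu)
    ss, ds = shlex.split(src_swtpm), shlex.split(dst_swtpm)
    if mode == "snapshot":
        if sq != dq:
            problems.append("snapshot: QEMU parameters must be identical")
    elif strip_incoming(sq) != strip_incoming(dq):
        problems.append("QEMU parameters differ beyond the '-incoming' option")
    if mode == "network":
        if tpmstate_dir(ss) == tpmstate_dir(ds):
            problems.append("network: source and destination swtpm must use "
                            "different --tpmstate dir=... directories")
    elif ss != ds:
        problems.append("swtpm parameters must be identical")
    return problems
```

A non-empty result before starting the destination side points at the parameter that would otherwise surface only as a failed restore (for instance a missing ``--tpm2`` when TPM 2 state was saved).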
538 …https://trustedcomputinggroup.org/pc-client-work-group-pc-client-specific-tpm-interface-specificat…
541 https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/
545 https://trustedcomputinggroup.org/tcg-acpi-specification/
548 https://trustedcomputinggroup.org/resource/tcg-physical-presence-interface-specification/