1=============== 2QEMU TPM Device 3=============== 4 5Guest-side hardware interface 6============================= 7 8TIS interface 9------------- 10 11The QEMU TPM emulation implements a TPM TIS hardware interface 12following the Trusted Computing Group's specification "TCG PC Client 13Specific TPM Interface Specification (TIS)", Specification Version 141.3, 21 March 2013. (see the `TIS specification`_, or a later version 15of it). 16 17The TIS interface makes a memory mapped IO region in the area 180xfed40000-0xfed44fff available to the guest operating system. 19 20QEMU files related to TPM TIS interface: 21 - ``hw/tpm/tpm_tis_common.c`` 22 - ``hw/tpm/tpm_tis_isa.c`` 23 - ``hw/tpm/tpm_tis_sysbus.c`` 24 - ``hw/tpm/tpm_tis_i2c.c`` 25 - ``hw/tpm/tpm_tis.h`` 26 27Both an ISA device and a sysbus device are available. The former is 28used with pc/q35 machine while the latter can be instantiated in the 29Arm virt machine. 30 31An I2C device support is also provided which can be instantiated in the Arm 32based emulation machines. This device only supports the TPM 2 protocol. 33 34CRB interface 35------------- 36 37QEMU also implements a TPM CRB interface following the Trusted 38Computing Group's specification "TCG PC Client Platform TPM Profile 39(PTP) Specification", Family "2.0", Level 00 Revision 01.03 v22, May 4022, 2017. (see the `CRB specification`_, or a later version of it) 41 42The CRB interface makes a memory mapped IO region in the area 430xfed40000-0xfed40fff (1 locality) available to the guest 44operating system. 45 46QEMU files related to TPM CRB interface: 47 - ``hw/tpm/tpm_crb.c`` 48 49SPAPR interface 50--------------- 51 52pSeries (ppc64) machines offer a tpm-spapr device model. 53 54QEMU files related to the SPAPR interface: 55 - ``hw/tpm/tpm_spapr.c`` 56 57fw_cfg interface 58================ 59 60The bios/firmware may read the ``"etc/tpm/config"`` fw_cfg entry for 61configuring the guest appropriately. 62 63The entry of 6 bytes has the following content, in little-endian: 64 65.. code-block:: c 66 67 #define TPM_VERSION_UNSPEC 0 68 #define TPM_VERSION_1_2 1 69 #define TPM_VERSION_2_0 2 70 71 #define TPM_PPI_VERSION_NONE 0 72 #define TPM_PPI_VERSION_1_30 1 73 74 struct FwCfgTPMConfig { 75 uint32_t tpmppi_address; /* PPI memory location */ 76 uint8_t tpm_version; /* TPM version */ 77 uint8_t tpmppi_version; /* PPI version */ 78 }; 79 80ACPI interface 81============== 82 83The TPM device is defined with ACPI ID "PNP0C31". QEMU builds a SSDT 84and passes it into the guest through the fw_cfg device. The device 85description contains the base address of the TIS interface 0xfed40000 86and the size of the MMIO area (0x5000). In case a TPM2 is used by 87QEMU, a TPM2 ACPI table is also provided. The device is described to 88be used in polling mode rather than interrupt mode primarily because 89no unused IRQ could be found. 90 91To support measurement logs to be written by the firmware, 92e.g. SeaBIOS, a TCPA table is implemented. This table provides a 64kb 93buffer where the firmware can write its log into. For TPM 2 only a 94more recent version of the TPM2 table provides support for 95measurements logs and a TCPA table does not need to be created. 96 97The TCPA and TPM2 ACPI tables follow the Trusted Computing Group 98specification "TCG ACPI Specification" Family "1.2" and "2.0", Level 9900 Revision 00.37. (see the `ACPI specification`_, or a later version 100of it) 101 102ACPI PPI Interface 103------------------ 104 105QEMU supports the Physical Presence Interface (PPI) for TPM 1.2 and 106TPM 2. This interface requires ACPI and firmware support. (see the 107`PPI specification`_) 108 109PPI enables a system administrator (root) to request a modification to 110the TPM upon reboot. The PPI specification defines the operation 111requests and the actions the firmware has to take. The system 112administrator passes the operation request number to the firmware 113through an ACPI interface which writes this number to a memory 114location that the firmware knows. Upon reboot, the firmware finds the 115number and sends commands to the TPM. The firmware writes the TPM 116result code and the operation request number to a memory location that 117ACPI can read from and pass the result on to the administrator. 118 119The PPI specification defines a set of mandatory and optional 120operations for the firmware to implement. The ACPI interface also 121allows an administrator to list the supported operations. In QEMU the 122ACPI code is generated by QEMU, yet the firmware needs to implement 123support on a per-operations basis, and different firmwares may support 124a different subset. Therefore, QEMU introduces the virtual memory 125device for PPI where the firmware can indicate which operations it 126supports and ACPI can enable the ones that are supported and disable 127all others. This interface lies in main memory and has the following 128layout: 129 130 +-------------+--------+--------+-------------------------------------------+ 131 | Field | Length | Offset | Description | 132 +=============+========+========+===========================================+ 133 | ``func`` | 0x100 | 0x000 | Firmware sets values for each supported | 134 | | | | operation. See defined values below. | 135 +-------------+--------+--------+-------------------------------------------+ 136 | ``ppin`` | 0x1 | 0x100 | SMI interrupt to use. Set by firmware. | 137 | | | | Not supported. | 138 +-------------+--------+--------+-------------------------------------------+ 139 | ``ppip`` | 0x4 | 0x101 | ACPI function index to pass to SMM code. | 140 | | | | Set by ACPI. Not supported. | 141 +-------------+--------+--------+-------------------------------------------+ 142 | ``pprp`` | 0x4 | 0x105 | Result of last executed operation. Set by | 143 | | | | firmware. See function index 5 for values.| 144 +-------------+--------+--------+-------------------------------------------+ 145 | ``pprq`` | 0x4 | 0x109 | Operation request number to execute. See | 146 | | | | 'Physical Presence Interface Operation | 147 | | | | Summary' tables in specs. Set by ACPI. | 148 +-------------+--------+--------+-------------------------------------------+ 149 | ``pprm`` | 0x4 | 0x10d | Operation request optional parameter. | 150 | | | | Values depend on operation. Set by ACPI. | 151 +-------------+--------+--------+-------------------------------------------+ 152 | ``lppr`` | 0x4 | 0x111 | Last executed operation request number. | 153 | | | | Copied from pprq field by firmware. | 154 +-------------+--------+--------+-------------------------------------------+ 155 | ``fret`` | 0x4 | 0x115 | Result code from SMM function. | 156 | | | | Not supported. | 157 +-------------+--------+--------+-------------------------------------------+ 158 | ``res1`` | 0x40 | 0x119 | Reserved for future use | 159 +-------------+--------+--------+-------------------------------------------+ 160 |``next_step``| 0x1 | 0x159 | Operation to execute after reboot by | 161 | | | | firmware. Used by firmware. | 162 +-------------+--------+--------+-------------------------------------------+ 163 | ``movv`` | 0x1 | 0x15a | Memory overwrite variable | 164 +-------------+--------+--------+-------------------------------------------+ 165 166The following values are supported for the ``func`` field. They 167correspond to the values used by ACPI function index 8. 168 169 +----------+-------------------------------------------------------------+ 170 | Value | Description | 171 +==========+=============================================================+ 172 | 0 | Operation is not implemented. | 173 +----------+-------------------------------------------------------------+ 174 | 1 | Operation is only accessible through firmware. | 175 +----------+-------------------------------------------------------------+ 176 | 2 | Operation is blocked for OS by firmware configuration. | 177 +----------+-------------------------------------------------------------+ 178 | 3 | Operation is allowed and physically present user required. | 179 +----------+-------------------------------------------------------------+ 180 | 4 | Operation is allowed and physically present user is not | 181 | | required. | 182 +----------+-------------------------------------------------------------+ 183 184The location of the table is given by the fw_cfg ``tpmppi_address`` 185field. The PPI memory region size is 0x400 (``TPM_PPI_ADDR_SIZE``) to 186leave enough room for future updates. 187 188QEMU files related to TPM ACPI tables: 189 - ``hw/i386/acpi-build.c`` 190 - ``include/hw/acpi/tpm.h`` 191 192TPM backend devices 193=================== 194 195The TPM implementation is split into two parts, frontend and 196backend. The frontend part is the hardware interface, such as the TPM 197TIS interface described earlier, and the other part is the TPM backend 198interface. The backend interfaces implement the interaction with a TPM 199device, which may be a physical or an emulated device. The split 200between the front- and backend devices allows a frontend to be 201connected with any available backend. This enables the TIS interface 202to be used with the passthrough backend or the swtpm backend. 203 204QEMU files related to TPM backends: 205 - ``backends/tpm.c`` 206 - ``include/sysemu/tpm.h`` 207 - ``include/sysemu/tpm_backend.h`` 208 209The QEMU TPM passthrough device 210------------------------------- 211 212In case QEMU is run on Linux as the host operating system it is 213possible to make the hardware TPM device available to a single QEMU 214guest. In this case the user must make sure that no other program is 215using the device, e.g., /dev/tpm0, before trying to start QEMU with 216it. 217 218The passthrough driver uses the host's TPM device for sending TPM 219commands and receiving responses from. Besides that it accesses the 220TPM device's sysfs entry for support of command cancellation. Since 221none of the state of a hardware TPM can be migrated between hosts, 222virtual machine migration is disabled when the TPM passthrough driver 223is used. 224 225Since the host's TPM device will already be initialized by the host's 226firmware, certain commands, e.g. ``TPM_Startup()``, sent by the 227virtual firmware for device initialization, will fail. In this case 228the firmware should not use the TPM. 229 230Sharing the device with the host is generally not a recommended usage 231scenario for a TPM device. The primary reason for this is that two 232operating systems can then access the device's single set of 233resources, such as platform configuration registers 234(PCRs). Applications or kernel security subsystems, such as the Linux 235Integrity Measurement Architecture (IMA), are not expecting to share 236PCRs. 237 238QEMU files related to the TPM passthrough device: 239 - ``backends/tpm/tpm_passthrough.c`` 240 - ``backends/tpm/tpm_util.c`` 241 - ``include/sysemu/tpm_util.h`` 242 243 244Command line to start QEMU with the TPM passthrough device using the host's 245hardware TPM ``/dev/tpm0``: 246 247.. code-block:: console 248 249 qemu-system-x86_64 -display sdl -accel kvm \ 250 -m 1024 -boot d -bios bios-256k.bin -boot menu=on \ 251 -tpmdev passthrough,id=tpm0,path=/dev/tpm0 \ 252 -device tpm-tis,tpmdev=tpm0 test.img 253 254 255The following commands should result in similar output inside the VM 256with a Linux kernel that either has the TPM TIS driver built-in or 257available as a module (assuming a TPM 2 is passed through): 258 259.. code-block:: console 260 261 # dmesg | grep -i tpm 262 [ 0.012560] ACPI: TPM2 0x000000000BFFD1900 00004C (v04 BOCHS \ 263 BXPC 0000001 BXPC 00000001) 264 265 # ls -l /dev/tpm* 266 crw-rw----. 1 tss root 10, 224 Sep 6 12:36 /dev/tpm0 267 crw-rw----. 1 tss rss 253, 65536 Sep 6 12:36 /dev/tpmrm0 268 269 Starting with Linux 5.12 there are PCR entries for TPM 2 in sysfs: 270 # find /sys/devices/ -type f | grep pcr-sha 271 ... 272 /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/1 273 ... 274 /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/9 275 ... 276 277The QEMU TPM emulator device 278---------------------------- 279 280The TPM emulator device uses an external TPM emulator called 'swtpm' 281for sending TPM commands to and receiving responses from. The swtpm 282program must have been started before trying to access it through the 283TPM emulator with QEMU. 284 285The TPM emulator implements a command channel for transferring TPM 286commands and responses as well as a control channel over which control 287commands can be sent. (see the `SWTPM protocol`_ specification) 288 289The control channel serves the purpose of resetting, initializing, and 290migrating the TPM state, among other things. 291 292The swtpm program behaves like a hardware TPM and therefore needs to 293be initialized by the firmware running inside the QEMU virtual 294machine. One necessary step for initializing the device is to send 295the TPM_Startup command to it. SeaBIOS, for example, has been 296instrumented to initialize a TPM 1.2 or TPM 2 device using this 297command. 298 299QEMU files related to the TPM emulator device: 300 - ``backends/tpm/tpm_emulator.c`` 301 - ``backends/tpm/tpm_util.c`` 302 - ``include/sysemu/tpm_util.h`` 303 304The following commands start the swtpm with a UnixIO control channel over 305a socket interface. They do not need to be run as root. 306 307.. code-block:: console 308 309 mkdir /tmp/mytpm1 310 swtpm socket --tpmstate dir=/tmp/mytpm1 \ 311 --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \ 312 --tpm2 \ 313 --log level=20 314 315Command line to start QEMU with the TPM emulator device communicating 316with the swtpm (x86): 317 318.. code-block:: console 319 320 qemu-system-x86_64 -display sdl -accel kvm \ 321 -m 1024 -boot d -bios bios-256k.bin -boot menu=on \ 322 -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \ 323 -tpmdev emulator,id=tpm0,chardev=chrtpm \ 324 -device tpm-tis,tpmdev=tpm0 test.img 325 326In case a pSeries machine is emulated, use the following command line: 327 328.. code-block:: console 329 330 qemu-system-ppc64 -display sdl -machine pseries,accel=kvm \ 331 -m 1024 -bios slof.bin -boot menu=on \ 332 -nodefaults -device VGA -device pci-ohci -device usb-kbd \ 333 -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \ 334 -tpmdev emulator,id=tpm0,chardev=chrtpm \ 335 -device tpm-spapr,tpmdev=tpm0 \ 336 -device spapr-vscsi,id=scsi0,reg=0x00002000 \ 337 -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x3,drive=drive-virtio-disk0,id=virtio-disk0 \ 338 -drive file=test.img,format=raw,if=none,id=drive-virtio-disk0 339 340In case an Arm virt machine is emulated, use the following command line: 341 342.. code-block:: console 343 344 qemu-system-aarch64 -machine virt,gic-version=3,accel=kvm \ 345 -cpu host -m 4G \ 346 -nographic -no-acpi \ 347 -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \ 348 -tpmdev emulator,id=tpm0,chardev=chrtpm \ 349 -device tpm-tis-device,tpmdev=tpm0 \ 350 -device virtio-blk-pci,drive=drv0 \ 351 -drive format=qcow2,file=hda.qcow2,if=none,id=drv0 \ 352 -drive if=pflash,format=raw,file=flash0.img,readonly=on \ 353 -drive if=pflash,format=raw,file=flash1.img 354 355In case a ast2600-evb bmc machine is emulated and you want to use a TPM device 356attached to I2C bus, use the following command line: 357 358.. code-block:: console 359 360 qemu-system-arm -M ast2600-evb -nographic \ 361 -kernel arch/arm/boot/zImage \ 362 -dtb arch/arm/boot/dts/aspeed-ast2600-evb.dtb \ 363 -initrd rootfs.cpio \ 364 -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \ 365 -tpmdev emulator,id=tpm0,chardev=chrtpm \ 366 -device tpm-tis-i2c,tpmdev=tpm0,bus=aspeed.i2c.bus.12,address=0x2e 367 368 For testing, use this command to load the driver to the correct address 369 370 echo tpm_tis_i2c 0x2e > /sys/bus/i2c/devices/i2c-12/new_device 371 372In case SeaBIOS is used as firmware, it should show the TPM menu item 373after entering the menu with 'ESC'. 374 375.. code-block:: console 376 377 Select boot device: 378 1. DVD/CD [ata1-0: QEMU DVD-ROM ATAPI-4 DVD/CD] 379 [...] 380 5. Legacy option rom 381 382 t. TPM Configuration 383 384The following commands should result in similar output inside the VM 385with a Linux kernel that either has the TPM TIS driver built-in or 386available as a module: 387 388.. code-block:: console 389 390 # dmesg | grep -i tpm 391 [ 0.012560] ACPI: TPM2 0x000000000BFFD1900 00004C (v04 BOCHS \ 392 BXPC 0000001 BXPC 00000001) 393 394 # ls -l /dev/tpm* 395 crw-rw----. 1 tss root 10, 224 Sep 6 12:36 /dev/tpm0 396 crw-rw----. 1 tss rss 253, 65536 Sep 6 12:36 /dev/tpmrm0 397 398 Starting with Linux 5.12 there are PCR entries for TPM 2 in sysfs: 399 # find /sys/devices/ -type f | grep pcr-sha 400 ... 401 /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/1 402 ... 403 /sys/devices/LNXSYSTEM:00/LNXSYBUS:00/MSFT0101:00/tpm/tpm0/pcr-sha256/9 404 ... 405 406Migration with the TPM emulator 407=============================== 408 409The TPM emulator supports the following types of virtual machine 410migration: 411 412- VM save / restore (migration into a file) 413- Network migration 414- Snapshotting (migration into storage like QoW2 or QED) 415 416The following command sequences can be used to test VM save / restore. 417 418In a 1st terminal start an instance of a swtpm using the following command: 419 420.. code-block:: console 421 422 mkdir /tmp/mytpm1 423 swtpm socket --tpmstate dir=/tmp/mytpm1 \ 424 --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \ 425 --tpm2 \ 426 --log level=20 427 428In a 2nd terminal start the VM: 429 430.. code-block:: console 431 432 qemu-system-x86_64 -display sdl -accel kvm \ 433 -m 1024 -boot d -bios bios-256k.bin -boot menu=on \ 434 -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \ 435 -tpmdev emulator,id=tpm0,chardev=chrtpm \ 436 -device tpm-tis,tpmdev=tpm0 \ 437 -monitor stdio \ 438 test.img 439 440Verify that the attached TPM is working as expected using applications 441inside the VM. 442 443To store the state of the VM use the following command in the QEMU 444monitor in the 2nd terminal: 445 446.. code-block:: console 447 448 (qemu) migrate "exec:cat > testvm.bin" 449 (qemu) quit 450 451At this point a file called ``testvm.bin`` should exists and the swtpm 452and QEMU processes should have ended. 453 454To test 'VM restore' you have to start the swtpm with the same 455parameters as before. If previously a TPM 2 [--tpm2] was saved, --tpm2 456must now be passed again on the command line. 457 458In the 1st terminal restart the swtpm with the same command line as 459before: 460 461.. code-block:: console 462 463 swtpm socket --tpmstate dir=/tmp/mytpm1 \ 464 --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \ 465 --log level=20 --tpm2 466 467In the 2nd terminal restore the state of the VM using the additional 468'-incoming' option. 469 470.. code-block:: console 471 472 qemu-system-x86_64 -display sdl -accel kvm \ 473 -m 1024 -boot d -bios bios-256k.bin -boot menu=on \ 474 -chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock \ 475 -tpmdev emulator,id=tpm0,chardev=chrtpm \ 476 -device tpm-tis,tpmdev=tpm0 \ 477 -incoming "exec:cat < testvm.bin" \ 478 test.img 479 480Troubleshooting migration 481------------------------- 482 483There are several reasons why migration may fail. In case of problems, 484please ensure that the command lines adhere to the following rules 485and, if possible, that identical versions of QEMU and swtpm are used 486at all times. 487 488VM save and restore: 489 490 - QEMU command line parameters should be identical apart from the 491 '-incoming' option on VM restore 492 493 - swtpm command line parameters should be identical 494 495VM migration to 'localhost': 496 497 - QEMU command line parameters should be identical apart from the 498 '-incoming' option on the destination side 499 500 - swtpm command line parameters should point to two different 501 directories on the source and destination swtpm (--tpmstate dir=...) 502 (especially if different versions of libtpms were to be used on the 503 same machine). 504 505VM migration across the network: 506 507 - QEMU command line parameters should be identical apart from the 508 '-incoming' option on the destination side 509 510 - swtpm command line parameters should be identical 511 512VM Snapshotting: 513 - QEMU command line parameters should be identical 514 515 - swtpm command line parameters should be identical 516 517 518Besides that, migration failure reasons on the swtpm level may include 519the following: 520 521 - the versions of the swtpm on the source and destination sides are 522 incompatible 523 524 - downgrading of TPM state may not be supported 525 526 - the source and destination libtpms were compiled with different 527 compile-time options and the destination side refuses to accept the 528 state 529 530 - different migration keys are used on the source and destination side 531 and the destination side cannot decrypt the migrated state 532 (swtpm ... --migration-key ... ) 533 534 535.. _TIS specification: 536 https://trustedcomputinggroup.org/pc-client-work-group-pc-client-specific-tpm-interface-specification-tis/ 537 538.. _CRB specification: 539 https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/ 540 541 542.. _ACPI specification: 543 https://trustedcomputinggroup.org/tcg-acpi-specification/ 544 545.. _PPI specification: 546 https://trustedcomputinggroup.org/resource/tcg-physical-presence-interface-specification/ 547 548.. _SWTPM protocol: 549 https://github.com/stefanberger/swtpm/blob/master/man/man3/swtpm_ioctls.pod 550