Libtpms-based TPM emulator with socket, character device, and Linux CUSE interface.
Stefan Berger 2b8a668dbb swtpm: Implement CMD_GETINFO to retrieve TPM specification info
We query the swtpm for TPM specification info that goes into the
certificate for the EK.

Update the test cases that now see more capabilities being returned
by the swtpm.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
2018-04-23 10:00:26 -04:00
debian debian: Remove runtime dependency on expect tool 2018-02-12 10:32:10 -05:00
dist rpm build: Update SELinux policy files for swtpm and swtpm_cuse 2018-04-09 15:08:52 -04:00
etc treewide: remove executable bit from config files and c-code 2018-01-17 10:45:25 -05:00
include swtpm: Implement CMD_GETINFO to retrieve TPM specification info 2018-04-23 10:00:26 -04:00
man man: add an example to swtpm_setup man page 2018-04-18 14:53:55 -04:00
samples samples: Error out if key exists but is not readable for user 2018-04-18 14:53:55 -04:00
src swtpm: Implement CMD_GETINFO to retrieve TPM specification info 2018-04-23 10:00:26 -04:00
tests swtpm: Implement CMD_GETINFO to retrieve TPM specification info 2018-04-23 10:00:26 -04:00
.gitignore selinux: replace swtpmcuse_svirt with swtpm_svirt 2018-04-09 12:08:46 -04:00
.travis.yml travis: checkout tpm2-preview.rev146.v2 branch of libtpms 2018-03-14 15:38:01 -04:00
bootstrap.sh initial check-in 2014-12-05 11:16:03 -05:00
CHANGES initial check-in 2014-12-05 11:16:03 -05:00
configure.ac build: fix linker SEARCH_DIR extraction for OpenBSD and Cygwin 2017-10-12 13:07:46 -04:00
COPYING initial check-in 2014-12-05 11:16:03 -05:00
DCO1.1.txt Replace the CLA with the DCO, simply requiring a Signed-off-by: 2016-12-21 11:11:48 -05:00
INSTALL Update INSTALL file for Debian 2017-09-29 20:02:07 -04:00
install-sh initial check-in 2014-12-05 11:16:03 -05:00
LICENSE swtpm: Replace the CUSE TPM with the new implementation 2015-12-07 15:01:57 -05:00
Makefile.am merging swtpm-tools into this project 2014-12-05 13:43:21 -05:00
README README: clarify status of qemu tpm patches 2017-01-10 17:25:37 +01:00
run_tests test: add script to test 32bit and 64bit versions 2017-10-05 07:17:25 -04:00
TODO Adding RHEL/Centos status info 2016-06-26 20:03:43 -04:00

SWTPM - Software TPM Emulator
      David Safford safford@us.ibm.com
      Stefan Berger stefanb@us.ibm.com

The SWTPM package provides TPM emulators with different front-end interfaces
to libtpms. TPM emulators provide socket interfaces (TCP/IP) and the Linux
CUSE interface for the creation of multiple native /dev/vtpm* devices.
Those can be the targets of multiple QEMU cuse-tpm instances.

The SWTPM package also provides several tools for using the CUSE TPM,
creating certificates for a TPM, and simulating the manufacturing of
a TPM by creating a TPM's EK and platform certificates etc. Please read
the READMEs in the individual tools' directories under src/.


TPM emulators:
--------------

The primary goal of the CUSE TPM is to support running multiple QEMU guests,
each having its own TPM emulator, without modifying QEMU, the kernel, or
libtpms. The approach is to use the QEMU cuse-tpm driver, pointing it to
/dev/vtpm? which is established as a CUSE frontend to libtpms.

The CUSE frontend supports ioctls on the /dev/vtpm? device file for
handling hardware-specific features, such as hardware reset, hardware
shutdown, setting the locality, getting the tpmEstablished bit, and
others. There is a getcapability ioctl to query which of these features
are available on a given vtpm.
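As an added example (not swtpm's own code), this is how a program on the host can ask a vtpm which of those features it offers. The ioctl number ('P', 0) and the PTM_CAP_* bit positions are my reading of swtpm's include/swtpm/tpm_ioctl.h, not copied from this page; build against the installed header to be certain they match your version.

```c
/* Added example, not swtpm's own code: read a CUSE vTPM's PTM_CAP_* mask with
 * the PTM_GET_CAPABILITY ioctl. The ioctl number ('P', 0) and bit layout are
 * my reading of swtpm's include/swtpm/tpm_ioctl.h; check the installed header. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>

typedef uint64_t ptm_cap;                    /* 64-bit mask of PTM_CAP_* bits */
#define PTM_GET_CAPABILITY _IOR('P', 0, ptm_cap)

static const struct { ptm_cap bit; const char *name; } cap_names[] = {
    { 1u << 0, "INIT" },               { 1u << 1, "SHUTDOWN" },
    { 1u << 2, "GET_TPMESTABLISHED" }, { 1u << 3, "SET_LOCALITY" },
    { 1u << 4, "HASHING" },            { 1u << 5, "CANCEL_TPM_CMD" },
    { 1u << 6, "STORE_VOLATILE" },     { 1u << 7, "RESET_TPMESTABLISHED" },
};

/* Render the mask as space-separated names; unknown bits stay visible as
 * "bit<n>" so a newer swtpm's features are not silently dropped.
 * Returns how many of the set bits were recognised. */
int decode_caps(ptm_cap caps, char *out, size_t outlen)
{
    int known = 0;
    out[0] = '\0';
    for (unsigned i = 0; i < 64; i++) {
        ptm_cap bit = (ptm_cap)1 << i;
        const char *name = NULL;
        char tmp[16];
        if (!(caps & bit)) continue;
        for (size_t j = 0; j < sizeof cap_names / sizeof cap_names[0]; j++)
            if (cap_names[j].bit == bit) name = cap_names[j].name;
        if (name) known++;
        else { snprintf(tmp, sizeof tmp, "bit%u", i); name = tmp; }
        if (out[0]) strncat(out, " ", outlen - strlen(out) - 1);
        strncat(out, name, outlen - strlen(out) - 1);
    }
    return known;
}

/* Query the device (the name given to swtpm_cuse -n); 0 on success, -1 on error. */
int query_caps(const char *dev, ptm_cap *caps)
{
    int fd = open(dev, O_RDWR);
    if (fd < 0) return -1;
    int rc = ioctl(fd, PTM_GET_CAPABILITY, caps);
    close(fd);
    return rc < 0 ? -1 : 0;
}
```

A main() that calls query_caps("/dev/vtpm0", &caps) and prints decode_caps() output is all that is needed to turn this into a checker for the vtpm started with swtpm_cuse -n vtpm0.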

This has been tested on Fedora 20, as it has everything needed
(cuse, QEMU with TPM passthrough driver, libtpms...) enabled by default.
It is also known to work on RHEL-6.

Building:
	Please read INSTALL for how to build and install the package

Notes: 	If you are running SELinux in enforcing mode (the Fedora 20 default),
	then you will get many (6?) rounds of errors, and every time you have to
	use the SELinux troubleshooter to add policies to allow the vtpm
	server to run. You only have to do this for the first VM.

	(If you are running IMA appraisal, you will need to sign the
	installed executables and libraries: /usr/bin/swtpm,
	/usr/bin/swtpm_cuse and /usr/lib/libswtpm_libtpms.so.)

In the Guest:
	If you are running a Fedora 20 guest, then you can start out with:
		yum install tpm-tools
		systemctl start tcsd.service
		tpm_createek
		tpm_takeown -u -y -z
		tpm_getpubek -u -z

-----------------------------------------------------------------------------
Low level details on the executables:

	On Fedora 20, CUSE is a module, so you may need to:
		modprobe cuse
	For each desired vtpm, as root you simply:
		export TPM_PATH=<directory to keep vtpm state files>
		./swtpm_cuse -M <major> -m <minor> -n <device name>
	The process runs as a background daemon.

Initialize two vTPMs' initial state with an EK each:

	# mkdir /tmp/myvtpm0
	# chown -R tss:root  /tmp/myvtpm0
	# swtpm_setup --tpm-state /tmp/myvtpm0  --createek

	# mkdir /tmp/myvtpm1
	# chown -R tss:root  /tmp/myvtpm1
	# swtpm_setup --tpm-state /tmp/myvtpm1  --createek

Start the vTPM to use it with QEMU:

	# export TPM_PATH=/tmp/myvtpm0
	# swtpm_cuse -n vtpm0

	# export TPM_PATH=/tmp/myvtpm1
	# swtpm_cuse -n vtpm1

Running QEMU with the cuse-tpm:

Two options are needed for the passthrough, -tpmdev and -device, as
shown in these examples. Note that the "path" parameter points to the
native (/dev/vtpm0...) path, while the id and tpmdev are the guest's view.

    $ qemu-system-x86_64 -display sdl -enable-kvm -cdrom cdrom.iso \
    -m 1024 -boot d -bios bios.bin -boot menu=on -tpmdev \
    cuse-tpm,id=tpm0,path=/dev/vtpm0 \
    -device tpm-tis,tpmdev=tpm0 test.img

    $ qemu-system-x86_64 -display sdl -enable-kvm -cdrom cdrom.iso \
    -m 1024 -boot d -bios bios.bin -boot menu=on -tpmdev \
    cuse-tpm,id=tpm1,path=/dev/vtpm1 \
    -device tpm-tis,tpmdev=tpm1 test2.img

For this to work, qemu patches that are not included in upstream qemu
are needed.  Currently those are maintained in
https://github.com/stefanberger/qemu-tpm

Including them upstream has been discussed, most recently at
https://lists.nongnu.org/archive/html/qemu-devel/2016-06/msg00252.html