Patchwork [V19,5/7] Add a TPM Passthrough backend driver implementation

login
register
mail settings
Submitter Stefan Berger
Date June 4, 2012, 7:37 p.m.
Message ID <1338838668-7544-6-git-send-email-stefanb@linux.vnet.ibm.com>
Download mbox | patch
Permalink /patch/162867/
State New
Headers show

Comments

Stefan Berger - June 4, 2012, 7:37 p.m.
From Andreas Niederl's original posting with adaptations where necessary:

This patch is based of off version 9 of Stefan Berger's patch series
  "Qemu Trusted Platform Module (TPM) integration"
and adds a new backend driver for it.

This patch adds a passthrough backend driver for passing commands sent to the
emulated TPM device directly to a TPM device opened on the host machine.

Thus it is possible to use a hardware TPM device in a system running on QEMU,
providing the ability to access a TPM in a special state (e.g. after a Trusted
Boot).

This functionality is being used in the acTvSM Trusted Virtualization Platform
which is available on [1].

Usage example:
  qemu-system-x86_64 -tpmdev passthrough,id=tpm0,path=/dev/tpm0 \
                     -device tpm-tis,tpmdev=tpm0 \
                     -cdrom test.iso -boot d

Some notes about the host TPM:
The TPM needs to be enabled and activated. If that's not the case one
has to go through the BIOS/UEFI and enable and activate that TPM for TPM
commands to work as expected.
It may be necessary to boot the kernel using tpm_tis.force=1 in the boot
command line or 'modprobe tpm_tis force=1' in case of using it as a module.

Regards,
Andreas Niederl, Stefan Berger

[1] http://trustedjava.sourceforge.net/

Signed-off-by: Andreas Niederl <andreas.niederl@iaik.tugraz.at>
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
---
 Makefile.target      |    3 +-
 configure            |    3 +
 hw/tpm_backend.c     |   58 ++++++++
 hw/tpm_backend.h     |   43 ++++++
 hw/tpm_passthrough.c |  398 ++++++++++++++++++++++++++++++++++++++++++++++++++
 qemu-options.hx      |   38 +++++-
 tpm.c                |   18 +++
 tpm.h                |   33 ++++
 vl.c                 |    2 +
 9 files changed, 594 insertions(+), 2 deletions(-)
 create mode 100644 hw/tpm_backend.c
 create mode 100644 hw/tpm_backend.h
 create mode 100644 hw/tpm_passthrough.c
Corey Bryant - Sept. 27, 2012, 2:28 p.m.
On 06/04/2012 03:37 PM, Stefan Berger wrote:
>>From Andreas Niederl's original posting with adaptations where necessary:
>
> This patch is based of off version 9 of Stefan Berger's patch series
>    "Qemu Trusted Platform Module (TPM) integration"
> and adds a new backend driver for it.
>
> This patch adds a passthrough backend driver for passing commands sent to the
> emulated TPM device directly to a TPM device opened on the host machine.
>
> Thus it is possible to use a hardware TPM device in a system running on QEMU,
> providing the ability to access a TPM in a special state (e.g. after a Trusted
> Boot).
>
> This functionality is being used in the acTvSM Trusted Virtualization Platform
> which is available on [1].
>
> Usage example:
>    qemu-system-x86_64 -tpmdev passthrough,id=tpm0,path=/dev/tpm0 \
>                       -device tpm-tis,tpmdev=tpm0 \
>                       -cdrom test.iso -boot d
>
> Some notes about the host TPM:
> The TPM needs to be enabled and activated. If that's not the case one
> has to go through the BIOS/UEFI and enable and activate that TPM for TPM
> commands to work as expected.
> It may be necessary to boot the kernel using tpm_tis.force=1 in the boot
> command line or 'modprobe tpm_tis force=1' in case of using it as a module.
>
> Regards,
> Andreas Niederl, Stefan Berger
>
> [1] http://trustedjava.sourceforge.net/
>
> Signed-off-by: Andreas Niederl <andreas.niederl@iaik.tugraz.at>
> Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
> ---
>   Makefile.target      |    3 +-
>   configure            |    3 +
>   hw/tpm_backend.c     |   58 ++++++++
>   hw/tpm_backend.h     |   43 ++++++
>   hw/tpm_passthrough.c |  398 ++++++++++++++++++++++++++++++++++++++++++++++++++
>   qemu-options.hx      |   38 +++++-
>   tpm.c                |   18 +++
>   tpm.h                |   33 ++++
>   vl.c                 |    2 +
>   9 files changed, 594 insertions(+), 2 deletions(-)
>   create mode 100644 hw/tpm_backend.c
>   create mode 100644 hw/tpm_backend.h
>   create mode 100644 hw/tpm_passthrough.c
>
> diff --git a/Makefile.target b/Makefile.target
> index cdf108a..ef063c8 100644
> --- a/Makefile.target
> +++ b/Makefile.target
> @@ -193,7 +193,8 @@ obj-$(CONFIG_NO_KVM) += kvm-stub.o
>   obj-$(CONFIG_VGA) += vga.o
>   obj-y += memory.o savevm.o cputlb.o
>   obj-y += tpm.o
> -obj-$(CONFIG_TPM) += tpm_tis.o
> +obj-$(CONFIG_TPM) += tpm_tis.o tpm_backend.o
> +obj-$(CONFIG_TPM_PASSTHROUGH) += tpm_passthrough.o
>   LIBS+=-lz
>
>   obj-i386-$(CONFIG_KVM) += hyperv.o
> diff --git a/configure b/configure
> index d805c20..804d8c8 100755
> --- a/configure
> +++ b/configure
> @@ -3918,6 +3918,9 @@ fi
>
>   if test "$tpm" = "yes"; then
>     if test "$target_softmmu" = "yes" ; then
> +    if test "$linux" = "yes" ; then
> +      echo "CONFIG_TPM_PASSTHROUGH=y" >> $config_host_mak
> +    fi
>       echo "CONFIG_TPM=y" >> $config_host_mak
>     fi
>   fi
> diff --git a/hw/tpm_backend.c b/hw/tpm_backend.c
> new file mode 100644
> index 0000000..4cf0809
> --- /dev/null
> +++ b/hw/tpm_backend.c
> @@ -0,0 +1,58 @@
> +/*
> + *  common TPM backend driver functions
> + *
> + *  Copyright (c) 2012 IBM Corporation
> + *  Authors:
> + *    Stefan Berger <stefanb@us.ibm.com>
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see <http://www.gnu.org/licenses/>
> + */
> +
> +#include "tpm.h"
> +#include "qemu-thread.h"
> +#include "hw/tpm_backend.h"
> +
> +void tpm_backend_thread_deliver_request(TPMBackendThread *tbt)
> +{
> +   g_thread_pool_push(tbt->pool, (gpointer)TPM_BACKEND_CMD_PROCESS_CMD, NULL);
> +}
> +
> +void tpm_backend_thread_create(TPMBackendThread *tbt,
> +                               GFunc func, gpointer user_data)
> +{
> +    if (!tbt->pool) {
> +        tbt->pool = g_thread_pool_new(func, user_data, 1, TRUE, NULL);
> +        g_thread_pool_push(tbt->pool, (gpointer)TPM_BACKEND_CMD_INIT, NULL);
> +    }
> +}
> +
> +void tpm_backend_thread_end(TPMBackendThread *tbt)
> +{
> +    if (tbt->pool) {
> +        g_thread_pool_push(tbt->pool, (gpointer)TPM_BACKEND_CMD_END, NULL);
> +        g_thread_pool_free(tbt->pool, FALSE, TRUE);
> +        tbt->pool = NULL;
> +    }
> +}
> +
> +void tpm_backend_thread_tpm_reset(TPMBackendThread *tbt,
> +                                  GFunc func, gpointer user_data)
> +{
> +    if (!tbt->pool) {
> +        tpm_backend_thread_create(tbt, func, user_data);
> +    } else {
> +        g_thread_pool_push(tbt->pool, (gpointer)TPM_BACKEND_CMD_TPM_RESET,
> +                           NULL);
> +    }
> +}
> diff --git a/hw/tpm_backend.h b/hw/tpm_backend.h
> new file mode 100644
> index 0000000..f5fe198
> --- /dev/null
> +++ b/hw/tpm_backend.h
> @@ -0,0 +1,43 @@
> +/*
> + *  common TPM backend driver functions
> + *
> + *  Copyright (c) 2012 IBM Corporation
> + *  Authors:
> + *    Stefan Berger <stefanb@us.ibm.com>
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see <http://www.gnu.org/licenses/>
> + */
> +
> +#ifndef HW_TPM_BACKEND_H
> +#define HW_TPM_BACKEND_H
> +
> +typedef struct TPMBackendThread {
> +    GThreadPool *pool;
> +} TPMBackendThread;
> +
> +void tpm_backend_thread_deliver_request(TPMBackendThread *tbt);
> +void tpm_backend_thread_create(TPMBackendThread *tbt,
> +                               GFunc func, gpointer user_data);
> +void tpm_backend_thread_end(TPMBackendThread *tbt);
> +void tpm_backend_thread_tpm_reset(TPMBackendThread *tbt,
> +                                  GFunc func, gpointer user_data);
> +
> +typedef enum TPMBackendCmd {
> +    TPM_BACKEND_CMD_INIT = 1,
> +    TPM_BACKEND_CMD_PROCESS_CMD,
> +    TPM_BACKEND_CMD_END,
> +    TPM_BACKEND_CMD_TPM_RESET,
> +} TPMBackendCmd;
> +
> +#endif /* HW_TPM_BACKEND_H */
> diff --git a/hw/tpm_passthrough.c b/hw/tpm_passthrough.c
> new file mode 100644
> index 0000000..8914705
> --- /dev/null
> +++ b/hw/tpm_passthrough.c
> @@ -0,0 +1,398 @@
> +/*
> + *  passthrough TPM driver
> + *
> + *  Copyright (c) 2010, 2011 IBM Corporation
> + *  Authors:
> + *    Stefan Berger <stefanb@us.ibm.com>
> + *
> + *  Copyright (C) 2011 IAIK, Graz University of Technology
> + *    Author: Andreas Niederl
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see <http://www.gnu.org/licenses/>
> + */
> +
> +#include "qemu-common.h"
> +#include "qemu-error.h"
> +#include "qemu_socket.h"
> +#include "tpm.h"
> +#include "hw/hw.h"
> +#include "hw/tpm_tis.h"
> +#include "hw/tpm_backend.h"
> +#include "hw/pc.h"
> +
> +/* #define DEBUG_TPM */
> +
> +#ifdef DEBUG_TPM
> +#define dprintf(fmt, ...) \
> +    do { fprintf(stderr, fmt, ## __VA_ARGS__); } while (0)
> +#else
> +#define dprintf(fmt, ...) \
> +    do { } while (0)
> +#endif
> +
> +/* data structures */
> +
> +typedef struct TPMPassthruThreadParams {
> +    TPMState *tpm_state;
> +
> +    TPMRecvDataCB *recv_data_callback;
> +    TPMBackend *tb;
> +} TPMPassthruThreadParams;
> +
> +struct TPMPassthruState {
> +    TPMBackendThread tbt;
> +
> +    TPMPassthruThreadParams tpm_thread_params;
> +
> +    char *tpm_dev;
> +    int tpm_fd;
> +    bool had_startup_error;
> +};
> +
> +#define TPM_PASSTHROUGH_DEFAULT_DEVICE "/dev/tpm0"
> +
> +/* borrowed from qemu-char.c */
> +static int tpm_passthrough_unix_write(int fd, const uint8_t *buf, uint32_t len)
> +{
> +    return send_all(fd, buf, len);
> +}
> +
> +static int tpm_passthrough_unix_read(int fd, uint8_t *buf, uint32_t len)

It would probably be useful to other parts of QEMU if you defined this 
function as recv_all() and put it in qemu-char.c (to correspond with 
send_all()).

> +{
> +    int ret, len1;
> +    uint8_t *buf1;
> +
> +    len1 = len;
> +    buf1 = buf;
> +    while ((len1 > 0) && (ret = read(fd, buf1, len1)) != 0) {
> +        if (ret < 0) {
> +            if (errno != EINTR && errno != EAGAIN) {
> +                return -1;
> +            }
> +        } else {
> +            buf1 += ret;
> +            len1 -= ret;
> +        }
> +    }
> +    return len - len1;
> +}
> +
> +static uint32_t tpm_passthrough_get_size_from_buffer(const uint8_t *buf)
> +{
> +    return be32_to_cpu(*(uint32_t *)&buf[2]);
> +}
> +
> +static int tpm_passthrough_unix_tx_bufs(int tpm_fd,
> +                                        const uint8_t *in, uint32_t in_len,
> +                                        uint8_t *out, uint32_t out_len)
> +{
> +    int ret;
> +
> +    ret = tpm_passthrough_unix_write(tpm_fd, in, in_len);
> +    if (ret != in_len) {
> +        error_report("tpm_passthrough: error while transmitting data "
> +                     "to TPM: %s (%i)\n",
> +                     strerror(errno), errno);
> +        goto err_exit;
> +    }
> +
> +    ret = tpm_passthrough_unix_read(tpm_fd, out, out_len);
> +    if (ret < 0) {
> +        error_report("tpm_passthrough: error while reading data from "
> +                     "TPM: %s (%i)\n",
> +                     strerror(errno), errno);
> +    } else if (ret < sizeof(struct tpm_resp_hdr) ||
> +               tpm_passthrough_get_size_from_buffer(out) != ret) {
> +        ret = -1;
> +        error_report("tpm_passthrough: received invalid response "
> +                     "packet from TPM\n");
> +    }
> +
> +err_exit:
> +    if (ret < 0) {
> +        tpm_write_fatal_error_response(out, out_len);
> +    }
> +
> +    return ret;
> +}
> +
> +static int tpm_passthrough_unix_transfer(int tpm_fd,
> +                                         const TPMLocality *cmd_locty)
> +{
> +    return tpm_passthrough_unix_tx_bufs(tpm_fd,
> +                                        cmd_locty->w_buffer.buffer,
> +                                        cmd_locty->w_offset,
> +                                        cmd_locty->r_buffer.buffer,
> +                                        cmd_locty->r_buffer.size);
> +}
> +
> +static void tpm_passthrough_worker_thread(gpointer data,
> +                                          gpointer user_data)
> +{
> +    TPMPassthruThreadParams *thr_parms = user_data;
> +    TPMPassthruState *tpm_pt = thr_parms->tb->s.tpm_pt;
> +    TPMBackendCmd cmd = (TPMBackendCmd)data;
> +
> +    dprintf("tpm_passthrough: processing command type %ld\n", cmd);
> +
> +    switch (cmd) {
> +    case TPM_BACKEND_CMD_PROCESS_CMD:
> +        tpm_passthrough_unix_transfer(tpm_pt->tpm_fd,
> +                                      thr_parms->tpm_state->cmd_locty);
> +
> +        thr_parms->recv_data_callback(thr_parms->tpm_state,
> +                                      thr_parms->tpm_state->command_locty);
> +        break;
> +    case TPM_BACKEND_CMD_INIT:
> +    case TPM_BACKEND_CMD_END:
> +    case TPM_BACKEND_CMD_TPM_RESET:
> +        /* nothing to do */
> +        break;
> +    }
> +}
> +
> +/*
> + * Start the TPM (thread). If it had been started before, then terminate
> + * and start it again.
> + */
> +static int tpm_passthrough_do_startup_tpm(TPMBackend *tb)
> +{
> +    TPMPassthruState *tpm_pt = tb->s.tpm_pt;
> +
> +    /* terminate a running TPM */
> +    tpm_backend_thread_end(&tpm_pt->tbt);
> +
> +    tpm_backend_thread_create(&tpm_pt->tbt,
> +                              tpm_passthrough_worker_thread,
> +                              &tb->s.tpm_pt->tpm_thread_params);
> +
> +    return 0;
> +}
> +
> +static int tpm_passthrough_startup_tpm(TPMBackend *tb)
> +{
> +    TPMPassthruState *tpm_pt = tb->s.tpm_pt;
> +    int rc;
> +
> +    rc = tpm_passthrough_do_startup_tpm(tb);
> +    if (rc) {
> +        tpm_pt->had_startup_error = true;

tpm_passthrough_do_startup_tpm() always returns zero, so 
had_startup_error will never be set to true.

> +    }
> +    return rc;
> +}
> +
> +static void tpm_passthrough_reset(TPMBackend *tb)
> +{
> +    TPMPassthruState *tpm_pt = tb->s.tpm_pt;
> +
> +    dprintf("tpm_passthrough: CALL TO TPM_RESET!\n");
> +
> +    tpm_backend_thread_end(&tpm_pt->tbt);

Should the thread be restarted here?

> +
> +    tpm_pt->had_startup_error = false;
> +}
> +
> +static int tpm_passthrough_init(TPMBackend *tb, TPMState *s,
> +                                TPMRecvDataCB *recv_data_cb)
> +{
> +    TPMPassthruState *tpm_pt = tb->s.tpm_pt;
> +
> +    tpm_pt->tpm_thread_params.tpm_state = s;
> +    tpm_pt->tpm_thread_params.recv_data_callback = recv_data_cb;
> +    tpm_pt->tpm_thread_params.tb = tb;
> +
> +    return 0;
> +}
> +
> +static bool tpm_passthrough_get_tpm_established_flag(TPMBackend *tb)
> +{
> +    return false;

Can a T/OS never be established with the passthrough backend?

> +}
> +
> +static bool tpm_passthrough_get_startup_error(TPMBackend *tb)
> +{
> +    TPMPassthruState *tpm_pt = tb->s.tpm_pt;
> +
> +    return tpm_pt->had_startup_error;
> +}
> +
> +static size_t tpm_passthrough_realloc_buffer(TPMSizedBuffer *sb)
> +{
> +    size_t wanted_size = 4096; /* Linux tpm.c buffer size */
> +
> +    if (sb->size != wanted_size) {
> +        sb->buffer = g_realloc(sb->buffer, wanted_size);
> +        sb->size = wanted_size;
> +    }
> +    return sb->size;
> +}
> +
> +static void tpm_passthrough_deliver_request(TPMBackend *tb)
> +{
> +    TPMPassthruState *tpm_pt = tb->s.tpm_pt;
> +
> +    tpm_backend_thread_deliver_request(&tpm_pt->tbt);
> +}
> +
> +static const char *tpm_passthrough_create_desc(void)
> +{
> +    return "Passthrough TPM backend driver";
> +}
> +
> +/*
> + * A basic test of a TPM device. We expect a well formatted response header
> + * (error response is fine) within one second.
> + */
> +static int tpm_passthrough_test_tpmdev(int fd)
> +{
> +    struct tpm_req_hdr req = {
> +        .tag = cpu_to_be16(TPM_TAG_RQU_COMMAND),
> +        .len = cpu_to_be32(sizeof(req)),
> +        .ordinal = cpu_to_be32(TPM_ORD_GetTicks),
> +    };
> +    struct tpm_resp_hdr *resp;
> +    fd_set readfds;
> +    int n;
> +    struct timeval tv = {
> +        .tv_sec = 1,
> +        .tv_usec = 0,
> +    };
> +    unsigned char buf[1024];
> +
> +    n = write(fd, &req, sizeof(req));
> +    if (n < 0) {
> +        return errno;
> +    }
> +    if (n != sizeof(req)) {
> +        return EFAULT;
> +    }
> +
> +    FD_ZERO(&readfds);
> +    FD_SET(fd, &readfds);
> +
> +    /* wait for a second */
> +    n = select(fd + 1, &readfds, NULL, NULL, &tv);
> +    if (n != 1) {
> +        return errno;
> +    }
> +
> +    n = read(fd, &buf, sizeof(buf));
> +    if (n < sizeof(struct tpm_resp_hdr)) {
> +        return EFAULT;
> +    }
> +
> +    resp = (struct tpm_resp_hdr *)buf;
> +    /* check the header */
> +    if (be16_to_cpu(resp->tag) != TPM_TAG_RSP_COMMAND ||
> +        be32_to_cpu(resp->len) != n) {
> +        return EBADMSG;
> +    }
> +
> +    return 0;
> +}
> +
> +static int tpm_passthrough_handle_device_opts(QemuOpts *opts, TPMBackend *tb)
> +{
> +    const char *value;
> +
> +    value = qemu_opt_get(opts, "path");
> +    if (!value) {
> +        value = TPM_PASSTHROUGH_DEFAULT_DEVICE;
> +    }
> +
> +    tb->s.tpm_pt->tpm_dev = g_strdup(value);
> +
> +    tb->path = g_strdup(tb->s.tpm_pt->tpm_dev);
> +
> +    tb->s.tpm_pt->tpm_fd = open(tb->s.tpm_pt->tpm_dev, O_RDWR);
> +    if (tb->s.tpm_pt->tpm_fd < 0) {
> +        error_report("Cannot access TPM device using '%s'.\n",
> +                     tb->s.tpm_pt->tpm_dev);
> +        goto err_free_parameters;
> +    }
> +
> +    if (tpm_passthrough_test_tpmdev(tb->s.tpm_pt->tpm_fd)) {
> +        error_report("'%s' is not a TPM device.\n",
> +                     tb->s.tpm_pt->tpm_dev);
> +        goto err_close_tpmdev;
> +    }
> +
> +    return 0;
> +
> + err_close_tpmdev:
> +    close(tb->s.tpm_pt->tpm_fd);
> +    tb->s.tpm_pt->tpm_fd = -1;
> +
> + err_free_parameters:
> +    g_free(tb->path);
> +    tb->path = NULL;
> +
> +    g_free(tb->s.tpm_pt->tpm_dev);
> +    tb->s.tpm_pt->tpm_dev = NULL;
> +
> +    return 1;
> +}
> +
> +static TPMBackend *tpm_passthrough_create(QemuOpts *opts, const char *id)
> +{
> +    TPMBackend *tb;
> +
> +    tb = g_new0(TPMBackend, 1);
> +    tb->s.tpm_pt = g_new0(TPMPassthruState, 1);
> +    tb->id = g_strdup(id);
> +
> +    tb->ops = &tpm_passthrough_driver;
> +
> +    if (tpm_passthrough_handle_device_opts(opts, tb)) {
> +        goto err_exit;
> +    }
> +
> +    return tb;
> +
> +err_exit:
> +    g_free(tb->id);
> +    g_free(tb->s.tpm_pt);
> +    g_free(tb);
> +
> +    return NULL;
> +}
> +
> +static void tpm_passthrough_destroy(TPMBackend *tb)
> +{
> +    TPMPassthruState *tpm_pt = tb->s.tpm_pt;
> +
> +    tpm_backend_thread_end(&tpm_pt->tbt);
> +
> +    close(tpm_pt->tpm_fd);
> +
> +    g_free(tb->id);
> +    g_free(tb->path);
> +    g_free(tb->s.tpm_pt->tpm_dev);
> +    g_free(tb->s.tpm_pt);
> +    g_free(tb);
> +}
> +
> +const TPMDriverOps tpm_passthrough_driver = {
> +    .id                       = "passthrough",
> +    .desc                     = tpm_passthrough_create_desc,
> +    .create                   = tpm_passthrough_create,
> +    .destroy                  = tpm_passthrough_destroy,
> +    .init                     = tpm_passthrough_init,
> +    .startup_tpm              = tpm_passthrough_startup_tpm,
> +    .realloc_buffer           = tpm_passthrough_realloc_buffer,
> +    .reset                    = tpm_passthrough_reset,
> +    .had_startup_error        = tpm_passthrough_get_startup_error,
> +    .deliver_request          = tpm_passthrough_deliver_request,
> +    .get_tpm_established_flag = tpm_passthrough_get_tpm_established_flag,
> +};
> diff --git a/qemu-options.hx b/qemu-options.hx
> index 143d92d..0b9fa0b 100644
> --- a/qemu-options.hx
> +++ b/qemu-options.hx
> @@ -2013,10 +2013,12 @@ ETEXI
>   DEFHEADING()
>
>   #ifdef CONFIG_TPM
> +# ifdef CONFIG_TPM_PASSTHROUGH
>   DEFHEADING(TPM device options:)
>
>   DEF("tpmdev", HAS_ARG, QEMU_OPTION_tpmdev, \
> -    "-tpmdev [<type>],id=str[,option][,option][,...]\n",
> +    "-tpmdev passthrough,id=id[,path=path]\n"
> +    "                use path to provide path to a character device; default is /dev/tpm0\n",
>       QEMU_ARCH_ALL)
>   STEXI
>
> @@ -2026,6 +2028,7 @@ The general form of a TPM device option is:
>   @item -tpmdev @var{backend} ,id=@var{id} [,@var{options}]
>   @findex -tpmdev
>   Backend type must be:
> +@option{passthrough}.
>
>   The specific backend type will determine the applicable options.
>   The @code{-tpmdev} options requires a @code{-device} option.
> @@ -2037,12 +2040,45 @@ Use ? to print all available TPM backend types.
>   qemu -tpmdev ?
>   @end example
>
> +@item -tpmdev passthrough, id=@var{id}, path=@var{path}
> +
> +(Linux-host only) Enable access to the host's TPM using the passthrough
> +driver.
> +
> +@option{path} specifies the path to the host's TPM device, i.e., on
> +a Linux host this would be @code{/dev/tpm0}.
> +@option{path} is optional and by default @code{/dev/tpm0} is used.
> +
> +Some notes about using the host's TPM with the passthrough driver:
> +
> +The TPM device accessed by the passthrough driver must not be
> +used by any other application on the host.
> +
> +Since the host's firmware (BIOS/UEFI) has already initialized the TPM,
> +the VM's firmware (BIOS/UEFI) will not be able to initialize the
> +TPM again and may therefore not show a TPM-specific menu that would
> +otherwise allow the user to configure the TPM, e.g., allow the user to
> +enable/disable or activate/deactivate the TPM.
> +Further, if TPM ownership is released from within a VM then the host's TPM
> +will get disabled and deactivated. To enable and activate the
> +TPM again afterwards, the host has to be rebooted and the user is
> +required to enter the firmware's menu to enable and activate the TPM.
> +If the TPM is left disabled and/or deactivated most TPM commands will fail.
> +
> +To create a passthrough TPM use the following two options:
> +@example
> +-tpmdev passthrough,id=tpm0 -device tpm-tis,tpmdev=tpm0
> +@end example
> +Note that the @code{-tpmdev} id is @code{tpm0} and is referenced by
> +@code{tpmdev=tpm0} in the device option.
> +
>   @end table
>
>   ETEXI
>
>   DEFHEADING()
>
> +# endif
>   #endif
>
>   DEFHEADING(Linux/Multiboot boot specific:)
> diff --git a/tpm.c b/tpm.c
> index 778de42..79530c9 100644
> --- a/tpm.c
> +++ b/tpm.c
> @@ -24,9 +24,26 @@ static QLIST_HEAD(, TPMBackend) tpm_backends =
>   #ifdef CONFIG_TPM
>
>   static const TPMDriverOps *bes[] = {
> +#ifdef CONFIG_TPM_PASSTHROUGH
> +    &tpm_passthrough_driver,
> +#endif
>       NULL,
>   };
>
> +/*
> + * Write an error message in the given output buffer.
> + */
> +void tpm_write_fatal_error_response(uint8_t *out, uint32_t out_len)
> +{
> +    if (out_len >= sizeof(struct tpm_resp_hdr)) {
> +        struct tpm_resp_hdr *resp = (struct tpm_resp_hdr *)out;
> +
> +        resp->tag = cpu_to_be16(TPM_TAG_RSP_COMMAND);
> +        resp->len = cpu_to_be32(sizeof(struct tpm_resp_hdr));
> +        resp->errcode = cpu_to_be32(TPM_FAIL);
> +    }
> +}
> +
>   const TPMDriverOps *tpm_get_backend_driver(const char *id)
>   {
>       int i;
> @@ -182,6 +199,7 @@ static TPMInfo *qmp_query_tpm_inst(TPMBackend *drv)
>       res->id = g_strdup(drv->id);
>       if (drv->path) {
>           res->path = g_strdup(drv->path);
> +        res->has_path = true;
>       }
>       res->type = g_strdup(drv->ops->id);
>
> diff --git a/tpm.h b/tpm.h
> index 7fdd1db..bacaff3 100644
> --- a/tpm.h
> +++ b/tpm.h
> @@ -18,12 +18,18 @@
>   struct TPMDriverOps;
>   typedef struct TPMDriverOps TPMDriverOps;
>
> +typedef struct TPMPassthruState TPMPassthruState;
> +
>   typedef struct TPMBackend {
>       char *id;
>       const char *fe_model;
>       char *path;
>       const TPMDriverOps *ops;
>
> +    union {
> +        TPMPassthruState *tpm_pt;
> +    } s;
> +
>       QLIST_ENTRY(TPMBackend) list;
>   } TPMBackend;
>
> @@ -71,11 +77,38 @@ struct TPMDriverOps {
>
>   #define TPM_DEFAULT_DEVICE_MODEL "tpm-tis"
>
> +struct tpm_req_hdr {
> +    uint16_t tag;
> +    uint32_t len;
> +    uint32_t ordinal;
> +} __attribute__((packed));
> +
> +struct tpm_resp_hdr {
> +    uint16_t tag;
> +    uint32_t len;
> +    uint32_t errcode;
> +} __attribute__((packed));
> +
> +#define TPM_TAG_RQU_COMMAND       0xc1
> +#define TPM_TAG_RQU_AUTH1_COMMAND 0xc2
> +#define TPM_TAG_RQU_AUTH2_COMMAND 0xc3
> +
> +#define TPM_TAG_RSP_COMMAND       0xc4
> +#define TPM_TAG_RSP_AUTH1_COMMAND 0xc5
> +#define TPM_TAG_RSP_AUTH2_COMMAND 0xc6
> +
> +#define TPM_FAIL                  9
> +
> +#define TPM_ORD_GetTicks          0xf1
> +
>   int tpm_config_parse(QemuOptsList *opts_list, const char *optarg);
>   int tpm_init(void);
>   void tpm_cleanup(void);
>   TPMBackend *qemu_find_tpm(const char *id);
>   void tpm_display_backend_drivers(void);
>   const TPMDriverOps *tpm_get_backend_driver(const char *id);
> +void tpm_write_fatal_error_response(uint8_t *out, uint32_t out_len);
> +
> +extern const TPMDriverOps tpm_passthrough_driver;
>
>   #endif /* QEMU_TPM_H */
> diff --git a/vl.c b/vl.c
> index 3e784f5..6928e67 100644
> --- a/vl.c
> +++ b/vl.c
> @@ -2676,11 +2676,13 @@ int main(int argc, char **argv, char **envp)
>                   break;
>               }
>   #ifdef CONFIG_TPM
> +# ifdef CONFIG_TPM_PASSTHROUGH
>               case QEMU_OPTION_tpmdev:
>                   if (tpm_config_parse(qemu_find_opts("tpmdev"), optarg) < 0) {
>                       exit(1);
>                   }
>                   break;
> +# endif
>   #endif
>               case QEMU_OPTION_mempath:
>                   mem_path = optarg;
>
Stefan Berger - Oct. 24, 2012, 7:07 p.m.
On 09/27/2012 10:28 AM, Corey Bryant wrote:
>
>
> On 06/04/2012 03:37 PM, Stefan Berger wrote:
>> +
>> +/* borrowed from qemu-char.c */
>> +static int tpm_passthrough_unix_write(int fd, const uint8_t *buf, 
>> uint32_t len)
>> +{
>> +    return send_all(fd, buf, len);
>> +}
>> +
>> +static int tpm_passthrough_unix_read(int fd, uint8_t *buf, uint32_t 
>> len)
>
> It would probably be useful to other parts of QEMU if you defined this 
> function as recv_all() and put it in qemu-char.c (to correspond with 
> send_all()).
>

Ok. I'd keep this patch to qemu-char.c inside of this patch, though, 
unless someone opposes.

>> +
>> +static int tpm_passthrough_startup_tpm(TPMBackend *tb)
>> +{
>> +    TPMPassthruState *tpm_pt = tb->s.tpm_pt;
>> +    int rc;
>> +
>> +    rc = tpm_passthrough_do_startup_tpm(tb);
>> +    if (rc) {
>> +        tpm_pt->had_startup_error = true;
>
> tpm_passthrough_do_startup_tpm() always returns zero, so 
> had_startup_error will never be set to true.
>

I am consolidating the code into tpm_passthrough_startup_tpm() but let 
that return an int considering that other backend drivers may return an 
error code.

>> +static void tpm_passthrough_reset(TPMBackend *tb)
>> +{
>> +    TPMPassthruState *tpm_pt = tb->s.tpm_pt;
>> +
>> +    dprintf("tpm_passthrough: CALL TO TPM_RESET!\n");
>> +
>> +    tpm_backend_thread_end(&tpm_pt->tbt);
>
> Should the thread be restarted here?
>

No. If the backend needs to be restarted, the frontend will invoke the 
startup_tpm function.


>> +static bool tpm_passthrough_get_tpm_established_flag(TPMBackend *tb)
>> +{
>> +    return false;
>
> Can a T/OS never be established with the passthrough backend?
>

Following the specs, this bit is set when locality 5 is used and a hash 
operation is started. See part 2 of the TPM specs.
The establishment bit could be read from the hardware TPM's permanent 
flags. The question is what it means to show this bit inside the VM. I 
wasn't sure, so I hardcoded it to always return false.

     Stefan

Patch

diff --git a/Makefile.target b/Makefile.target
index cdf108a..ef063c8 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -193,7 +193,8 @@  obj-$(CONFIG_NO_KVM) += kvm-stub.o
 obj-$(CONFIG_VGA) += vga.o
 obj-y += memory.o savevm.o cputlb.o
 obj-y += tpm.o
-obj-$(CONFIG_TPM) += tpm_tis.o
+obj-$(CONFIG_TPM) += tpm_tis.o tpm_backend.o
+obj-$(CONFIG_TPM_PASSTHROUGH) += tpm_passthrough.o
 LIBS+=-lz
 
 obj-i386-$(CONFIG_KVM) += hyperv.o
diff --git a/configure b/configure
index d805c20..804d8c8 100755
--- a/configure
+++ b/configure
@@ -3918,6 +3918,9 @@  fi
 
 if test "$tpm" = "yes"; then
   if test "$target_softmmu" = "yes" ; then
+    if test "$linux" = "yes" ; then
+      echo "CONFIG_TPM_PASSTHROUGH=y" >> $config_host_mak
+    fi
     echo "CONFIG_TPM=y" >> $config_host_mak
   fi
 fi
diff --git a/hw/tpm_backend.c b/hw/tpm_backend.c
new file mode 100644
index 0000000..4cf0809
--- /dev/null
+++ b/hw/tpm_backend.c
@@ -0,0 +1,58 @@ 
+/*
+ *  common TPM backend driver functions
+ *
+ *  Copyright (c) 2012 IBM Corporation
+ *  Authors:
+ *    Stefan Berger <stefanb@us.ibm.com>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>
+ */
+
+#include "tpm.h"
+#include "qemu-thread.h"
+#include "hw/tpm_backend.h"
+
+void tpm_backend_thread_deliver_request(TPMBackendThread *tbt)
+{
+   g_thread_pool_push(tbt->pool, (gpointer)TPM_BACKEND_CMD_PROCESS_CMD, NULL);
+}
+
+void tpm_backend_thread_create(TPMBackendThread *tbt,
+                               GFunc func, gpointer user_data)
+{
+    if (!tbt->pool) {
+        tbt->pool = g_thread_pool_new(func, user_data, 1, TRUE, NULL);
+        g_thread_pool_push(tbt->pool, (gpointer)TPM_BACKEND_CMD_INIT, NULL);
+    }
+}
+
+void tpm_backend_thread_end(TPMBackendThread *tbt)
+{
+    if (tbt->pool) {
+        g_thread_pool_push(tbt->pool, (gpointer)TPM_BACKEND_CMD_END, NULL);
+        g_thread_pool_free(tbt->pool, FALSE, TRUE);
+        tbt->pool = NULL;
+    }
+}
+
+void tpm_backend_thread_tpm_reset(TPMBackendThread *tbt,
+                                  GFunc func, gpointer user_data)
+{
+    if (!tbt->pool) {
+        tpm_backend_thread_create(tbt, func, user_data);
+    } else {
+        g_thread_pool_push(tbt->pool, (gpointer)TPM_BACKEND_CMD_TPM_RESET,
+                           NULL);
+    }
+}
diff --git a/hw/tpm_backend.h b/hw/tpm_backend.h
new file mode 100644
index 0000000..f5fe198
--- /dev/null
+++ b/hw/tpm_backend.h
@@ -0,0 +1,43 @@ 
+/*
+ *  common TPM backend driver functions
+ *
+ *  Copyright (c) 2012 IBM Corporation
+ *  Authors:
+ *    Stefan Berger <stefanb@us.ibm.com>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>
+ */
+
+#ifndef HW_TPM_BACKEND_H
+#define HW_TPM_BACKEND_H
+
+typedef struct TPMBackendThread {
+    GThreadPool *pool;
+} TPMBackendThread;
+
+void tpm_backend_thread_deliver_request(TPMBackendThread *tbt);
+void tpm_backend_thread_create(TPMBackendThread *tbt,
+                               GFunc func, gpointer user_data);
+void tpm_backend_thread_end(TPMBackendThread *tbt);
+void tpm_backend_thread_tpm_reset(TPMBackendThread *tbt,
+                                  GFunc func, gpointer user_data);
+
+typedef enum TPMBackendCmd {
+    TPM_BACKEND_CMD_INIT = 1,
+    TPM_BACKEND_CMD_PROCESS_CMD,
+    TPM_BACKEND_CMD_END,
+    TPM_BACKEND_CMD_TPM_RESET,
+} TPMBackendCmd;
+
+#endif /* HW_TPM_BACKEND_H */
diff --git a/hw/tpm_passthrough.c b/hw/tpm_passthrough.c
new file mode 100644
index 0000000..8914705
--- /dev/null
+++ b/hw/tpm_passthrough.c
@@ -0,0 +1,398 @@ 
+/*
+ *  passthrough TPM driver
+ *
+ *  Copyright (c) 2010, 2011 IBM Corporation
+ *  Authors:
+ *    Stefan Berger <stefanb@us.ibm.com>
+ *
+ *  Copyright (C) 2011 IAIK, Graz University of Technology
+ *    Author: Andreas Niederl
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>
+ */
+
+#include "qemu-common.h"
+#include "qemu-error.h"
+#include "qemu_socket.h"
+#include "tpm.h"
+#include "hw/hw.h"
+#include "hw/tpm_tis.h"
+#include "hw/tpm_backend.h"
+#include "hw/pc.h"
+
+/* #define DEBUG_TPM */
+
+#ifdef DEBUG_TPM
+#define dprintf(fmt, ...) \
+    do { fprintf(stderr, fmt, ## __VA_ARGS__); } while (0)
+#else
+#define dprintf(fmt, ...) \
+    do { } while (0)
+#endif
+
+/* data structures */
+
+typedef struct TPMPassthruThreadParams {
+    TPMState *tpm_state;
+
+    TPMRecvDataCB *recv_data_callback;
+    TPMBackend *tb;
+} TPMPassthruThreadParams;
+
+struct TPMPassthruState {
+    TPMBackendThread tbt;
+
+    TPMPassthruThreadParams tpm_thread_params;
+
+    char *tpm_dev;
+    int tpm_fd;
+    bool had_startup_error;
+};
+
+#define TPM_PASSTHROUGH_DEFAULT_DEVICE "/dev/tpm0"
+
+/* borrowed from qemu-char.c */
+static int tpm_passthrough_unix_write(int fd, const uint8_t *buf, uint32_t len)
+{
+    return send_all(fd, buf, len);
+}
+
+static int tpm_passthrough_unix_read(int fd, uint8_t *buf, uint32_t len)
+{
+    int ret, len1;
+    uint8_t *buf1;
+
+    len1 = len;
+    buf1 = buf;
+    while ((len1 > 0) && (ret = read(fd, buf1, len1)) != 0) {
+        if (ret < 0) {
+            if (errno != EINTR && errno != EAGAIN) {
+                return -1;
+            }
+        } else {
+            buf1 += ret;
+            len1 -= ret;
+        }
+    }
+    return len - len1;
+}
+
+static uint32_t tpm_passthrough_get_size_from_buffer(const uint8_t *buf)
+{
+    return be32_to_cpu(*(uint32_t *)&buf[2]);
+}
+
+static int tpm_passthrough_unix_tx_bufs(int tpm_fd,
+                                        const uint8_t *in, uint32_t in_len,
+                                        uint8_t *out, uint32_t out_len)
+{
+    int ret;
+
+    ret = tpm_passthrough_unix_write(tpm_fd, in, in_len);
+    if (ret != in_len) {
+        error_report("tpm_passthrough: error while transmitting data "
+                     "to TPM: %s (%i)\n",
+                     strerror(errno), errno);
+        goto err_exit;
+    }
+
+    ret = tpm_passthrough_unix_read(tpm_fd, out, out_len);
+    if (ret < 0) {
+        error_report("tpm_passthrough: error while reading data from "
+                     "TPM: %s (%i)\n",
+                     strerror(errno), errno);
+    } else if (ret < sizeof(struct tpm_resp_hdr) ||
+               tpm_passthrough_get_size_from_buffer(out) != ret) {
+        ret = -1;
+        error_report("tpm_passthrough: received invalid response "
+                     "packet from TPM\n");
+    }
+
+err_exit:
+    if (ret < 0) {
+        tpm_write_fatal_error_response(out, out_len);
+    }
+
+    return ret;
+}
+
+static int tpm_passthrough_unix_transfer(int tpm_fd,
+                                         const TPMLocality *cmd_locty)
+{
+    return tpm_passthrough_unix_tx_bufs(tpm_fd,
+                                        cmd_locty->w_buffer.buffer,
+                                        cmd_locty->w_offset,
+                                        cmd_locty->r_buffer.buffer,
+                                        cmd_locty->r_buffer.size);
+}
+
+static void tpm_passthrough_worker_thread(gpointer data,
+                                          gpointer user_data)
+{
+    TPMPassthruThreadParams *thr_parms = user_data;
+    TPMPassthruState *tpm_pt = thr_parms->tb->s.tpm_pt;
+    TPMBackendCmd cmd = (TPMBackendCmd)data;
+
+    dprintf("tpm_passthrough: processing command type %ld\n", cmd);
+
+    switch (cmd) {
+    case TPM_BACKEND_CMD_PROCESS_CMD:
+        tpm_passthrough_unix_transfer(tpm_pt->tpm_fd,
+                                      thr_parms->tpm_state->cmd_locty);
+
+        thr_parms->recv_data_callback(thr_parms->tpm_state,
+                                      thr_parms->tpm_state->command_locty);
+        break;
+    case TPM_BACKEND_CMD_INIT:
+    case TPM_BACKEND_CMD_END:
+    case TPM_BACKEND_CMD_TPM_RESET:
+        /* nothing to do */
+        break;
+    }
+}
+
+/*
+ * Start the TPM (thread). If it had been started before, then terminate
+ * and start it again.
+ */
+static int tpm_passthrough_do_startup_tpm(TPMBackend *tb)
+{
+    TPMPassthruState *tpm_pt = tb->s.tpm_pt;
+
+    /* terminate a running TPM */
+    tpm_backend_thread_end(&tpm_pt->tbt);
+
+    tpm_backend_thread_create(&tpm_pt->tbt,
+                              tpm_passthrough_worker_thread,
+                              &tb->s.tpm_pt->tpm_thread_params);
+
+    return 0;
+}
+
+static int tpm_passthrough_startup_tpm(TPMBackend *tb)
+{
+    TPMPassthruState *tpm_pt = tb->s.tpm_pt;
+    int rc;
+
+    rc = tpm_passthrough_do_startup_tpm(tb);
+    if (rc) {
+        tpm_pt->had_startup_error = true;
+    }
+    return rc;
+}
+
+static void tpm_passthrough_reset(TPMBackend *tb)
+{
+    TPMPassthruState *tpm_pt = tb->s.tpm_pt;
+
+    dprintf("tpm_passthrough: CALL TO TPM_RESET!\n");
+
+    tpm_backend_thread_end(&tpm_pt->tbt);
+
+    tpm_pt->had_startup_error = false;
+}
+
+static int tpm_passthrough_init(TPMBackend *tb, TPMState *s,
+                                TPMRecvDataCB *recv_data_cb)
+{
+    TPMPassthruState *tpm_pt = tb->s.tpm_pt;
+
+    tpm_pt->tpm_thread_params.tpm_state = s;
+    tpm_pt->tpm_thread_params.recv_data_callback = recv_data_cb;
+    tpm_pt->tpm_thread_params.tb = tb;
+
+    return 0;
+}
+
+static bool tpm_passthrough_get_tpm_established_flag(TPMBackend *tb)
+{
+    return false;
+}
+
+static bool tpm_passthrough_get_startup_error(TPMBackend *tb)
+{
+    TPMPassthruState *tpm_pt = tb->s.tpm_pt;
+
+    return tpm_pt->had_startup_error;
+}
+
+static size_t tpm_passthrough_realloc_buffer(TPMSizedBuffer *sb)
+{
+    size_t wanted_size = 4096; /* Linux tpm.c buffer size */
+
+    if (sb->size != wanted_size) {
+        sb->buffer = g_realloc(sb->buffer, wanted_size);
+        sb->size = wanted_size;
+    }
+    return sb->size;
+}
+
+static void tpm_passthrough_deliver_request(TPMBackend *tb)
+{
+    TPMPassthruState *tpm_pt = tb->s.tpm_pt;
+
+    tpm_backend_thread_deliver_request(&tpm_pt->tbt);
+}
+
+static const char *tpm_passthrough_create_desc(void)
+{
+    return "Passthrough TPM backend driver";
+}
+
+/*
+ * A basic test of a TPM device. We expect a well formatted response header
+ * (error response is fine) within one second.
+ */
+static int tpm_passthrough_test_tpmdev(int fd)
+{
+    struct tpm_req_hdr req = {
+        .tag = cpu_to_be16(TPM_TAG_RQU_COMMAND),
+        .len = cpu_to_be32(sizeof(req)),
+        .ordinal = cpu_to_be32(TPM_ORD_GetTicks),
+    };
+    struct tpm_resp_hdr *resp;
+    fd_set readfds;
+    int n;
+    struct timeval tv = {
+        .tv_sec = 1,
+        .tv_usec = 0,
+    };
+    unsigned char buf[1024];
+
+    n = write(fd, &req, sizeof(req));
+    if (n < 0) {
+        return errno;
+    }
+    if (n != sizeof(req)) {
+        return EFAULT;
+    }
+
+    FD_ZERO(&readfds);
+    FD_SET(fd, &readfds);
+
+    /* wait for a second */
+    n = select(fd + 1, &readfds, NULL, NULL, &tv);
+    if (n != 1) {
+        return errno;
+    }
+
+    n = read(fd, &buf, sizeof(buf));
+    if (n < sizeof(struct tpm_resp_hdr)) {
+        return EFAULT;
+    }
+
+    resp = (struct tpm_resp_hdr *)buf;
+    /* check the header */
+    if (be16_to_cpu(resp->tag) != TPM_TAG_RSP_COMMAND ||
+        be32_to_cpu(resp->len) != n) {
+        return EBADMSG;
+    }
+
+    return 0;
+}
+
+static int tpm_passthrough_handle_device_opts(QemuOpts *opts, TPMBackend *tb)
+{
+    const char *value;
+
+    value = qemu_opt_get(opts, "path");
+    if (!value) {
+        value = TPM_PASSTHROUGH_DEFAULT_DEVICE;
+    }
+
+    tb->s.tpm_pt->tpm_dev = g_strdup(value);
+
+    tb->path = g_strdup(tb->s.tpm_pt->tpm_dev);
+
+    tb->s.tpm_pt->tpm_fd = open(tb->s.tpm_pt->tpm_dev, O_RDWR);
+    if (tb->s.tpm_pt->tpm_fd < 0) {
+        error_report("Cannot access TPM device using '%s'.\n",
+                     tb->s.tpm_pt->tpm_dev);
+        goto err_free_parameters;
+    }
+
+    if (tpm_passthrough_test_tpmdev(tb->s.tpm_pt->tpm_fd)) {
+        error_report("'%s' is not a TPM device.\n",
+                     tb->s.tpm_pt->tpm_dev);
+        goto err_close_tpmdev;
+    }
+
+    return 0;
+
+ err_close_tpmdev:
+    close(tb->s.tpm_pt->tpm_fd);
+    tb->s.tpm_pt->tpm_fd = -1;
+
+ err_free_parameters:
+    g_free(tb->path);
+    tb->path = NULL;
+
+    g_free(tb->s.tpm_pt->tpm_dev);
+    tb->s.tpm_pt->tpm_dev = NULL;
+
+    return 1;
+}
+
+static TPMBackend *tpm_passthrough_create(QemuOpts *opts, const char *id)
+{
+    TPMBackend *tb;
+
+    tb = g_new0(TPMBackend, 1);
+    tb->s.tpm_pt = g_new0(TPMPassthruState, 1);
+    tb->id = g_strdup(id);
+
+    tb->ops = &tpm_passthrough_driver;
+
+    if (tpm_passthrough_handle_device_opts(opts, tb)) {
+        goto err_exit;
+    }
+
+    return tb;
+
+err_exit:
+    g_free(tb->id);
+    g_free(tb->s.tpm_pt);
+    g_free(tb);
+
+    return NULL;
+}
+
+static void tpm_passthrough_destroy(TPMBackend *tb)
+{
+    TPMPassthruState *tpm_pt = tb->s.tpm_pt;
+
+    tpm_backend_thread_end(&tpm_pt->tbt);
+
+    close(tpm_pt->tpm_fd);
+
+    g_free(tb->id);
+    g_free(tb->path);
+    g_free(tb->s.tpm_pt->tpm_dev);
+    g_free(tb->s.tpm_pt);
+    g_free(tb);
+}
+
+const TPMDriverOps tpm_passthrough_driver = {
+    .id                       = "passthrough",
+    .desc                     = tpm_passthrough_create_desc,
+    .create                   = tpm_passthrough_create,
+    .destroy                  = tpm_passthrough_destroy,
+    .init                     = tpm_passthrough_init,
+    .startup_tpm              = tpm_passthrough_startup_tpm,
+    .realloc_buffer           = tpm_passthrough_realloc_buffer,
+    .reset                    = tpm_passthrough_reset,
+    .had_startup_error        = tpm_passthrough_get_startup_error,
+    .deliver_request          = tpm_passthrough_deliver_request,
+    .get_tpm_established_flag = tpm_passthrough_get_tpm_established_flag,
+};
diff --git a/qemu-options.hx b/qemu-options.hx
index 143d92d..0b9fa0b 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -2013,10 +2013,12 @@  ETEXI
 DEFHEADING()
 
 #ifdef CONFIG_TPM
+# ifdef CONFIG_TPM_PASSTHROUGH
 DEFHEADING(TPM device options:)
 
 DEF("tpmdev", HAS_ARG, QEMU_OPTION_tpmdev, \
-    "-tpmdev [<type>],id=str[,option][,option][,...]\n",
+    "-tpmdev passthrough,id=id[,path=path]\n"
+    "                use path to provide path to a character device; default is /dev/tpm0\n",
     QEMU_ARCH_ALL)
 STEXI
 
@@ -2026,6 +2028,7 @@  The general form of a TPM device option is:
 @item -tpmdev @var{backend} ,id=@var{id} [,@var{options}]
 @findex -tpmdev
 Backend type must be:
+@option{passthrough}.
 
 The specific backend type will determine the applicable options.
 The @code{-tpmdev} options requires a @code{-device} option.
@@ -2037,12 +2040,45 @@  Use ? to print all available TPM backend types.
 qemu -tpmdev ?
 @end example
 
+@item -tpmdev passthrough, id=@var{id}, path=@var{path}
+
+(Linux-host only) Enable access to the host's TPM using the passthrough
+driver.
+
+@option{path} specifies the path to the host's TPM device, i.e., on
+a Linux host this would be @code{/dev/tpm0}.
+@option{path} is optional and by default @code{/dev/tpm0} is used.
+
+Some notes about using the host's TPM with the passthrough driver:
+
+The TPM device accessed by the passthrough driver must not be
+used by any other application on the host.
+
+Since the host's firmware (BIOS/UEFI) has already initialized the TPM,
+the VM's firmware (BIOS/UEFI) will not be able to initialize the
+TPM again and may therefore not show a TPM-specific menu that would
+otherwise allow the user to configure the TPM, e.g., allow the user to
+enable/disable or activate/deactivate the TPM.
+Further, if TPM ownership is released from within a VM then the host's TPM
+will get disabled and deactivated. To enable and activate the
+TPM again afterwards, the host has to be rebooted and the user is
+required to enter the firmware's menu to enable and activate the TPM.
+If the TPM is left disabled and/or deactivated most TPM commands will fail.
+
+To create a passthrough TPM use the following two options:
+@example
+-tpmdev passthrough,id=tpm0 -device tpm-tis,tpmdev=tpm0
+@end example
+Note that the @code{-tpmdev} id is @code{tpm0} and is referenced by
+@code{tpmdev=tpm0} in the device option.
+
 @end table
 
 ETEXI
 
 DEFHEADING()
 
+# endif
 #endif
 
 DEFHEADING(Linux/Multiboot boot specific:)
diff --git a/tpm.c b/tpm.c
index 778de42..79530c9 100644
--- a/tpm.c
+++ b/tpm.c
@@ -24,9 +24,26 @@  static QLIST_HEAD(, TPMBackend) tpm_backends =
 #ifdef CONFIG_TPM
 
 static const TPMDriverOps *bes[] = {
+#ifdef CONFIG_TPM_PASSTHROUGH
+    &tpm_passthrough_driver,
+#endif
     NULL,
 };
 
+/*
+ * Write an error message in the given output buffer.
+ */
+void tpm_write_fatal_error_response(uint8_t *out, uint32_t out_len)
+{
+    if (out_len >= sizeof(struct tpm_resp_hdr)) {
+        struct tpm_resp_hdr *resp = (struct tpm_resp_hdr *)out;
+
+        resp->tag = cpu_to_be16(TPM_TAG_RSP_COMMAND);
+        resp->len = cpu_to_be32(sizeof(struct tpm_resp_hdr));
+        resp->errcode = cpu_to_be32(TPM_FAIL);
+    }
+}
+
 const TPMDriverOps *tpm_get_backend_driver(const char *id)
 {
     int i;
@@ -182,6 +199,7 @@  static TPMInfo *qmp_query_tpm_inst(TPMBackend *drv)
     res->id = g_strdup(drv->id);
     if (drv->path) {
         res->path = g_strdup(drv->path);
+        res->has_path = true;
     }
     res->type = g_strdup(drv->ops->id);
 
diff --git a/tpm.h b/tpm.h
index 7fdd1db..bacaff3 100644
--- a/tpm.h
+++ b/tpm.h
@@ -18,12 +18,18 @@ 
 struct TPMDriverOps;
 typedef struct TPMDriverOps TPMDriverOps;
 
+typedef struct TPMPassthruState TPMPassthruState;
+
 typedef struct TPMBackend {
     char *id;
     const char *fe_model;
     char *path;
     const TPMDriverOps *ops;
 
+    union {
+        TPMPassthruState *tpm_pt;
+    } s;
+
     QLIST_ENTRY(TPMBackend) list;
 } TPMBackend;
 
@@ -71,11 +77,38 @@  struct TPMDriverOps {
 
 #define TPM_DEFAULT_DEVICE_MODEL "tpm-tis"
 
+struct tpm_req_hdr {
+    uint16_t tag;
+    uint32_t len;
+    uint32_t ordinal;
+} __attribute__((packed));
+
+struct tpm_resp_hdr {
+    uint16_t tag;
+    uint32_t len;
+    uint32_t errcode;
+} __attribute__((packed));
+
+#define TPM_TAG_RQU_COMMAND       0xc1
+#define TPM_TAG_RQU_AUTH1_COMMAND 0xc2
+#define TPM_TAG_RQU_AUTH2_COMMAND 0xc3
+
+#define TPM_TAG_RSP_COMMAND       0xc4
+#define TPM_TAG_RSP_AUTH1_COMMAND 0xc5
+#define TPM_TAG_RSP_AUTH2_COMMAND 0xc6
+
+#define TPM_FAIL                  9
+
+#define TPM_ORD_GetTicks          0xf1
+
 int tpm_config_parse(QemuOptsList *opts_list, const char *optarg);
 int tpm_init(void);
 void tpm_cleanup(void);
 TPMBackend *qemu_find_tpm(const char *id);
 void tpm_display_backend_drivers(void);
 const TPMDriverOps *tpm_get_backend_driver(const char *id);
+void tpm_write_fatal_error_response(uint8_t *out, uint32_t out_len);
+
+extern const TPMDriverOps tpm_passthrough_driver;
 
 #endif /* QEMU_TPM_H */
diff --git a/vl.c b/vl.c
index 3e784f5..6928e67 100644
--- a/vl.c
+++ b/vl.c
@@ -2676,11 +2676,13 @@  int main(int argc, char **argv, char **envp)
                 break;
             }
 #ifdef CONFIG_TPM
+# ifdef CONFIG_TPM_PASSTHROUGH
             case QEMU_OPTION_tpmdev:
                 if (tpm_config_parse(qemu_find_opts("tpmdev"), optarg) < 0) {
                     exit(1);
                 }
                 break;
+# endif
 #endif
             case QEMU_OPTION_mempath:
                 mem_path = optarg;