[U-BOOT-TEST-HOOKS,1/1] Enable TPMv2 emulation

Provide a QEMU helper script to launch swtpm and add extra parameters to
conf.qemu_arm64_na and conf.qemu_arm_na to provide an emulated TPMv2.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
---
 bin/qemu.swtpm                   | 19 +++++++++++++++++++
 bin/travis-ci/conf.qemu_arm64_na |  3 ++-
 bin/travis-ci/conf.qemu_arm_na   |  3 ++-
 3 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100755 bin/qemu.swtpm

Hi Heinrich,

On Mon, 15 Nov 2021 at 12:11, Heinrich Schuchardt
<heinrich.schuchardt@canonical.com> wrote:
>
> Provide a QEMU helper script to launch swtpm and add extra parameters to
> conf.qemu_arm64_na and conf.qemu_arm_na to provide an emulated TPMv2.
>
> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
> ---
>  bin/qemu.swtpm                   | 19 +++++++++++++++++++
>  bin/travis-ci/conf.qemu_arm64_na |  3 ++-
>  bin/travis-ci/conf.qemu_arm_na   |  3 ++-
>  3 files changed, 23 insertions(+), 2 deletions(-)
>  create mode 100755 bin/qemu.swtpm
>
> diff --git a/bin/qemu.swtpm b/bin/qemu.swtpm
> new file mode 100755
> index 0000000..089feba
> --- /dev/null
> +++ b/bin/qemu.swtpm
> @@ -0,0 +1,19 @@
> +#!/bin/sh
> +# SPDX-License-Identifier: BSD-2
> +#
> +# This script launches swtpm to emulate a TPMv2. The parameter -t makes it
> +# unload when the connection to QEMU is terminated. To make use of it add
> +#
> +#     qemu_helper_script="swtpm"
> +#
> +# to the board script and the following arguments to qemu_extra_args
> +#
> +#     -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock \
> +#     -tpmdev emulator,id=tpm0,chardev=chrtpm \
> +#     -device tpm-tis-device,tpmdev=tpm0
> +#
> +# U-Boot must be built with CONFIG_TPM2_MMIO=y.
> +
> +mkdir -p /tmp/tpm
> +swtpm socket -t --tpmstate dir=/tmp/tpm --tpm2 \
> +--ctrl type=unixio,path=/tmp/tpm/swtpm-sock &

Nit pick the & can be '-d'

> diff --git a/bin/travis-ci/conf.qemu_arm64_na b/bin/travis-ci/conf.qemu_arm64_na
> index e7c9426..14577d8 100644
> --- a/bin/travis-ci/conf.qemu_arm64_na
> +++ b/bin/travis-ci/conf.qemu_arm64_na
> @@ -22,8 +22,9 @@
>
>  console_impl=qemu
>  qemu_machine="virt"
> +qemu_helper_script="swtpm"
>  qemu_binary="qemu-system-aarch64"
> -qemu_extra_args="-cpu cortex-a57 -nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci"
> +qemu_extra_args="-cpu cortex-a57 -nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0"
>  qemu_kernel_args="-bios ${U_BOOT_BUILD_DIR}/u-boot.bin"
>  reset_impl=none
>  flash_impl=none
> diff --git a/bin/travis-ci/conf.qemu_arm_na b/bin/travis-ci/conf.qemu_arm_na
> index 0f07c80..de0694d 100644
> --- a/bin/travis-ci/conf.qemu_arm_na
> +++ b/bin/travis-ci/conf.qemu_arm_na
> @@ -22,8 +22,9 @@
>
>  console_impl=qemu
>  qemu_machine="virt"
> +qemu_helper_script="swtpm"
>  qemu_binary="qemu-system-arm"
> -qemu_extra_args="-nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci"
> +qemu_extra_args="-nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0"

Just a note here 'tpm-tis-device' works for arm.  If we evenr need
this on x86 it's 'tpm-tis' ....

>  qemu_kernel_args="-bios ${U_BOOT_BUILD_DIR}/u-boot.bin"
>  reset_impl=none
>  flash_impl=none
> --
> 2.32.0
>

Other than that
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

On 11/24/21 08:23, Ilias Apalodimas wrote:
> Hi Heinrich,
> 
> On Mon, 15 Nov 2021 at 12:11, Heinrich Schuchardt
> <heinrich.schuchardt@canonical.com> wrote:
>>
>> Provide a QEMU helper script to launch swtpm and add extra parameters to
>> conf.qemu_arm64_na and conf.qemu_arm_na to provide an emulated TPMv2.
>>
>> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
>> ---
>>   bin/qemu.swtpm                   | 19 +++++++++++++++++++
>>   bin/travis-ci/conf.qemu_arm64_na |  3 ++-
>>   bin/travis-ci/conf.qemu_arm_na   |  3 ++-
>>   3 files changed, 23 insertions(+), 2 deletions(-)
>>   create mode 100755 bin/qemu.swtpm
>>
>> diff --git a/bin/qemu.swtpm b/bin/qemu.swtpm
>> new file mode 100755
>> index 0000000..089feba
>> --- /dev/null
>> +++ b/bin/qemu.swtpm
>> @@ -0,0 +1,19 @@
>> +#!/bin/sh
>> +# SPDX-License-Identifier: BSD-2
>> +#
>> +# This script launches swtpm to emulate a TPMv2. The parameter -t makes it
>> +# unload when the connection to QEMU is terminated. To make use of it add
>> +#
>> +#     qemu_helper_script="swtpm"
>> +#
>> +# to the board script and the following arguments to qemu_extra_args
>> +#
>> +#     -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock \
>> +#     -tpmdev emulator,id=tpm0,chardev=chrtpm \
>> +#     -device tpm-tis-device,tpmdev=tpm0
>> +#
>> +# U-Boot must be built with CONFIG_TPM2_MMIO=y.
>> +
>> +mkdir -p /tmp/tpm
>> +swtpm socket -t --tpmstate dir=/tmp/tpm --tpm2 \
>> +--ctrl type=unixio,path=/tmp/tpm/swtpm-sock &
> 
> Nit pick the & can be '-d'

Daemonizing will ensure that we don't get console output. I will change 
this.

> 
>> diff --git a/bin/travis-ci/conf.qemu_arm64_na b/bin/travis-ci/conf.qemu_arm64_na
>> index e7c9426..14577d8 100644
>> --- a/bin/travis-ci/conf.qemu_arm64_na
>> +++ b/bin/travis-ci/conf.qemu_arm64_na
>> @@ -22,8 +22,9 @@
>>
>>   console_impl=qemu
>>   qemu_machine="virt"
>> +qemu_helper_script="swtpm"
>>   qemu_binary="qemu-system-aarch64"
>> -qemu_extra_args="-cpu cortex-a57 -nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci"
>> +qemu_extra_args="-cpu cortex-a57 -nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0"
>>   qemu_kernel_args="-bios ${U_BOOT_BUILD_DIR}/u-boot.bin"
>>   reset_impl=none
>>   flash_impl=none
>> diff --git a/bin/travis-ci/conf.qemu_arm_na b/bin/travis-ci/conf.qemu_arm_na
>> index 0f07c80..de0694d 100644
>> --- a/bin/travis-ci/conf.qemu_arm_na
>> +++ b/bin/travis-ci/conf.qemu_arm_na
>> @@ -22,8 +22,9 @@
>>
>>   console_impl=qemu
>>   qemu_machine="virt"
>> +qemu_helper_script="swtpm"
>>   qemu_binary="qemu-system-arm"
>> -qemu_extra_args="-nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci"
>> +qemu_extra_args="-nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0"
> 
> Just a note here 'tpm-tis-device' works for arm.  If we evenr need
> this on x86 it's 'tpm-tis' ....

This file is ARM specific.

Best regards

Heinrich

> 
>>   qemu_kernel_args="-bios ${U_BOOT_BUILD_DIR}/u-boot.bin"
>>   reset_impl=none
>>   flash_impl=none
>> --
>> 2.32.0
>>
> 
> Other than that
> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
>

On Wed, Nov 24, 2021 at 08:33:42AM +0100, Heinrich Schuchardt wrote:
> On 11/24/21 08:23, Ilias Apalodimas wrote:
> > Hi Heinrich,
> > 
> > On Mon, 15 Nov 2021 at 12:11, Heinrich Schuchardt
> > <heinrich.schuchardt@canonical.com> wrote:
> > > 
> > > Provide a QEMU helper script to launch swtpm and add extra parameters to
> > > conf.qemu_arm64_na and conf.qemu_arm_na to provide an emulated TPMv2.
> > > 
> > > Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
> > > ---
> > >   bin/qemu.swtpm                   | 19 +++++++++++++++++++
> > >   bin/travis-ci/conf.qemu_arm64_na |  3 ++-
> > >   bin/travis-ci/conf.qemu_arm_na   |  3 ++-
> > >   3 files changed, 23 insertions(+), 2 deletions(-)
> > >   create mode 100755 bin/qemu.swtpm
> > > 
> > > diff --git a/bin/qemu.swtpm b/bin/qemu.swtpm
> > > new file mode 100755
> > > index 0000000..089feba
> > > --- /dev/null
> > > +++ b/bin/qemu.swtpm
> > > @@ -0,0 +1,19 @@
> > > +#!/bin/sh
> > > +# SPDX-License-Identifier: BSD-2
> > > +#
> > > +# This script launches swtpm to emulate a TPMv2. The parameter -t makes it
> > > +# unload when the connection to QEMU is terminated. To make use of it add
> > > +#
> > > +#     qemu_helper_script="swtpm"
> > > +#
> > > +# to the board script and the following arguments to qemu_extra_args
> > > +#
> > > +#     -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock \
> > > +#     -tpmdev emulator,id=tpm0,chardev=chrtpm \
> > > +#     -device tpm-tis-device,tpmdev=tpm0
> > > +#
> > > +# U-Boot must be built with CONFIG_TPM2_MMIO=y.
> > > +
> > > +mkdir -p /tmp/tpm
> > > +swtpm socket -t --tpmstate dir=/tmp/tpm --tpm2 \
> > > +--ctrl type=unixio,path=/tmp/tpm/swtpm-sock &
> > 
> > Nit pick the & can be '-d'
> 
> Daemonizing will ensure that we don't get console output. I will change
> this.
> 
> > 
> > > diff --git a/bin/travis-ci/conf.qemu_arm64_na b/bin/travis-ci/conf.qemu_arm64_na
> > > index e7c9426..14577d8 100644
> > > --- a/bin/travis-ci/conf.qemu_arm64_na
> > > +++ b/bin/travis-ci/conf.qemu_arm64_na
> > > @@ -22,8 +22,9 @@
> > > 
> > >   console_impl=qemu
> > >   qemu_machine="virt"
> > > +qemu_helper_script="swtpm"
> > >   qemu_binary="qemu-system-aarch64"
> > > -qemu_extra_args="-cpu cortex-a57 -nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci"
> > > +qemu_extra_args="-cpu cortex-a57 -nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0"
> > >   qemu_kernel_args="-bios ${U_BOOT_BUILD_DIR}/u-boot.bin"
> > >   reset_impl=none
> > >   flash_impl=none
> > > diff --git a/bin/travis-ci/conf.qemu_arm_na b/bin/travis-ci/conf.qemu_arm_na
> > > index 0f07c80..de0694d 100644
> > > --- a/bin/travis-ci/conf.qemu_arm_na
> > > +++ b/bin/travis-ci/conf.qemu_arm_na
> > > @@ -22,8 +22,9 @@
> > > 
> > >   console_impl=qemu
> > >   qemu_machine="virt"
> > > +qemu_helper_script="swtpm"
> > >   qemu_binary="qemu-system-arm"
> > > -qemu_extra_args="-nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci"
> > > +qemu_extra_args="-nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0"
> > 
> > Just a note here 'tpm-tis-device' works for arm.  If we evenr need
> > this on x86 it's 'tpm-tis' ....
> 
> This file is ARM specific.

Sure, but it's worth noting since if we can also use these features and
tests on qemu-x86_64 we should.  Doesn't need to be to start with tho.
And I will apply this shortly.

On 11/27/21 02:38, Tom Rini wrote:
> On Wed, Nov 24, 2021 at 08:33:42AM +0100, Heinrich Schuchardt wrote:
>> On 11/24/21 08:23, Ilias Apalodimas wrote:
>>> Hi Heinrich,
>>>
>>> On Mon, 15 Nov 2021 at 12:11, Heinrich Schuchardt
>>> <heinrich.schuchardt@canonical.com> wrote:
>>>>
>>>> Provide a QEMU helper script to launch swtpm and add extra parameters to
>>>> conf.qemu_arm64_na and conf.qemu_arm_na to provide an emulated TPMv2.
>>>>
>>>> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
>>>> ---
>>>>    bin/qemu.swtpm                   | 19 +++++++++++++++++++
>>>>    bin/travis-ci/conf.qemu_arm64_na |  3 ++-
>>>>    bin/travis-ci/conf.qemu_arm_na   |  3 ++-
>>>>    3 files changed, 23 insertions(+), 2 deletions(-)
>>>>    create mode 100755 bin/qemu.swtpm
>>>>
>>>> diff --git a/bin/qemu.swtpm b/bin/qemu.swtpm
>>>> new file mode 100755
>>>> index 0000000..089feba
>>>> --- /dev/null
>>>> +++ b/bin/qemu.swtpm
>>>> @@ -0,0 +1,19 @@
>>>> +#!/bin/sh
>>>> +# SPDX-License-Identifier: BSD-2
>>>> +#
>>>> +# This script launches swtpm to emulate a TPMv2. The parameter -t makes it
>>>> +# unload when the connection to QEMU is terminated. To make use of it add
>>>> +#
>>>> +#     qemu_helper_script="swtpm"
>>>> +#
>>>> +# to the board script and the following arguments to qemu_extra_args
>>>> +#
>>>> +#     -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock \
>>>> +#     -tpmdev emulator,id=tpm0,chardev=chrtpm \
>>>> +#     -device tpm-tis-device,tpmdev=tpm0
>>>> +#
>>>> +# U-Boot must be built with CONFIG_TPM2_MMIO=y.
>>>> +
>>>> +mkdir -p /tmp/tpm
>>>> +swtpm socket -t --tpmstate dir=/tmp/tpm --tpm2 \
>>>> +--ctrl type=unixio,path=/tmp/tpm/swtpm-sock &
>>>
>>> Nit pick the & can be '-d'
>>
>> Daemonizing will ensure that we don't get console output. I will change
>> this.
>>
>>>
>>>> diff --git a/bin/travis-ci/conf.qemu_arm64_na b/bin/travis-ci/conf.qemu_arm64_na
>>>> index e7c9426..14577d8 100644
>>>> --- a/bin/travis-ci/conf.qemu_arm64_na
>>>> +++ b/bin/travis-ci/conf.qemu_arm64_na
>>>> @@ -22,8 +22,9 @@
>>>>
>>>>    console_impl=qemu
>>>>    qemu_machine="virt"
>>>> +qemu_helper_script="swtpm"
>>>>    qemu_binary="qemu-system-aarch64"
>>>> -qemu_extra_args="-cpu cortex-a57 -nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci"
>>>> +qemu_extra_args="-cpu cortex-a57 -nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0"
>>>>    qemu_kernel_args="-bios ${U_BOOT_BUILD_DIR}/u-boot.bin"
>>>>    reset_impl=none
>>>>    flash_impl=none
>>>> diff --git a/bin/travis-ci/conf.qemu_arm_na b/bin/travis-ci/conf.qemu_arm_na
>>>> index 0f07c80..de0694d 100644
>>>> --- a/bin/travis-ci/conf.qemu_arm_na
>>>> +++ b/bin/travis-ci/conf.qemu_arm_na
>>>> @@ -22,8 +22,9 @@
>>>>
>>>>    console_impl=qemu
>>>>    qemu_machine="virt"
>>>> +qemu_helper_script="swtpm"
>>>>    qemu_binary="qemu-system-arm"
>>>> -qemu_extra_args="-nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci"
>>>> +qemu_extra_args="-nographic -netdev user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 -device virtio-rng-pci -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis-device,tpmdev=tpm0"
>>>
>>> Just a note here 'tpm-tis-device' works for arm.  If we evenr need
>>> this on x86 it's 'tpm-tis' ....
>>
>> This file is ARM specific.
> 
> Sure, but it's worth noting since if we can also use these features and
> tests on qemu-x86_64 we should.  Doesn't need to be to start with tho.
> And I will apply this shortly.
> 

The current version of this patch is:

[v2,1/1] Enable TPMv2 emulation
https://patchwork.ozlabs.org/project/uboot/patch/20211124081251.59511-1-heinrich.schuchardt@canonical.com/

On x86 we don't have support for the emulated TPM in U-Boot. According 
to the QEMU documentation you would have to parse  ACPI tables to detect 
if a TPM is made available by QEMU. Maybe you could instead define it in 
arch/x86/dts/qemu-x86_i440fx.dts.
Cf. https://qemu-project.gitlab.io/qemu/specs/tpm.html#acpi-interface

Once that work is done we should enable the TPM emulation on x86 in the 
U-Boot test hooks.

This will be the required settings:

qemu_helper_script="swtpm"
qemu_extra_args="-nographic -cpu qemu64 -netdev 
user,id=net0,tftp=${UBOOT_TRAVIS_BUILD_DIR} -device e1000,netdev=net0 
-chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock -tpmdev 
emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0"

Best regards

Heinrich