Bug 594 - TPM enablement in OVMF
Summary: TPM enablement in OVMF
Status: RESOLVED FIXED
Alias: None
Product: Tianocore Feature Requests
Classification: Unclassified
Component: Code
Version: Current
Hardware: All All
Importance: Normal normal
Assignee: Marc-André Lureau
Reported: 2017-06-15 08:17 UTC by Laszlo Ersek
Modified: 2018-09-12 16:00 UTC

EDK II Code First industry standard specifications: ---
Release(s) the issue is observed: EDK II Master
The OS the target platform is running: ---
Package: OvmfPkg


Description Laszlo Ersek 2017-06-15 08:17:33 UTC
I've asked Stefan Berger @IBM to document the current TPM status in QEMU (guest-visible frontend / behavior, QEMU specifics, currently supported TPM backends, design in general):

[Qemu-devel] TPM status
http://lists.nongnu.org/archive/html/qemu-devel/2017-06/msg03439.html
msgid <7f0b8d00-236d-37e8-5c1f-e7ea8e4b9146@redhat.com>

Based on that document, and based on the TianoCore Wiki's TPM instructions at <https://github.com/tianocore/tianocore.github.io/wiki/How-to-Enable-Security#Enabling_Trusted_Compute_Module_TPM>, we should enable TPM support in OVMF.

The goal is that a guest OS (incl. its boot loader) running on OVMF can read the TPM event log.
Comment 3 Laszlo Ersek 2017-07-12 20:36:38 UTC
Amarnath Valluri's v4 swtpm set:

[Qemu-devel] [PATCH v4 0/8] Provide support for the software TPM emulator
http://mid.mail-archive.com/1496666711-14630-1-git-send-email-amarnath.valluri@intel.com
Comment 4 Laszlo Ersek 2017-07-14 04:24:04 UTC
From <https://github.com/tianocore/tianocore.github.io/wiki/How-to-Enable-Security#Enabling_Trusted_Compute_Module_TPM>:

"Memory should be cleared if ClearMemory bit of variable MemoryOverwriteRequestControl is set when doing memory initialization".

This means TPM enablement depends on PEI-phase variable access.
Comment 6 Laszlo Ersek 2017-08-16 20:19:33 UTC
Amarnath Valluri's v6 set:

[Qemu-devel] [PATCH v6 0/8] Provide support for the software TPM emulator
http://lists.nongnu.org/archive/html/qemu-devel/2017-07/msg05507.html
Comment 9 Laszlo Ersek 2018-03-08 15:16:27 UTC
Patch sets from Marc-André:

[edk2] [PATCH 0/7] RFC: ovmf: preliminary TPM2 support
http://mid.mail-archive.com/20180223132311.26555-1-marcandre.lureau@redhat.com

[edk2] [PATCH v2 0/8] RFC: ovmf: preliminary TPM2 support
https://lists.01.org/pipermail/edk2-devel/2018-March/022390.html
http://mid.mail-archive.com/20180307155746.18526-1-marcandre.lureau@redhat.com
Comment 10 Laszlo Ersek 2018-03-08 15:17:03 UTC
(In reply to Laszlo Ersek from comment #9)
> Patch sets from Marc-André:
> 
> [...]

moving BZ to IN_PROGRESS status
Comment 12 Laszlo Ersek 2018-03-09 13:39:56 UTC
Fixed in commit range 7878f706e7eb..d5a002aba0aa, by Marc-André's v3 series (comment 11).

Future work (SEV compat, and TPM2 Physical Presence Interface) should be tracked by independent BZs.