author: Patrick Ohly <patrick.ohly@intel.com>, 2017-12-06 12:03:32 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org>, 2017-12-10 22:41:43 +0000
commit: 82f37aa4c5152f104897fff04f09ad55c20c2a3f
tree: 1f12cceb9390f7d3715d2d9cfbeaecfbcedf1e51 (meta/recipes-devtools/qemu/qemu/0002-tpm-Clean-up-model-registration-lookup.patch)
parent: d9b59df1230a20c7a5c9f4fb0325bb9216025a16
download: openembedded-core-contrib-82f37aa4c5152f104897fff04f09ad55c20c2a3f.tar.gz
qemu: use upstream swtpm support
Upstream finally accepted and merged a different approach for
connecting QEMU to swtpm: instead of a custom cuse-tpm device, a
normal chardev connects to swtpm, and that chardev then is used by the
TPM device. For now we have to backport those patches, but the next
major QEMU update will have them.
However, the chardev-connect-socket-to-a-spawned-command.patch is
something that OE will have to carry permanently. It simplifies
starting and stopping swtpm when invoking QEMU through runqemu without
having to teach that script about the additional process. Upstream
rejected the patch because they want to keep the complexity of
starting additional processes out of QEMU.
A recent enough swtpm is needed. The one currently used by
meta-security fails to communicate properly with QEMU, leading to this
failure:
qemu-system-x86_64: -tpmdev emulator,id=tpm0,chardev=chrtpm0: tpm-emulator: Failed to send CMD_SET_DATAFD: Input/output error
qemu-system-x86_64: -tpmdev emulator,id=tpm0,chardev=chrtpm0: tpm-emulator: Could not cleanly shutdown the TPM: Invalid argument
With a recent enough swtpm, one can create a TPM device like this:
- bitbake swtpm-native
- create a TPM instance and initialize it with:
$ mkdir -p my-machine/myvtpm0
$ tmp*/work/*/swtpm-wrappers-native/*/swtpm_setup_oe.sh --tpm-state my-machine/myvtpm0 --createek
Starting vTPM manufacturing as root:root @ Wed 06 Dec 2017 10:03:14 AM CET
TPM is listening on TCP port 34613.
Successfully created EK.
Successfully authored TPM state.
Ending vTPM manufacturing @ Wed 06 Dec 2017 10:03:14 AM CET
- runqemu "qemuparams=-chardev 'socket,id=chrtpm0,cmd=exec
swtpm_oe.sh socket --terminate --ctrl type=unixio,,clientfd=0
--tpmstate dir=... --log level=10,,file=.../swtpm.log --tpm2'
-tpmdev emulator,id=tpm0,chardev=chrtpm0 -device
tpm-tis,tpmdev=tpm0" ...
Beware that the double commas are intentional. They are needed to
embed commas in the "cmd" value.
swtpm_oe.sh is from swtpm-wrappers-native. In the example it is
invoked without the full path for the sake of brevity. In practice,
one has to use the full
path (tmp*/work/*/swtpm-wrappers-native/*/swtpm_oe.sh).
With the TPM2-preview version of swtpm, the same works for TPM2 by
adding the --tpm2 parameter when invoking swtpm_setup_oe.sh and
swtpm_oe.sh.
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
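The runqemu invocation described in the commit message, assembled by a small POSIX shell helper (an added example, not code from the commit or from OE's swtpm-wrappers): it doubles the commas inside the cmd value the way QEMU's option parser requires and appends --tpm2 on request. The swtpm_oe.sh path, TPM state directory and log file are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the commit. Builds the qemuparams string for
# the swtpm chardev. Paths passed in are caller-supplied placeholders.

# QEMU splits an option string on single commas, so a comma that belongs
# inside a value (",clientfd=0", ",file=...") must be written as ",,".
qemu_escape_commas() {
    printf '%s' "$1" | sed 's/,/,,/g'
}

# Compose the swtpm command line QEMU will spawn for the chardev.
# $1 = path to swtpm_oe.sh, $2 = TPM state dir, $3 = log file,
# $4 = "tpm2" to emulate a TPM 2.0, anything else for TPM 1.2
swtpm_cmd() {
    cmd="exec $1 socket --terminate --ctrl type=unixio,clientfd=0 --tpmstate dir=$2 --log level=10,file=$3"
    [ "$4" = "tpm2" ] && cmd="$cmd --tpm2"
    printf '%s' "$cmd"
}

# Full QEMU argument list for runqemu "qemuparams=...". Only the cmd value
# is escaped; the commas separating the chardev's own properties stay single.
tpm_qemuparams() {
    escaped="$(qemu_escape_commas "$(swtpm_cmd "$1" "$2" "$3" "$4")")"
    printf '%s' "-chardev 'socket,id=chrtpm0,cmd=$escaped' -tpmdev emulator,id=tpm0,chardev=chrtpm0 -device tpm-tis,tpmdev=tpm0"
}

# Sanity check before handing the value to QEMU: after removing every
# doubled comma, no single comma may remain in the cmd value.
check_escaped() {
    printf '%s' "$1" | sed 's/,,//g' | grep -q ',' && return 1
    return 0
}

# Usage: tpm_qemuparams /path/to/swtpm_oe.sh my-machine/myvtpm0 /tmp/swtpm.log tpm2
```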
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/0002-tpm-Clean-up-model-registration-lookup.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/0002-tpm-Clean-up-model-registration-lookup.patch | 121 |
1 files changed, 121 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0002-tpm-Clean-up-model-registration-lookup.patch b/meta/recipes-devtools/qemu/qemu/0002-tpm-Clean-up-model-registration-lookup.patch new file mode 100644 index 0000000000..c223ba83b6 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0002-tpm-Clean-up-model-registration-lookup.patch 
@@ -0,0 +1,121 @@ +From 89430c64784484214b3c99562520cdffe79cd801 Mon Sep 17 00:00:00 2001 +From: Markus Armbruster <armbru@redhat.com> +Date: Thu, 24 Aug 2017 10:45:59 +0200 +Subject: [PATCH 02/12] tpm: Clean up model registration & lookup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We have a strict separation between enum TpmModel and tpm_models[]: + +* TpmModel may have any number of members. It just happens to have one. + +* tpm_register_model() uses the first empty slot in tpm_models[]. + + If you register more than tpm_models[] has space, + tpn_register_model() fails. Its caller silently ignores the + failure. + + Register the same TpmModel more than once has no effect other than + wasting tpm_models[] slots: tpm_model_is_registered() is happy with + the first one it finds. + +Since we only ever register one model, and tpm_models[] has space for +just that one, this contraption even works. + +Turn tpm_models[] into a straight map from enum TpmType to bool. Much +simpler. 
+ +Cc: Stefan Berger <stefanb@us.ibm.com> +Signed-off-by: Markus Armbruster <armbru@redhat.com> +Message-Id: <1503564371-26090-5-git-send-email-armbru@redhat.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +[Commit message typo fixed] + +Upstream-Status: Backport +--- + include/sysemu/tpm_backend.h | 2 +- + tpm.c | 37 +++++-------------------------------- + 2 files changed, 6 insertions(+), 33 deletions(-) + +diff --git a/include/sysemu/tpm_backend.h b/include/sysemu/tpm_backend.h +index 1d21c6b19b..b0a9731aee 100644 +--- a/include/sysemu/tpm_backend.h ++++ b/include/sysemu/tpm_backend.h +@@ -226,7 +226,7 @@ TPMVersion tpm_backend_get_tpm_version(TPMBackend *s); + TPMBackend *qemu_find_tpm(const char *id); + + const TPMDriverOps *tpm_get_backend_driver(const char *type); +-int tpm_register_model(enum TpmModel model); ++void tpm_register_model(enum TpmModel model); + void tpm_register_driver(const TPMDriverOps *tdo); + + #endif +diff --git a/tpm.c b/tpm.c +index bb45d0c08e..2dbea70645 100644 +--- a/tpm.c ++++ b/tpm.c +@@ -24,39 +24,12 @@ + static QLIST_HEAD(, TPMBackend) tpm_backends = + QLIST_HEAD_INITIALIZER(tpm_backends); + +- +-#define TPM_MAX_MODELS 1 +- + static TPMDriverOps const *be_drivers[TPM_TYPE__MAX]; ++static bool tpm_models[TPM_MODEL__MAX]; + +-static enum TpmModel tpm_models[TPM_MAX_MODELS] = { +- TPM_MODEL__MAX, +-}; +- +-int tpm_register_model(enum TpmModel model) +-{ +- int i; +- +- for (i = 0; i < TPM_MAX_MODELS; i++) { +- if (tpm_models[i] == TPM_MODEL__MAX) { +- tpm_models[i] = model; +- return 0; +- } +- } +- error_report("Could not register TPM model"); +- return 1; +-} +- +-static bool tpm_model_is_registered(enum TpmModel model) ++void tpm_register_model(enum TpmModel model) + { +- int i; +- +- for (i = 0; i < TPM_MAX_MODELS; i++) { +- if (tpm_models[i] == model) { +- return true; +- } +- } +- return false; ++ tpm_models[model] = true; + } + + const TPMDriverOps *tpm_get_backend_driver(const char *type) +@@ -270,7 +243,7 
@@ TPMInfoList *qmp_query_tpm(Error **errp) + TPMInfoList *info, *head = NULL, *cur_item = NULL; + + QLIST_FOREACH(drv, &tpm_backends, list) { +- if (!tpm_model_is_registered(drv->fe_model)) { ++ if (!tpm_models[drv->fe_model]) { + continue; + } + info = g_new0(TPMInfoList, 1); +@@ -317,7 +290,7 @@ TpmModelList *qmp_query_tpm_models(Error **errp) + TpmModelList *head = NULL, *prev = NULL, *cur_item; + + for (i = 0; i < TPM_MODEL__MAX; i++) { +- if (!tpm_model_is_registered(i)) { ++ if (!tpm_models[i]) { + continue; + } + cur_item = g_new0(TpmModelList, 1); +-- +2.11.0 + |
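Review bot: the description inside the embedded patch says tpm_models[] becomes "a straight map from enum TpmType to bool", but the tpm.c hunk declares it as `static bool tpm_models[TPM_MODEL__MAX];` and indexes it with `enum TpmModel` values (`tpm_models[model] = true;`), so the type named there should be TpmModel; the same paragraph also spells the function `tpn_register_model()`. Since the file carries the upstream commit id and Message-Id as a Backport, either leave the text as upstream wrote it or extend the `[Commit message typo fixed]` note to say what was changed.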
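Review bot: in the tpm.c hunk, `tpm_register_model()` now stores `tpm_models[model] = true;` without a range check, whereas the removed loop could only ever touch the TPM_MAX_MODELS slots. Every valid `enum TpmModel` enumerator is below TPM_MODEL__MAX, which is also what sizes the array, so the only caller is in range today; an `assert(model < TPM_MODEL__MAX);` before the store would make that invariant explicit and turn a future bad caller into an immediate abort rather than a silent out-of-bounds write. Dropping the `int` return and the `error_report()` is fine, since the patch description notes the caller ignored the failure anyway.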