Stefan Berger stefanb@us.ibm.com
The SWTPM package provides TPM emulators with different front-end interfaces
-to libtpms. TPM emulators provide socket interfaces (TCP/IP) and the Linux
-CUSE interface for the creation of multiple native /dev/vtpm* devices.
-Those can be the targets of multiple QEMU cuse-tpm instances.
+to libtpms. TPM emulators provide socket interfaces (TCP/IP and Unix) and
+the Linux CUSE interface for the creation of multiple native /dev/vtpm* devices.
-The SWTPM package also provides several tools for using the CUSE TPM,
+The SWTPM package also provides several tools for using the TPM emulator,
creating certificates for a TPM, and simulating the manufacturing of
a TPM by creating a TPM's EK and platform certificates etc. Please read
the READMEs in the individual tool's directory under src/.
+Please consult the Wiki for information about swtpm:
-TPM emulators:
---------------
-
-The primary goal of the CUSE TPM is to support running multiple QEMU guests,
-each having its own TPM emulator, without modifying QEMU, the kernel, or
-libtpms. The approach is to use the QEMU cuse-tpm driver, pointing it to
-/dev/vtpm? which is established as a CUSE frontend to libtpms.
-
-The CUSE frontend supports ioctls on the /dev/vtpm? device file, for
-handling hardware specific features, such as hardware reset, hardware
-shutdown, setting locality, and getting the tpmEstablished bit and
-others. There is a getcapability ioctl to query which of these features
-are available on a given vtpm.
-
-This has been tested on Fedora 20, as it has everything needed
-(cuse, QEMU with TPM passthrough driver, libtpms...) enabled by default.
-It is also known to work on RHEL-6.
-
-Building:
- Please read INSTALL for how to build and install the package
-
-Notes: If you are running selinux in enforcing mode (the Fedora 20 default),
- then you will get many (6?) rounds of errors, and everytime you have to
- use the selinux troubleshooter to add policies to allow the vtpm
- server to run. You only have to do this for the first VM.
-
- (If you are running ima-appraisal, you will need to sign the
- installed executables and libraries (/usr/bin/swtpm and
- /usr/bin/swtpm_cuse and /usr/lib/libswtpm_libtpms.so)
-
-In the Guest:
- If you are running a fedora20 guest, then you can start out with:
- yum install tpm-tools
- systemctl start tcsd.service
- tpm_createek
- tpm_takeown -u -y -z
- tpm_getpubek -u -z
-
------------------------------------------------------------------------------
-Low level details on the executables:
-
- On Fedora 20, CUSE is a module, so you may need to:
- modprobe cuse
- For each desired vtpm, as root you simply:
- export TPM_PATH=<directory to keep vtpm state files>
- ./swtpm_cuse -M <major> -m <minor> -n <device name>
- The process runs as a background daemon.
-
-Initialize two vTPMs' initial state with an EK each:
-
- # mkdir /tmp/myvtpm0
- # chown -R tss:root /tmp/myvtpm0
- # swtpm_setup --tpm-state /tmp/myvtpm0 --createek
-
- # mkdir /tmp/myvtpm1
- # chown -R tss:root /tmp/myvtpm1
- # swtpm_setup --tpm-state /tmp/myvtpm1 --createek
-
-Start the vTPM to use it with QEMU:
-
- # export TPM_PATH=/tmp/myvtpm0
- # swtpm_cuse -n vtpm0
-
- # export TPM_PATH=/tmp/myvtpm1
- # swtpm_cuse -n vtpm1
-
-Running QEMU with the cuse-tpm:
-
-There are two needed options for the passthrough -tpmdev and -device
-as shown in these examples. Note that the "path" parameter points to the
-native (/dev/vtpm0...) path, while the id and tpmdev are the guest's view.
-
- $ qemu-system-x86_64 -display sdl -enable-kvm -cdrom cdrom.iso \
- -m 1024 -boot d -bios bios.bin -boot menu=on -tpmdev \
- cuse-tpm,id=tpm0,path=/dev/vtpm0 \
- -device tpm-tis,tpmdev=tpm0 test.img
-
- $ qemu-system-x86_64 -display sdl -enable-kvm -cdrom cdrom.iso \
- -m 1024 -boot d -bios bios.bin -boot menu=on -tpmdev \
- cuse-tpm,id=tpm1,path=/dev/vtpm1 \
- -device tpm-tis,tpmdev=tpm1 test2.img
-
-For this to work, qemu patches that are not included in upstream qemu
-are needed. Currently those are maintained in
-https://github.com/stefanberger/qemu-tpm
-
-Including them upstream has been discussed, most recently at
-https://lists.nongnu.org/archive/html/qemu-devel/2016-06/msg00252.html
-
+ https://github.com/stefanberger/swtpm/wiki
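Review bot: the removal of the "TPM emulators" section drops security-relevant operational guidance without a replacement beyond the wiki pointer, in particular the note that under ima-appraisal the installed executables and libraries (/usr/bin/swtpm, /usr/bin/swtpm_cuse and /usr/lib/libswtpm_libtpms.so) must be signed, and the note about running with SELinux in enforcing mode; confirm the wiki at https://github.com/stefanberger/swtpm/wiki actually carries this content before merging, or keep a one-line pointer for each in the README. Two smaller points in the same hunk: the added line "Please consult the Wiki for information about swtpm:" ends with a colon but the URL added at the end of the hunk carries a leading space, so the two lines render inconsistently with the rest of the file (drop the leading space); and with the sentence "Those can be the targets of multiple QEMU cuse-tpm instances." removed, the README no longer says how the emulator connects to QEMU at all, which a short sentence after "TCP/IP and Unix" could restore.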