| SWTPM - Software TPM Emulator |
| David Safford safford@us.ibm.com |
| Stefan Berger stefanb@us.ibm.com |
| |
| The SWTPM package provides TPM emulators with different front-end interfaces |
| to libtpms. TPM emulators provide socket interfaces (TCP/IP) and the Linux |
| CUSE interface for the creation of multiple native /dev/vtpm* devices. |
| Those can be the targets of multiple QEMU cuse-tpm instances. |
| |
| The SWTPM package also provides several tools for using the CUSE TPM, |
| creating certificates for a TPM, and simulating the manufacturing of |
| a TPM by creating a TPM's EK and platform certificates etc. Please read |
| the READMEs in the individual tool's directory under src/. |
| |
| |
| TPM emulators: |
| -------------- |
| |
| The primary goal of the CUSE TPM is to support running multiple QEMU guests, |
| each having its own TPM emulator, without modifying QEMU, the kernel, or |
| libtpms. The approach is to use the QEMU cuse-tpm driver, pointing it to |
| /dev/vtpm? which is established as a CUSE frontend to libtpms. |
| |
| The CUSE frontend supports ioctls on the /dev/vtpm? device file, for |
| handling hardware specific features, such as hardware reset, hardware |
| shutdown, setting locality, and getting the tpmEstablished bit and |
| others. There is a getcapability ioctl to query which of these features |
| are available on a given vtpm. |
| |
| This has been tested on Fedora 20, as it has everything needed |
| (cuse, QEMU with TPM passthrough driver, libtpms...) enabled by default. |
| It is also known to work on RHEL-6. |
| |
| Building: |
| Please read INSTALL for how to build and install the package |
| |
| Notes: If you are running selinux in enforcing mode (the Fedora 20 default), |
| then you will get many (6?) rounds of errors, and everytime you have to |
| use the selinux troubleshooter to add policies to allow the vtpm |
| server to run. You only have to do this for the first VM. |
| |
| (If you are running ima-appraisal, you will need to sign the |
| installed executables and libraries (/usr/bin/swtpm and |
| /usr/bin/swtpm_cuse and /usr/lib/libswtpm_libtpms.so) |
| |
| In the Guest: |
| If you are running a fedora20 guest, then you can start out with: |
| yum install tpm-tools |
| systemctl start tcsd.service |
| tpm_createek |
| tpm_takeown -u -y -z |
| tpm_getpubek -u -z |
| |
| ----------------------------------------------------------------------------- |
| Low level details on the executables: |
| |
| On Fedora 20, CUSE is a module, so you may need to: |
| modprobe cuse |
| For each desired vtpm, as root you simply: |
| export TPM_PATH=<directory to keep vtpm state files> |
| ./swtpm_cuse -M <major> -m <minor> -n <device name> |
| The process runs as a background daemon. |
| |
| Initialize two vTPMs' initial state with an EK each: |
| |
| # mkdir /tmp/myvtpm0 |
| # chown -R tss:root /tmp/myvtpm0 |
| # swtpm_setup --tpm-state /tmp/myvtpm0 --createek |
| |
| # mkdir /tmp/myvtpm1 |
| # chown -R tss:root /tmp/myvtpm1 |
| # swtpm_setup --tpm-state /tmp/myvtpm1 --createek |
| |
| Start the vTPM to use it with QEMU: |
| |
| # export TPM_PATH=/tmp/myvtpm0 |
| # swtpm_cuse -n vtpm0 |
| |
| # export TPM_PATH=/tmp/myvtpm1 |
| # swtpm_cuse -n vtpm1 |
| |
| Running QEMU with the cuse-tpm: |
| |
| There are two needed options for the passthrough -tpmdev and -device |
| as shown in these examples. Note that the "path" parameter points to the |
| native (/dev/vtpm0...) path, while the id and tpmdev are the guest's view. |
| |
| $ qemu-system-x86_64 -display sdl -enable-kvm -cdrom cdrom.iso \ |
| -m 1024 -boot d -bios bios.bin -boot menu=on -tpmdev \ |
| cuse-tpm,id=tpm0,path=/dev/vtpm0 \ |
| -device tpm-tis,tpmdev=tpm0 test.img |
| |
| $ qemu-system-x86_64 -display sdl -enable-kvm -cdrom cdrom.iso \ |
| -m 1024 -boot d -bios bios.bin -boot menu=on -tpmdev \ |
| cuse-tpm,id=tpm1,path=/dev/vtpm1 \ |
| -device tpm-tis,tpmdev=tpm1 test2.img |
| |
| For this to work, qemu patches that are not included in upstream qemu |
| are needed. Currently those are maintained in |
| https://github.com/stefanberger/qemu-tpm |
| |
| Including them upstream has been discussed, most recently at |
| https://lists.nongnu.org/archive/html/qemu-devel/2016-06/msg00252.html |
| |