| Message ID | 20190415155636.32748-3-sashal@kernel.org (mailing list archive) |
|---|---|
| State | New, archived |
| Series | ftpm: a firmware based TPM driver |
On 15.04.19 17:56, Sasha Levin wrote:
Hi,
> +The driver acts as a thin layer that passes commands to and from a TPM
> +implemented in firmware. The driver itself doesn't contain much logic and is
> +used more like a dumb pipe between firmware and kernel/userspace.
Is that TPM already used in production or yet a PoC?
IOW: can the protocol be changed?
If so, I'd prefer using 9P for that. This has already proven itself well, not just
for grid computing (where it originally came from), but also in things
like virtio, etc.
In general, many of the hardware/chip interfaces out there basically
deal with either passing around some data packets or streams,
or reading/setting some attributes. But everybody seems to do that part
in his own special way - that takes up a big share of the driver
development resources and final code - and that needs to be repeated
for each OS. In many, many cases a standard protocol like 9P could
already provide this - if folks would just use it :p
Therefore, I'm really a strong supporter of the idea of using 9P
for this.
In your case, you could design the high-level TPM interface like
a TCP stream / socket or a synthetic filesystem, and for the low-level
part just like kvm does w/ virtio.
In case you have no experience w/ 9P+friends, feel free to ask,
I'll do my best to explain it :)
--mtx
On Wed, Apr 17, 2019 at 02:23:13PM +0200, Enrico Weigelt, metux IT consult wrote:
>On 15.04.19 17:56, Sasha Levin wrote:
>
>Hi,
>
>> +The driver acts as a thin layer that passes commands to and from a TPM
>> +implemented in firmware. The driver itself doesn't contain much logic and is
>> +used more like a dumb pipe between firmware and kernel/userspace.
>
>Is that TPM already used in production or yet a PoC?
>IOW: can the protocol be changed?

Sadly no, this is based on something that exists for a few years already and
we're trying to make Linux run on it.

--
Thanks,
Sasha
On Mon, Apr 15, 2019 at 11:56:36AM -0400, Sasha Levin wrote: > This patch adds basic documentation to describe the new fTPM driver. > > Signed-off-by: Sasha Levin <sashal@kernel.org> > Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org> > --- > Documentation/security/tpm/index.rst | 1 + > Documentation/security/tpm/tpm_ftpm_tee.rst | 31 +++++++++++++++++++++ > 2 files changed, 32 insertions(+) > create mode 100644 Documentation/security/tpm/tpm_ftpm_tee.rst > > diff --git a/Documentation/security/tpm/index.rst b/Documentation/security/tpm/index.rst > index af77a7bbb070..15783668644f 100644 > --- a/Documentation/security/tpm/index.rst > +++ b/Documentation/security/tpm/index.rst > @@ -4,4 +4,5 @@ Trusted Platform Module documentation > > .. toctree:: > > + tpm_ftpm_tee > tpm_vtpm_proxy > diff --git a/Documentation/security/tpm/tpm_ftpm_tee.rst b/Documentation/security/tpm/tpm_ftpm_tee.rst > new file mode 100644 > index 000000000000..29c2f8b5ed10 > --- /dev/null > +++ b/Documentation/security/tpm/tpm_ftpm_tee.rst 
> @@ -0,0 +1,31 @@ > +============================================= > +Firmware TPM Driver > +============================================= > + > +| Authors: > +| Thirupathaiah Annapureddy <thiruan@microsoft.com> > +| Sasha Levin <sashal@kernel.org> > + > +This document describes the firmware Trusted Platform Module (fTPM) > +device driver. > + > +Introduction > +============ > + > +This driver is a shim for a firmware implemented in ARM's TrustZone > +environment. The driver allows programs to interact with the TPM in the same > +way the would interact with a hardware TPM. > + > +Design > +====== > + > +The driver acts as a thin layer that passes commands to and from a TPM > +implemented in firmware. The driver itself doesn't contain much logic and is > +used more like a dumb pipe between firmware and kernel/userspace. > + > +The firmware itself is based on the following paper: > +https://www.microsoft.com/en-us/research/wp-content/uploads/2017/06/ftpm1.pdf > + > +When the driver is loaded it will expose ``/dev/tpmX`` character devices to > +userspace which will enable userspace to communicate with the firmware tpm > +through this device. > -- > 2.19.1 >

Actually this would be a better place, at least with some words to describe what a TEE is. I'm, for example, confused whether there is only a single TEE in existence always used with TZ or whether this is some MS-specific TEE.

Otherwise, looks legit.

/Jarkko
diff --git a/Documentation/security/tpm/index.rst b/Documentation/security/tpm/index.rst index af77a7bbb070..15783668644f 100644 --- a/Documentation/security/tpm/index.rst +++ b/Documentation/security/tpm/index.rst @@ -4,4 +4,5 @@ Trusted Platform Module documentation .. toctree:: + tpm_ftpm_tee tpm_vtpm_proxy diff --git a/Documentation/security/tpm/tpm_ftpm_tee.rst b/Documentation/security/tpm/tpm_ftpm_tee.rst new file mode 100644 index 000000000000..29c2f8b5ed10 --- /dev/null +++ b/Documentation/security/tpm/tpm_ftpm_tee.rst @@ -0,0 +1,31 @@ +============================================= +Firmware TPM Driver +============================================= + +| Authors: +| Thirupathaiah Annapureddy <thiruan@microsoft.com> +| Sasha Levin <sashal@kernel.org> + +This document describes the firmware Trusted Platform Module (fTPM) +device driver. + +Introduction +============ + +This driver is a shim for a firmware implemented in ARM's TrustZone +environment. The driver allows programs to interact with the TPM in the same +way the would interact with a hardware TPM. + +Design +====== + +The driver acts as a thin layer that passes commands to and from a TPM +implemented in firmware. The driver itself doesn't contain much logic and is +used more like a dumb pipe between firmware and kernel/userspace. + +The firmware itself is based on the following paper: +https://www.microsoft.com/en-us/research/wp-content/uploads/2017/06/ftpm1.pdf + +When the driver is loaded it will expose ``/dev/tpmX`` character devices to +userspace which will enable userspace to communicate with the firmware tpm +through this device.
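Review bot: In the tpm_ftpm_tee.rst hunk, the Introduction paragraph drops a word in "This driver is a shim for a firmware implemented in ARM's TrustZone environment" (a firmware what? presumably "a TPM implemented in firmware running in ARM's TrustZone environment"), and "the same way the would interact" should read "the same way they would interact"; the last Design paragraph also writes "firmware tpm" where the rest of the file uses "TPM". Since the Design section presents the driver as a dumb pipe, one sentence spelling out what that means for trust (the TPM's guarantees rest on the firmware and on the TrustZone isolation it runs in, not on anything the kernel-side driver does) would tell readers what the ``/dev/tpmX`` devices do and do not vouch for.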
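The documentation added by the patch says that once loaded the driver exposes ``/dev/tpmX`` and that userspace talks to the firmware TPM through that device, with the driver itself acting as a dumb pipe. The following is an added example, not code from the patch, the fTPM driver or the TCG reference implementation: it marshals a TPM2_GetRandom command, sends it through the character device using the Linux TPM character-device convention of one write() per command followed by a read() for the response, and validates the response framing before using the result. The device path ``/dev/tpm0`` is an assumption, the sample replies are constructed, and the wire constants come from the TCG TPM 2.0 Library specification.

```python
import os
import struct

# TPM 2.0 wire constants (TCG TPM 2.0 Library, Part 2: Structures)
TPM_ST_NO_SESSIONS = 0x8001     # command/response tag when no authorization sessions are used
TPM_CC_GETRANDOM = 0x0000017B   # command code for TPM2_GetRandom
TPM_RC_SUCCESS = 0x00000000
HEADER_LEN = 10                 # tag (UINT16) + size (UINT32) + code (UINT32)


def build_get_random(num_bytes):
    """Marshal a TPM2_GetRandom command: 10-byte header followed by UINT16 bytesRequested."""
    if not 0 < num_bytes <= 0xFFFF:
        raise ValueError("bytesRequested must fit in a UINT16")
    params = struct.pack(">H", num_bytes)
    header = struct.pack(">HII", TPM_ST_NO_SESSIONS, HEADER_LEN + len(params), TPM_CC_GETRANDOM)
    return header + params


def parse_get_random(resp):
    """Check the response framing and return the random bytes.

    The driver forwards bytes unchanged, so this is where the non-secure side
    confirms that the sizes the firmware declares agree with what was received.
    """
    if len(resp) < HEADER_LEN:
        raise ValueError("response shorter than a TPM header")
    tag, size, rc = struct.unpack(">HII", resp[:HEADER_LEN])
    if size != len(resp):
        raise ValueError("responseSize %d does not match %d bytes received" % (size, len(resp)))
    if rc != TPM_RC_SUCCESS:
        raise RuntimeError("TPM returned error 0x%08x" % rc)
    if tag != TPM_ST_NO_SESSIONS:
        raise ValueError("unexpected response tag 0x%04x" % tag)
    # Parameter area: TPM2B_DIGEST randomBytes = UINT16 size + that many bytes
    if len(resp) < HEADER_LEN + 2:
        raise ValueError("success response is missing the TPM2B size field")
    (count,) = struct.unpack(">H", resp[HEADER_LEN:HEADER_LEN + 2])
    data = resp[HEADER_LEN + 2:]
    if len(data) != count:
        raise ValueError("TPM2B size %d does not match %d payload bytes" % (count, len(data)))
    return data


def get_random_from_device(num_bytes, path="/dev/tpm0"):
    """Send the command through the character device (the path is an assumption).

    On the Linux TPM character device one write() carries one command and the
    following read() returns that command's response.
    """
    fd = os.open(path, os.O_RDWR)
    try:
        os.write(fd, build_get_random(num_bytes))
        return parse_get_random(os.read(fd, 4096))
    finally:
        os.close(fd)


# Constructed sample replies (not captured from a real fTPM): a successful reply
# carrying four bytes, and a bare error reply with a non-zero response code.
SAMPLE_RESPONSE = (struct.pack(">HII", TPM_ST_NO_SESSIONS, HEADER_LEN + 2 + 4, TPM_RC_SUCCESS)
                   + struct.pack(">H", 4) + b"\xde\xad\xbe\xef")
ERROR_RESPONSE = struct.pack(">HII", TPM_ST_NO_SESSIONS, HEADER_LEN, 0x00000100)

if __name__ == "__main__":
    print("command:", build_get_random(4).hex())
    print("parsed sample:", parse_get_random(SAMPLE_RESPONSE).hex())
    try:
        print("device:", get_random_from_device(16).hex())
    except OSError as e:
        print("no TPM device available here:", e)
```

Because the driver passes bytes through unchanged, the size and tag checks in parse_get_random are the only point on the non-secure side where a truncated or malformed reply from the firmware is caught; the same header validation applies to every TPM 2.0 command sent through the device, not just TPM2_GetRandom.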