| Message ID | 1483989503.2398.13.camel@HansenPartnership.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On 01/09/2017 02:18 PM, James Bottomley wrote: > On Mon, 2017-01-09 at 13:52 -0500, Stefan Berger wrote: >> On 01/09/2017 01:51 PM, James Bottomley wrote: >>> On Mon, 2017-01-09 at 13:41 -0500, Stefan Berger wrote: >>>> On 01/09/2017 01:24 PM, James Bottomley wrote: >>>>> On Mon, 2017-01-09 at 13:03 -0500, Stefan Berger wrote: >>>>>> Examples: >>>>>> ./src/vtpmctrl --tpm2 \ >>>>>> --spawn /bin/swtpm chardev --tpm2 --fd %fd --tpmstate >>>>>> dir=/tmp >>>>> git head for swtpm is giving >>>>> >>>>> Created TPM device /dev/tpm1; vTPM device has fd 4, major/minor >>>>> = >>>>> 247/1. >>>>> chardev: unrecognized option '--tpm2' >>>> You need the tpm2-preview branches of libtpms and swtpm. Why you >>>> need >>>> them is related to the format in which the persistent data are >>>> written by the TPM 2 implementation. For QEMU it should probably >>>> big >>>> endian, but so far it's not. >>>> >>>> Here's a short wiki of libtpms pointing out the issues. >>>> >>>> https://github.com/stefanberger/libtpms/wiki >>>> >>>> https://github.com/stefanberger/libtpms/tree/tpm2-previewa.rev138 >>>> https://github.com/stefanberger/swtpm/tree/tpm2-preview >>> Basically the synopsis is that it's not yet working well enough to >>> run the resource manager smoke tests and I need to continue using >>> the ibmswtpm2 as the emulator or run against the real thing for the >>> time being. >> Have you tried it ? > Git head of the tpm2-preview branch of libtpms isn't building for me: > > tpm2/ExecCommand.c: In function 'ExecuteCommand': > tpm2/ExecCommand.c:434:37: error: 'commandIndex' may be used > uninitialized in this function [-Werror=maybe-uninitialized] > buffer = MemoryGetResponseBuffer(commandIndex); > ^ > cc1: all warnings being treated as errors > > I also think you probably need this patch > > James > > --- > > diff --git a/configure.ac b/configure.ac > index e84bc0f..4ab149d 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -125,7 +125,7 @@ openssl) > esac > > AC_ARG_WITH([tpm2], > - AC_HELP_STRING([--wih-tpm2], > + AC_HELP_STRING([--with-tpm2], > [build libtpms with TPM2 support (experimental)]), > AC_MSG_RESULT([Building with TPM2 support]) > #if test "x$cryptolib" = "xfreebl"; then Thanks. I fixed this now to make it at least compilable. The more recent branch is the tpm2-preview.rev138, which makes that other branch more or less obsolete. Stefan ------------------------------------------------------------------------------ Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon Phi processor-based developer platforms. With one year of Intel Parallel Studio XE. Training and support from Colfax. Order your platform today. http://sdm.link/xeonphi
On Mon, 2017-01-09 at 14:37 -0500, Stefan Berger wrote: > On 01/09/2017 02:18 PM, James Bottomley wrote: > > On Mon, 2017-01-09 at 13:52 -0500, Stefan Berger wrote: > > > On 01/09/2017 01:51 PM, James Bottomley wrote: > > > > On Mon, 2017-01-09 at 13:41 -0500, Stefan Berger wrote: > > > > > On 01/09/2017 01:24 PM, James Bottomley wrote: > > > > > > On Mon, 2017-01-09 at 13:03 -0500, Stefan Berger wrote: > > > > > > > Examples: > > > > > > > ./src/vtpmctrl --tpm2 \ > > > > > > > --spawn /bin/swtpm chardev --tpm2 --fd %fd - > > > > > > > -tpmstate > > > > > > > dir=/tmp > > > > > > git head for swtpm is giving > > > > > > > > > > > > Created TPM device /dev/tpm1; vTPM device has fd 4, > > > > > > major/minor > > > > > > = > > > > > > 247/1. > > > > > > chardev: unrecognized option '--tpm2' > > > > > You need the tpm2-preview branches of libtpms and swtpm. Why > > > > > you need them is related to the format in which the > > > > > persistent data are written by the TPM 2 implementation. For > > > > > QEMU it should probably big endian, but so far it's not. > > > > > > > > > > Here's a short wiki of libtpms pointing out the issues. > > > > > > > > > > https://github.com/stefanberger/libtpms/wiki > > > > > > > > > > https://github.com/stefanberger/libtpms/tree/tpm2-previewa.re > > > > > v138 > > > > > https://github.com/stefanberger/swtpm/tree/tpm2-preview > > > > Basically the synopsis is that it's not yet working well enough > > > > to run the resource manager smoke tests and I need to continue > > > > using the ibmswtpm2 as the emulator or run against the real > > > > thing for the time being. > > > Have you tried it ? > > Git head of the tpm2-preview branch of libtpms isn't building for > > me: > > > > tpm2/ExecCommand.c: In function 'ExecuteCommand': > > tpm2/ExecCommand.c:434:37: error: 'commandIndex' may be used > > uninitialized in this function [-Werror=maybe-uninitialized] > > buffer = MemoryGetResponseBuffer(commandIndex); > > ^ > > cc1: all warnings being treated as errors > > > > I also think you probably need this patch > > > > James > > > > --- > > > > diff --git a/configure.ac b/configure.ac > > index e84bc0f..4ab149d 100644 > > --- a/configure.ac > > +++ b/configure.ac > > @@ -125,7 +125,7 @@ openssl) > > esac > > > > AC_ARG_WITH([tpm2], > > - AC_HELP_STRING([--wih-tpm2], > > + AC_HELP_STRING([--with-tpm2], > > [build libtpms with TPM2 support > > (experimental)]), > > AC_MSG_RESULT([Building with TPM2 support]) > > #if test "x$cryptolib" = "xfreebl"; then > > > Thanks. I fixed this now to make it at least compilable. The more > recent branch is the tpm2-preview.rev138, which makes that other > branch more or less obsolete. OK, with this branch, I can get a mostly successful run of the smoke tests. The failure looks to be a dispute over who handles TPM_RC_RETRY James --- jejb@jarvis:~/git/tpm2-scripts> python tpm2_smoke.py E..... ====================================================================== ERROR: test_seal_with_auth (__main__.SmokeTest) ---------------------------------------------------------------------- Traceback (most recent call last): File "tpm2_smoke.py", line 24, in test_seal_with_auth blob = self.client.seal(self.root_key, data, auth, None) File "/home/jejb/git/tpm2-scripts/tpm2.py", line 665, in seal rsp = self.send_cmd(cmd) File "/home/jejb/git/tpm2-scripts/tpm2.py", line 443, in send_cmd raise ProtocolError(cc, rc) ProtocolError: TPM_RC_RETRY: cc=0x00000153, rc=0x00000922 ---------------------------------------------------------------------- Ran 6 tests in 1.341s FAILED (errors=1) ------------------------------------------------------------------------------ Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon Phi processor-based developer platforms. With one year of Intel Parallel Studio XE. Training and support from Colfax. Order your platform today. http://sdm.link/xeonphi
On 01/09/2017 03:06 PM, James Bottomley wrote: >> >> >> Thanks. I fixed this now to make it at least compilable. The more >> recent branch is the tpm2-preview.rev138, which makes that other >> branch more or less obsolete. > OK, with this branch, I can get a mostly successful run of the smoke > tests. The failure looks to be a dispute over who handles TPM_RC_RETRY The following now also works after a (forced) updated on the swtpm TPM2 preview branch: swtpm chardev --vtpm-proxy --tpmstate dir=/tmp --tpm2 swtpm chardev --vtpm-proxy --tpmstate dir=/tmp Stefan ------------------------------------------------------------------------------ Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon Phi processor-based developer platforms. With one year of Intel Parallel Studio XE. Training and support from Colfax. Order your platform today. http://sdm.link/xeonphi
On Sun, 2017-01-15 at 14:18 -0500, Stefan Berger wrote: > On 01/09/2017 03:06 PM, James Bottomley wrote: > > > > > > > > > Thanks. I fixed this now to make it at least compilable. The more > > > recent branch is the tpm2-preview.rev138, which makes that other > > > branch more or less obsolete. > > OK, with this branch, I can get a mostly successful run of the > > smoke tests. The failure looks to be a dispute over who handles > > TPM_RC_RETRY > > The following now also works after a (forced) updated on the swtpm > TPM2 preview branch: > > swtpm chardev --vtpm-proxy --tpmstate dir=/tmp --tpm2 > swtpm chardev --vtpm-proxy --tpmstate dir=/tmp What would it take to get this into the master branch and released, so those of us who use standard distribution tools can get it? James ------------------------------------------------------------------------------ Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon Phi processor-based developer platforms. With one year of Intel Parallel Studio XE. Training and support from Colfax. Order your platform today. http://sdm.link/xeonphi
On 01/15/2017 02:40 PM, James Bottomley wrote: > On Sun, 2017-01-15 at 14:18 -0500, Stefan Berger wrote: >> On 01/09/2017 03:06 PM, James Bottomley wrote: >>>> >>>> Thanks. I fixed this now to make it at least compilable. The more >>>> recent branch is the tpm2-preview.rev138, which makes that other >>>> branch more or less obsolete. >>> OK, with this branch, I can get a mostly successful run of the >>> smoke tests. The failure looks to be a dispute over who handles >>> TPM_RC_RETRY >> The following now also works after a (forced) updated on the swtpm >> TPM2 preview branch: >> >> swtpm chardev --vtpm-proxy --tpmstate dir=/tmp --tpm2 >> swtpm chardev --vtpm-proxy --tpmstate dir=/tmp > What would it take to get this into the master branch and released, so > those of us who use standard distribution tools can get it? The problem lies in the code that writes the TPM 2 state in host format rather than in Big Endian format, which would make the state portable and likely that is the preferred format for QEMU integration. Besides that there is some functionality missing for suspending the volatile state of the TPM 2. https://github.com/stefanberger/libtpms/wiki Stefan ------------------------------------------------------------------------------ Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon Phi processor-based developer platforms. With one year of Intel Parallel Studio XE. Training and support from Colfax. Order your platform today. http://sdm.link/xeonphi
On Sun, 2017-01-15 at 21:25 -0500, Stefan Berger wrote: > On 01/15/2017 02:40 PM, James Bottomley wrote: > > On Sun, 2017-01-15 at 14:18 -0500, Stefan Berger wrote: > > > On 01/09/2017 03:06 PM, James Bottomley wrote: > > > > > > > > > > Thanks. I fixed this now to make it at least compilable. The > > > > > more > > > > > recent branch is the tpm2-preview.rev138, which makes that > > > > > other > > > > > branch more or less obsolete. > > > > OK, with this branch, I can get a mostly successful run of the > > > > smoke tests. The failure looks to be a dispute over who > > > > handles > > > > TPM_RC_RETRY > > > The following now also works after a (forced) updated on the > > > swtpm > > > TPM2 preview branch: > > > > > > swtpm chardev --vtpm-proxy --tpmstate dir=/tmp --tpm2 > > > swtpm chardev --vtpm-proxy --tpmstate dir=/tmp > > What would it take to get this into the master branch and released, > > so > > those of us who use standard distribution tools can get it? > > The problem lies in the code that writes the TPM 2 state in host > format > rather than in Big Endian format, which would make the state portable > and likely that is the preferred format for QEMU integration. Besides > that there is some functionality missing for suspending the volatile > state of the TPM 2. > > > https://github.com/stefanberger/libtpms/wiki Yes, but my point is that most people who want to be using tpm2 emulation don't really care about QEMU ... it's a nice thing, sure, but it's very complex to set up, so it's only going to be the odd enthusiast that cares about vtpm in QEMU. Most people simply care about testing TPM2 code or playing with TPM2 itself and for that, they don't need or want virtualization. Could you not push tpm2 into the release branch with the caveat that the extremely esoteric BE on LE virtualization case doesn't work yet? James ------------------------------------------------------------------------------ Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon Phi processor-based developer platforms. With one year of Intel Parallel Studio XE. Training and support from Colfax. Order your platform today. http://sdm.link/xeonphi
diff --git a/configure.ac b/configure.ac index e84bc0f..4ab149d 100644 --- a/configure.ac +++ b/configure.ac @@ -125,7 +125,7 @@ openssl) esac AC_ARG_WITH([tpm2], - AC_HELP_STRING([--wih-tpm2], + AC_HELP_STRING([--with-tpm2], [build libtpms with TPM2 support (experimental)]), AC_MSG_RESULT([Building with TPM2 support]) #if test "x$cryptolib" = "xfreebl"; then