forked from tianocore/edk2
Add current vTPM driver #5
Merged
Add protocol and call numbers as defined in the "Secure VM Service Module for SEV-SNP Guests", Publication # 58019, Revision 1.00:
https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/58019.pdf

Signed-off-by: Oliver Steffen <[email protected]>
Make use of the named protocol and call constants for SVSM communication.

Signed-off-by: Oliver Steffen <[email protected]>
We need to stub the SVSM vTPM protocol in the UefiCpuPkg in order to support a SEV-SNP guest running under an SVSM at VMPL1 or lower.

Cc: Ray Ni <[email protected]>
Cc: Rahul Kumar <[email protected]>
Cc: Gerd Hoffmann <[email protected]>
Cc: Jiaxin Wu <[email protected]>
Co-authored-by: James Bottomley <[email protected]>
Signed-off-by: Claudio Carvalho <[email protected]>
Signed-off-by: Oliver Steffen <[email protected]>
Add call numbers for the SVSM vTPM protocol, as defined in the "Secure VM Service Module for SEV-SNP Guests", Publication # 58019, Revision 1.00.

Signed-off-by: Oliver Steffen <[email protected]>
As described in the SVSM specification, guest components can call to the SVSM vTPM through the vTPM protocol (protocol-id 2). The SVSM vTPM protocol follows the Microsoft TPM Simulator interface (MSSIM) and supports two services:

- SVSM_VTPM_QUERY (call-id 0): query MSSIM commands and vTPM features supported.
- SVSM_VTPM_CMD (call-id 1): send an MSSIM command to be run by the vTPM and get the result.

This patch adds support for SVSM_VTPM_QUERY and SVSM_VTPM_CMD to invoke an SVSM when the guest is running at VMPL0.

Cc: Ard Biesheuvel <[email protected]>
Cc: Jiewen Yao <[email protected]>
Cc: Gerd Hoffmann <[email protected]>
Co-authored-by: James Bottomley <[email protected]>
Signed-off-by: Claudio Carvalho <[email protected]>
Signed-off-by: Oliver Steffen <[email protected]>
Some of the functions implemented in Tpm2Ptp.c are forward declared in a couple of places. To clean this up, introduce a header that contains these declarations in a central place and use it instead.

Signed-off-by: Oliver Steffen <[email protected]>
SEV-SNP provides a feature known as VM Privilege Level (VMPL), which allows for services to be run in the guest at different privilege levels. By running at VMPL0 (most privileged VM level), the SVSM can be used to provide privileged services, e.g. a virtual TPM, for the guest rather than trust such services from the hypervisor.

This patch adds a DTpm driver to communicate with a virtual TPM running in the SVSM. The driver follows the vTPM protocol documented in the SVSM specification.

SVSM vTPM functionality is available as new device and instance libraries, which can be consumed optionally, keeping changes to the regular TPM implementation minimal.

Cc: Jiewen Yao <[email protected]>
Co-authored-by: James Bottomley <[email protected]>
Signed-off-by: Claudio Carvalho <[email protected]>
Signed-off-by: Oliver Steffen <[email protected]>
Switch over to Tpm2InstanceLibDTpmSvsm as the Tpm2 implementation to support vTPMs provided by an SVSM.

Signed-off-by: Oliver Steffen <[email protected]>
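The commit messages above name the pieces of the guest-to-SVSM vTPM path (protocol-id 2, call-ids 0 and 1, MSSIM commands carried in a shared buffer) without showing what the guest actually assembles. The following is an added example written for this page; it is not code from this PR, from edk2 or from the SVSM. It encodes the SVSM call word, inspects the SVSM_VTPM_QUERY bitmap, builds the TPM_SEND_COMMAND request buffer for SVSM_VTPM_CMD, and validates the response the SVSM writes back. The TPM_SEND_COMMAND request/response layout is taken from AMD publication 58019, not from this page. The VMGEXIT that hands control to VMPL0 is replaced by a constructed stand-in (ex_fake_svsm) that answers a TPM2_GetRandom with fixed bytes, so the code runs on an ordinary host; all ex_* names are made up for this example and are not the driver's identifiers.

```c
/*
 * Added example, not code from this PR or from edk2.  Guest-side helpers for
 * the SVSM vTPM protocol (protocol-id 2).  The real transport is a VMGEXIT to
 * the SVSM at VMPL0; ex_fake_svsm() stands in for it here (constructed data).
 * Numbers and buffer layouts follow AMD publication 58019; ex_* names are
 * invented for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EX_SVSM_VTPM_PROTOCOL     2u      /* protocol-id 2 */
#define EX_SVSM_VTPM_QUERY        0u      /* call-id 0 */
#define EX_SVSM_VTPM_CMD          1u      /* call-id 1 */
#define EX_MSSIM_TPM_SEND_COMMAND 8u      /* MSSIM platform command */
#define EX_TPM_CC_GETRANDOM       0x017Bu /* TPM2 command code */

static void     ex_put_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint32_t ex_get_le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void     ex_put_be32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (24 - 8 * i)); }
static uint32_t ex_get_be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }
static uint32_t ex_get_be16(const uint8_t *p) { return (uint32_t)p[0] << 8 | p[1]; }

/* RAX for an SVSM call: protocol number in bits 63:32, call id in bits 31:0. */
static uint64_t ex_svsm_call_word(uint32_t protocol, uint32_t call)
{
    return ((uint64_t)protocol << 32) | call;
}

/* SVSM_VTPM_QUERY returns in RCX a bitmap of supported MSSIM commands (bit n = command n). */
static int ex_vtpm_query_supports(uint64_t rcx_out, unsigned cmd)
{
    return cmd < 64 && ((rcx_out >> cmd) & 1u);
}

/*
 * SVSM_VTPM_CMD buffer for TPM_SEND_COMMAND (packed little-endian fields):
 *   u32 command=8 | u8 locality | u32 inbuf_size | u8 inbuf[inbuf_size]
 * The SVSM overwrites the same buffer with: u32 outbuf_size | u8 outbuf[]
 * Returns the number of bytes written, or 0 if the TPM command does not fit.
 */
static size_t ex_vtpm_build_send_command(uint8_t *buf, size_t buf_len, uint8_t locality,
                                         const uint8_t *tpm_cmd, uint32_t cmd_len)
{
    if (buf_len < 9 || cmd_len > buf_len - 9) return 0;
    ex_put_le32(buf, EX_MSSIM_TPM_SEND_COMMAND);
    buf[4] = locality;
    ex_put_le32(buf + 5, cmd_len);
    memcpy(buf + 9, tpm_cmd, cmd_len);
    return 9 + (size_t)cmd_len;
}

/*
 * Validate what the SVSM left in the shared buffer before using it: outbuf_size
 * must fit the buffer and must agree with the TPM2 header's own big-endian
 * size field.  Returns the TPM response length, or 0 on a malformed response.
 */
static uint32_t ex_vtpm_parse_response(const uint8_t *buf, size_t buf_len, const uint8_t **tpm_resp)
{
    if (buf_len < 4) return 0;
    uint32_t out_size = ex_get_le32(buf);
    if (out_size < 10 || out_size > buf_len - 4) return 0;  /* tag(2)+size(4)+rc(4) minimum */
    if (ex_get_be32(buf + 4 + 2) != out_size) return 0;     /* TPM2 responseSize mismatch */
    *tpm_resp = buf + 4;
    return out_size;
}

/* Constructed stand-in for the SVSM: answers TPM2_GetRandom with fixed bytes. 0 = SVSM_SUCCESS. */
static uint64_t ex_fake_svsm(uint64_t rax, uint8_t *buf, size_t buf_len)
{
    if (rax != ex_svsm_call_word(EX_SVSM_VTPM_PROTOCOL, EX_SVSM_VTPM_CMD)) return 1;
    if (buf_len < 9 || ex_get_le32(buf) != EX_MSSIM_TPM_SEND_COMMAND) return 1;
    uint32_t in_size = ex_get_le32(buf + 5);
    const uint8_t *cmd = buf + 9;
    if (in_size != 12 || in_size > buf_len - 9 || ex_get_be32(cmd + 6) != EX_TPM_CC_GETRANDOM) return 1;
    uint32_t n = ex_get_be16(cmd + 10), out_size = 10 + 2 + n;
    if (n > 32 || out_size > buf_len - 4) return 1;
    uint8_t resp[4 + 10 + 2 + 32];
    ex_put_le32(resp, out_size);                 /* outbuf_size */
    resp[4] = 0x80; resp[5] = 0x01;              /* TPM_ST_NO_SESSIONS */
    ex_put_be32(resp + 6, out_size);             /* responseSize */
    ex_put_be32(resp + 10, 0);                   /* TPM_RC_SUCCESS */
    resp[14] = (uint8_t)(n >> 8); resp[15] = (uint8_t)n;                  /* TPM2B size */
    for (uint32_t i = 0; i < n; i++) resp[16 + i] = (uint8_t)(0xA0 + i); /* constructed, not random */
    memcpy(buf, resp, 4 + out_size);
    return 0;
}

/* End to end: TPM2_GetRandom(n) over SVSM_VTPM_CMD; returns bytes copied to out, 0 on failure. */
static uint32_t ex_vtpm_get_random(uint8_t *out, uint32_t n)
{
    uint8_t cmd[12], buf[4096];                  /* one page, as the protocol's command buffer */
    cmd[0] = 0x80; cmd[1] = 0x01;                /* TPM_ST_NO_SESSIONS */
    ex_put_be32(cmd + 2, 12);                    /* commandSize */
    ex_put_be32(cmd + 6, EX_TPM_CC_GETRANDOM);
    cmd[10] = (uint8_t)(n >> 8); cmd[11] = (uint8_t)n;
    if (!ex_vtpm_build_send_command(buf, sizeof buf, 0, cmd, sizeof cmd)) return 0;
    if (ex_fake_svsm(ex_svsm_call_word(EX_SVSM_VTPM_PROTOCOL, EX_SVSM_VTPM_CMD), buf, sizeof buf)) return 0;
    const uint8_t *resp;
    uint32_t len = ex_vtpm_parse_response(buf, sizeof buf, &resp);
    if (len < 12 || ex_get_be32(resp + 6) != 0) return 0;   /* require TPM_RC_SUCCESS */
    uint32_t got = ex_get_be16(resp + 10);
    if (got > len - 12 || got > n) return 0;
    memcpy(out, resp + 12, got);
    return got;
}

int main(void)
{
    uint8_t out[32];
    uint32_t got = ex_vtpm_get_random(out, 8);
    printf("vTPM GetRandom returned %u bytes\n", got);
    return got == 8 ? 0 : 1;
}
```

In a real driver the buffer passed in RCX is a page the SVSM can reach, and the call itself is a VMGEXIT with the SVSM call word in RAX; the checks in ex_vtpm_parse_response are the part to keep, since a driver that trusts outbuf_size as copied from the shared buffer would read past the page on a bad response even though the SVSM is the more privileged side.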
stefano-garzarella approved these changes on Dec 18, 2024
@osteffenrh great, thanks!
Just tested with all other components and vTPM is working as expected now!
Pull in the current state of the upstream PR for the vTPM support in EDK2.
This is still WIP since there are open comments, but it should work fine with the regular OVMF build as described in the Coconut documentation.