[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH V11 0/5] Qemu Trusted Platform Module (TPM) inte
From: |
Michael S. Tsirkin |
Subject: |
Re: [Qemu-devel] [PATCH V11 0/5] Qemu Trusted Platform Module (TPM) integration |
Date: |
Sun, 2 Oct 2011 13:38:37 +0200 |
User-agent: |
Mutt/1.5.21 (2010-09-15) |
On Wed, Sep 28, 2011 at 09:22:55AM -0400, Stefan Berger wrote:
> The following series of patches adds TPM (Trusted Platform Module) support
> to Qemu. An emulator for the TIS (TPM Interface Spec) interface is
> added that provides the basis for accessing a 'backend' implementing the
> actual
> TPM functionality. The TIS emulator serves as a 'frontend' enabling for
> example Linux's TPM TIS (tpm_tis) driver.
>
> In this series I am posting a backend implementation that makes use of the
> host's TPM through a passthrough driver, which on Linux is accessed
> using /dev/tpm0.
Looks pretty clean, ACK to patches 1-4.
The passthrough mode is quite easy to misuse, though most
of the problem is in the hardware, not on our side.
I'm still trying to think of a good way to warn users
about the pitfalls with that. Disabling by default in configure, unless
explictly required, is certainly one way.
And/or, let's rename it 'assigned' mode to resemble the name of
another fragile qemu feature :) Only half joking ...
>
> v11:
> - applies to checkout of 46f3069 (Sep 28)
> - some filing on the documentation
> - small nits fixed
>
> v10:
> - applies to checkout of 1ce9ce6 (Sep 27)
> - addressed Michael Tsirkin's comments on v9
>
> v9:
> - addressed Michael Tsirkin's and other reviewers' comments
> - only posting Andreas Niederl's passthrough driver as the backend driver
>
> v8:
> - applies to checkout of f0fb8b7 (Aug 30)
> - fixing compilation error pointed out by Andreas Niederl
> - adding patch that allows to feed an initial state into the libtpms TPM
> - following memory API changes (glib) where necessary
>
> v7:
> - applies to checkout of b9c6cbf (Aug 9)
> - measuring the modules if multiboot is used
> - coding style fixes
>
> v6:
> - applies to checkout of 75ef849 (July 2nd)
> - some fixes and improvements to existing patches; see individual patches
> - added a patch with a null driver responding to all TPM requests with
> a response indicating failure; this backend has no dependencies and
> can alwayy be built;
> - added a patch to support the hashing of kernel, ramfs and command line
> if those were passed to Qemu using -kernel, -initrd and -append
> respectively. Measurements are taken, logged, and passed to SeaBIOS using
> the firmware interface.
> - libtpms revision 7 now requires 83kb of block storage due to having more
> NVRAM space
>
> v5:
> - applies to checkout of 1fddfba1
> - adding support for split command line using the -tpmdev ... -device ...
> options while keeping the -tpm option
> - support for querying the device models using -tpm model=?
> - support for monitor 'info tpm'
> - adding documentation of command line options for man page and web page
> - increasing room for ACPI tables that qemu reserves to 128kb (from 64kb)
> - adding (experimental) support for block migration
> - adding (experimental) support for taking measurements when kernel,
> initrd and kernel command line are directly passed to Qemu
>
> v4:
> - applies to checkout of d2d979c6
> - more coding style fixes
> - adding patch for supporting blob encryption (in addition to the existing
> QCoW2-level encryption)
> - this allows for graceful termination of a migration if the target
> is detected to have a wrong key
> - tested with big and little endian hosts
> - main thread releases mutex while checking for work to do on behalf of
> backend
> - introducing file locking (fcntl) on the block layer for serializing access
> to shared (QCoW2) files (used during migration)
>
> v3:
> - Building a null driver at patch 5/8 that responds to all requests
> with an error response; subsequently this driver is transformed to the
> libtpms-based driver for real TPM functionality
> - Reworked the threading; dropped the patch for qemu_thread_join; the
> main thread synchronizing with the TPM thread termination may need
> to write data to the block storage while waiting for the thread to
> terminate; did not previously show a problem but is safer
> - A lot of testing based on recent git checkout 4b4a72e5 (4/10):
> - migration of i686 VM from x86_64 host to i686 host to ppc64 host while
> running tests inside the VM
> - tests with S3 suspend/resume
> - tests with snapshots
> - multiple-hour tests with VM suspend/resume (using virsh save/restore)
> while running a TPM test suite inside the VM
> All tests passed; [not all of them were done on the ppc64 host]
>
> v2:
> - splitting some of the patches into smaller ones for easier review
> - fixes in individual patches
>
> Regards,
> Stefan
>
- Re: [Qemu-devel] [PATCH V11 0/5] Qemu Trusted Platform Module (TPM) integration,
Michael S. Tsirkin <=