Fix support for TPM on Q35 (#633)

## Description Fixes issue related to enabling TPM for QEMU Q35. - [x] Impacts functionality? - [ ] Impacts security? - [ ] Breaking change? - [ ] Includes tests? - [ ] Includes documentation? ## How This Was Tested Locally tested with Windows boot. ## Integration Instructions N/A
2023-07-18 17:51:20 -07:00 · 2023-07-18 17:51:20 -07:00 · 7b1bfe2b24
--- a/Platforms/Docs/Q35/Features/feature_tpm.md
+++ b/Platforms/Docs/Q35/Features/feature_tpm.md
@ -0,0 +1,43 @@
+# TPM Emulation
+
+For more information on QEMU tpm, see the [QEMU TPM Documentation](https://www.qemu.org/docs/master/specs/tpm.html#the-qemu-tpm-emulator-device).
+
+The QEMU TPM relies on a seperate program to emulate the TPM. Currently, this is
+only supported on Linux using the [swtpm program](https://github.com/stefanberger/swtpm).
+Swtpm can be installed from the linux package managers.
+
+```bash
+sudo apt-get install swtpm
+```
+
+To start the TPM emulator, invoke swtpm with a state file location and character
+device.
+
+```bash
+mkdir /tmp/mytpm1
+swtpm socket --tpmstate dir=/tmp/mytpm1 \
+  --ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \
+  --tpm2 \
+  --log level=20
+```
+
+To run Q35 using this TPM, build and run with the following options. `TPM_DEV` should
+point to the path of the character device from the above swtpm command.
+
+```bash
+stuart_build -c Platforms/QemuQ35Pkg/PlatformBuild.py --flashrom TOOL_CHAIN_TAG=GCC5 BLD_*_TPM_ENABLE=TRUE TPM_DEV=/tmp/mytpm1/swtpm-sock
+```
+
+In the window running swtpm, there should be output from the TPM communication.
+
+```txt
+Ctrl Cmd: length 4
+00 00 00 10
+Ctrl Rsp: length 4
+00 00 00 00
+SWTPM_IO_Read: length 10
+80 01 00 00 00 0A 00 00 01 81
+SWTPM_IO_Write: length 10
+80 01 00 00 00 0A 00 00 01 01
+...
+```
--- a/Platforms/QemuQ35Pkg/Plugins/QemuRunner/QemuRunner.py
+++ b/Platforms/QemuQ35Pkg/Plugins/QemuRunner/QemuRunner.py
@ -93,7 +93,7 @@ class QemuRunner(uefi_helper_plugin.IUefiHelperPlugin):
            args += " -m 8192"

            file_extension = Path(path_to_os).suffix.lower().replace('"', '')
-            
+
            storage_rule = {
                ".vhd": f" -drive format=raw,index=0,media=disk,file=\"{path_to_os}\"",
                ".qcow2": f" -hda \"{path_to_os}\""
@ -101,7 +101,7 @@ class QemuRunner(uefi_helper_plugin.IUefiHelperPlugin):

            if storage_rule is None:
                raise Exception("Unknown OS storage type: " + path_to_os)
-            
+
            args += storage_rule
        else:
            args += " -m 2048"
@ -179,6 +179,13 @@ class QemuRunner(uefi_helper_plugin.IUefiHelperPlugin):
        args += " -smbios type=1,manufacturer=Palindrome,product=MuQemuQ35,serial=42-42-42-42,uuid=9de555c0-05d7-4aa1-84ab-bb511e3a8bef"
        args += f" -smbios type=3,manufacturer=Palindrome,serial=40-41-42-43{boot_selection}"

+        # TPM in Linux
+        tpm_dev = env.GetValue("TPM_DEV")
+        if tpm_dev is not None:
+            args += f" -chardev socket,id=chrtpm,path={tpm_dev}"
+            args += " -tpmdev emulator,id=tpm0,chardev=chrtpm"
+            args += " -device tpm-tis,tpmdev=tpm0"
+
        if (env.GetValue("QEMU_HEADLESS").upper() == "TRUE"):
            args += " -display none"  # no graphics
        else:
--- a/Platforms/QemuQ35Pkg/QemuQ35Pkg.dsc
+++ b/Platforms/QemuQ35Pkg/QemuQ35Pkg.dsc
@ -30,7 +30,9 @@
  # -D FLAG=VALUE
  #
  DEFINE SOURCE_DEBUG_ENABLE            = FALSE
+!ifndef TPM_ENABLE
  DEFINE TPM_ENABLE                     = FALSE
+!endif
  DEFINE TPM_CONFIG_ENABLE              = FALSE
  DEFINE OPT_INTO_MFCI_PRE_PRODUCTION   = TRUE
  DEFINE BUILD_UNIT_TESTS               = TRUE
@ -445,7 +447,7 @@
  Tpm12DeviceLib             |SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
  Tpm2DeviceLib              |SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
  SourceDebugEnabledLib      |SourceLevelDebugPkg/Library/SourceDebugEnabled/SourceDebugEnabledLib.inf
-  Tcg2PreUefiEventLogLib     |SecurityPkg/Library/QemuQ35PkgPreUefiEventLogLib/QemuQ35PkgPreUefiEventLogLib.inf ## BRET - Do we have a null instance
+  Tcg2PreUefiEventLogLib     |QemuPkg/Library/QemuPreUefiEventLogLibNull/QemuPreUefiEventLogLibNull.inf
 !endif

 [LibraryClasses.X64.PEIM]
@ -855,6 +857,9 @@
  gUefiQemuQ35PkgTokenSpaceGuid.PcdPciMmio64Base|0x0
  gUefiQemuQ35PkgTokenSpaceGuid.PcdPciMmio64Size|0x800000000

+  # Limit to SHA256 for now.
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0x00002
+
  gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0

  gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut|0
@ -973,7 +978,6 @@

 !if $(TPM_ENABLE) == TRUE
  QemuPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
-  SecurityPkg/Tcg/TcgPei/TcgPei.inf
  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
    <LibraryClasses>
      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
@ -1469,10 +1473,6 @@
      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
  }
-  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
-    <LibraryClasses>
-      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
-  }
 !endif
 !if $(TPM_CONFIG_ENABLE) == TRUE AND $(TPM_ENABLE) == TRUE
  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
--- a/Platforms/QemuQ35Pkg/QemuQ35Pkg.fdf
+++ b/Platforms/QemuQ35Pkg/QemuQ35Pkg.fdf
@ -250,7 +250,6 @@ INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf

 !if $(TPM_ENABLE) == TRUE
 INF  QemuPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
-INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
 INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
 !endif

@ -476,7 +475,6 @@ INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
 # TPM support
 #
 !if $(TPM_ENABLE) == TRUE
-INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
 INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
 !if $(TPM_CONFIG_ENABLE) == TRUE
 INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
--- a/QemuPkg/Library/QemuPreUefiEventLogLibNull/QemuPreUefiEventLogLibNull.c
+++ b/QemuPkg/Library/QemuPreUefiEventLogLibNull/QemuPreUefiEventLogLibNull.c
@ -0,0 +1,20 @@
+/** @file
+  NULL implementation of PreUefiEventLogLib for QEMU.
+
+  Copyright (c) Microsoft Corporation
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Library/DebugLib.h>
+
+/**
+  Create the event log entries, Nothing to do for QEMU.
+**/
+VOID
+CreateTcg2PreUefiEventLogEntries (
+  VOID
+  )
+{
+  return;
+}
--- a/QemuPkg/Library/QemuPreUefiEventLogLibNull/QemuPreUefiEventLogLibNull.inf
+++ b/QemuPkg/Library/QemuPreUefiEventLogLibNull/QemuPreUefiEventLogLibNull.inf
@ -0,0 +1,22 @@
+## @file
+#  NULL PreUefiEventLogLibNull library instance for QEMU
+#
+# Copyright (c) Microsoft Corporation
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = QemuPreUefiEventLogLibNull
+  FILE_GUID                      = A3E24CE0-4E7D-4164-9A5B-90DFBE2F5744
+  MODULE_TYPE                    = BASE
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = Tcg2PreUefiEventLogLib
+
+[Sources]
+  QemuPreUefiEventLogLibNull.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  SecurityPkg/SecurityPkg.dec
--- a/QemuPkg/QemuPkg.dsc
+++ b/QemuPkg/QemuPkg.dsc
@ -146,6 +146,7 @@
  QemuPkg/Library/UefiPciCapPciIoLib/UefiPciCapPciIoLib.inf
  QemuPkg/Library/VirtioLib/VirtioLib.inf
  QemuPkg/Library/QemuFwCfgLib/QemuFwCfgLibNull.inf
+  QemuPkg/Library/QemuPreUefiEventLogLibNull/QemuPreUefiEventLogLibNull.inf
  QemuPkg/Library/XenPlatformLib/XenPlatformLib.inf
  QemuPkg/FrontPageButtons/FrontPageButtons.inf
  QemuPkg/PciHotPlugInitDxe/PciHotPlugInit.inf