On 08/29/2018 07:38 AM, Dag Nygren wrote:
> On Wednesday 29 August 2018 at 10:00:39 EEST Sandro Bonazzola wrote:
>> 2018-08-28 13:52 GMT+02:00 Dag Nygren <dag at newtech.fi>:
>>
>>> We have a desperate need for TPM support and:
>>>
>>> 1. Tried the "standard" distro install. libvirt supports
>>> TPM passthrough but kvm-qemu barfs:
>>> "unsupported configuration: The QEMU executable /usr/libexec/qemu-kvm
>>> does not support TPM backend type passthrough"
>>>
>>> 2. Then activated the qemu-ev repo and updated qemu-kvm to version 2.10.0,
>>> which for sure
>>> should support at least passthrough. No luck - Same error message.
>>> Downloaded the source for the rpm and found a line: "--disable-tpm"
>>> in build_configure.sh. Guess that the maintainers have some reason
>>> to turn tpm off. Can someone confirm this?
>>>
>> Not sure about reasons for turning off, but request to enable it has been
>> closed wontfix: https://bugzilla.redhat.com/show_bug.cgi?id=1327947
> Thanks for the comments and reactions so far!
>
> Well. Changed -disable-tpm to enable-tpm in the rpmbuild and
> built myself a version with TPM passthrough enabled. Just to find
> out that it only supports tpm_tis in 2.10.0 and our device
> only seems to speak tpm_cdr :-(. Bugger.. But we really do need multiple
> VM:s accessing the hardware TPM anyway and this would only give us
> one VM ...
>
> Also downloaded qemu 2.12.0 and tried to very optimistically just
> throw it in the rpmbuild. And got a heap of patch fails already
> at the first patch. Expected of course... So no such luck.
>
> Now looking further it also seems like even 2.12.0 will not solve
> our problem as it only gives multiple VM access to the swtpm emulator.
> We need access to the hardware TPM...
>
> Can you make swtpm use the hardware ?
>
> Any advice would/will be valuable!
>

You could try using Xen.
A quick search implies that Xen from 4.3 onward will virtualize TPM.
I am not sure if the libvirt drivers for Xen will support the feature but some workaround may be possible.

--
Alvin Starr          ||   land:  (905)513-7688
Netvel Inc.          ||   Cell:  (416)806-0133
alvin at netvel.net  ||