Enable TPM in uefi #2624
Enable TPM in uefi #2624
Conversation
giggsoff
force-pushed
the
fix-tpm-uefi-support
branch
2 times, most recently
from
013f763 to
fd0982a
Compare
There was a problem hiding this comment.
The qemu parts should be ok, but I don't know the impact of setting the options in pkg/uefi/build.sh - can this have an impact when running on bare metal? @rvs can you take a look?
|
@rvs can you please review this? Without this patch PCRs are not filling when we run EVE-OS in qemu using eve-uefi package. |
|
I've been using the same patch for UEFI for a while and I can confirm it is working |
Makefile
Outdated
| (echo 'set devicetree="(hd0,msdos1)/eve.dtb"' ; echo 'set rootfs_root=/dev/vdb' ; echo 'set root=hd1' ; echo 'export rootfs_root' ; echo 'export devicetree' ; echo 'configfile /EFI/BOOT/grub.cfg' ) > $(EFI_PART)/BOOT/grub.cfg | ||
| $(QEMU_SYSTEM) $(QEMU_OPTS) -drive file=$(ROOTFS_IMG),format=raw -drive file=fat:rw:$(EFI_PART)/..,label=CONFIG,id=uefi-disk,format=vvfat | ||
| $(QUIET): $@: Succeeded | ||
|
|
||
| run-grub: $(BIOS_IMG) $(UBOOT_IMG) $(EFI_PART) $(DEVICETREE_DTB) | ||
| run-grub: $(BIOS_IMG) $(UBOOT_IMG) $(EFI_PART) $(DEVICETREE_DTB) swtpm |
There was a problem hiding this comment.
Wait, why do we need swtpm in all these targets? I say -- let's make it conditional at least.
There was a problem hiding this comment.
Condition is inside swtpm target. I want to run swtpm as part of make TPM=y run... command.
There was a problem hiding this comment.
My point is that it would me much nicer if this followed (some) of the other makefile logic and was a SWTPM variable that would resolve to an empty string conditionally.
I understand that this is highly subjective -- I just absolutely dislike mixing these types of "styles" in Makefile (makefiles are ugly as it is and super convoluted).
To use TPM devices with qemu we should enable support inside uefi Signed-off-by: Petr Fedchenkov <giggsoff@gmail.com>
giggsoff
force-pushed
the
fix-tpm-uefi-support
branch
from
fd0982a to
179af52
Compare
Makefile
Outdated
| (echo 'set devicetree="(hd0,msdos1)/eve.dtb"' ; echo 'set rootfs_root=/dev/vdb' ; echo 'set root=hd1' ; echo 'export rootfs_root' ; echo 'export devicetree' ; echo 'configfile /EFI/BOOT/grub.cfg' ) > $(EFI_PART)/BOOT/grub.cfg | ||
| $(QEMU_SYSTEM) $(QEMU_OPTS) -drive file=$(ROOTFS_IMG),format=raw -drive file=fat:rw:$(EFI_PART)/..,label=CONFIG,id=uefi-disk,format=vvfat | ||
| $(QUIET): $@: Succeeded | ||
|
|
||
| run-grub: $(BIOS_IMG) $(UBOOT_IMG) $(EFI_PART) $(DEVICETREE_DTB) | ||
| run-grub: $(BIOS_IMG) $(UBOOT_IMG) $(EFI_PART) $(DEVICETREE_DTB) swtpm |
There was a problem hiding this comment.
My point is that it would me much nicer if this followed (some) of the other makefile logic and was a SWTPM variable that would resolve to an empty string conditionally.
I understand that this is highly subjective -- I just absolutely dislike mixing these types of "styles" in Makefile (makefiles are ugly as it is and super convoluted).
Makefile
Outdated
| # Use tpm (any non-empty value will trigger using it) | ||
| TPM= |
There was a problem hiding this comment.
Should we document this in the markdown file which has the examples of how to build and run?
Signed-off-by: Petr Fedchenkov <giggsoff@gmail.com>
giggsoff
force-pushed
the
fix-tpm-uefi-support
branch
from
179af52 to
c550d14
Compare
To use TPM devices with qemu (when we use uefi provided by eve-uefi package) we should enable support inside uefi. Right now I can see zero values inside PCRs when I try to use eve-uefi.
Also this PR enables TPM option in Makefile to use swtpm as TPM device for Qemu.
Signed-off-by: Petr Fedchenkov giggsoff@gmail.com