On Wednesday 29 August 2018 at 10:00:39 EEST Sandro Bonazzola wrote:
> 2018-08-28 13:52 GMT+02:00 Dag Nygren <dag at newtech.fi>:
>
> > We have a desperate need for TPM support and:
> >
> > 1. Tried the "standard" distro install. libvirt supports
> > TPM passthrough but kvm-qemu barfs:
> > "unsupported configuration: The QEMU executable /usr/libexec/qemu-kvm
> > does not support TPM backend type passthrough"
> >
> > 2. Then activated the qemu-ev repo and updated qemu-kvm to version 2.10.0,
> > which for sure should support at least passthrough. No luck - Same error message.
> > Downloaded the source for the rpm and found a line: "--disable-tpm"
> > in build_configure.sh. Guess that the maintainers have some reason
> > to turn tpm off. Can someone confirm this?
> >
>
> Not sure about reasons for turning off, but request to enable it has been
> closed wontfix: https://bugzilla.redhat.com/show_bug.cgi?id=1327947

Thanks for the comments and reactions so far!

Well. Changed -disable-tpm to enable-tpm in the rpmbuild and
built myself a version with TPM passthrough enabled. Just to find
out that it only supports tpm_tis in 2.10.0 and our device
only seems to speak tpm_cdr :-(. Bugger.. But we really do need multiple
VMs accessing the hardware TPM anyway and this would only give us
one VM ...

Also downloaded qemu 2.12.0 and tried to very optimistically just
throw it in the rpmbuild. And got a heap of patch fails already
at the first patch. Expected of course... So no such luck.

Now looking further it also seems like even 2.12.0 will not solve
our problem as it only gives multiple VM access to the swtpm emulator.
We need access to the hardware TPM...

Can you make swtpm use the hardware?

Any advice would/will be valuable!

Best
Dag
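A pre-flight check for the two failure points in the message above (a qemu-kvm built with --disable-tpm, and a host TPM whose interface does not match the guest device model), added here as an example; it is not from the thread and not code from the QEMU or libvirt projects. It assumes the QEMU binary path is given in QEMU_BIN and the host TPM is /dev/tpm0, and that the kernel exposes the bound driver under /sys/class/tpm/<name>/device/driver.

```shell
#!/bin/sh
# Added example, not from the thread: check a QEMU build for TPM backend
# support and identify the driver behind the host TPM before defining a
# libvirt <tpm> passthrough device. Assumed: QEMU_BIN points at the
# binary, the host TPM is /dev/tpm0.

# Parse a "-tpmdev help" listing read on stdin and print one backend name
# per line. QEMU prints "Supported TPM types (choose only one):" followed
# by "<name>   <description>" lines; a build configured with --disable-tpm
# prints no such list, so nothing comes out.
parse_tpm_backends() {
    awk '/^Supported TPM types/ { found = 1; next }
         found && NF            { print $1 }'
}

# Ask a QEMU binary which TPM backends it was built with.
qemu_tpm_backends() {
    "$1" -tpmdev help 2>&1 | parse_tpm_backends
}

# Return 0 when the listing on stdin contains the named backend.
has_tpm_backend() {
    parse_tpm_backends | grep -qx "$1"
}

# Print the kernel driver bound to the host TPM (tpm_tis, tpm_crb, ...),
# which is what decides whether the part is a TIS or CRB device.
# Sysfs layout is an assumption about the kernel's tpm class device.
host_tpm_driver() {
    dev="${1:-/dev/tpm0}"
    name=$(basename "$dev")
    [ -c "$dev" ] || return 1
    basename "$(readlink -f "/sys/class/tpm/$name/device/driver")"
}

# Report on a real host when QEMU_BIN is set; the functions above are
# what gets exercised in a test.
if [ -n "${QEMU_BIN:-}" ]; then
    if qemu_tpm_backends "$QEMU_BIN" | grep -qx passthrough; then
        echo "$QEMU_BIN: passthrough backend available"
    else
        echo "$QEMU_BIN: no passthrough backend (built with --disable-tpm?)"
    fi
    echo "host TPM driver: $(host_tpm_driver /dev/tpm0 || echo none)"
fi
```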
On 08/29/2018 07:38 AM, Dag Nygren wrote:
> Thanks for the comments and reactions so far!
>
> Well. Changed -disable-tpm to enable-tpm in the rpmbuild and
> built myself a version with TPM passthrough enabled. Just to find
> out that it only supports tpm_tis in 2.10.0 and our device
> only seems to speak tpm_cdr :-(. Bugger.. But we really do need multiple
> VMs accessing the hardware TPM anyway and this would only give us
> one VM ...
>
> Also downloaded qemu 2.12.0 and tried to very optimistically just
> throw it in the rpmbuild. And got a heap of patch fails already
> at the first patch. Expected of course... So no such luck.
>
> Now looking further it also seems like even 2.12.0 will not solve
> our problem as it only gives multiple VM access to the swtpm emulator.
> We need access to the hardware TPM...
>
> Can you make swtpm use the hardware?
>
> Any advice would/will be valuable!

You could try using Xen.
A quick search implies that Xen from 4.3 onward will virtualize TPM.
I am not sure if the libvirt drivers for Xen will support the feature
but some workaround may be possible.

--
Alvin Starr                ||   land: (905)513-7688
Netvel Inc.                ||   Cell: (416)806-0133
alvin at netvel.net        ||
On Wednesday 29 August 2018 at 15:37:47 EEST Alvin Starr wrote:
> You could try using Xen.
> A quick search implies that Xen from 4.3 onward will virtualize TPM.
> I am not sure if the libvirt drivers for Xen will support the feature
> but some workaround may be possible.

Thanks! Seems to be exactly what is needed.
The problem here is that we have invested a lot of work and money in a
QEMU solution already and have everything else working smoothly...
The client just recently figured out that they will need TPM so nobody
looked for it until now.
But I will look into this!

Best
Dag
On Wednesday 29 August 2018 at 15:37:47 EEST Alvin Starr wrote:
> You could try using Xen.
> A quick search implies that Xen from 4.3 onward will virtualize TPM.
> I am not sure if the libvirt drivers for Xen will support the feature
> but some workaround may be possible.

Nice attitude and helpfulness in this list!

Just had a look and it doesn't seem to be that intrusive a change going
from QEMU to Xen. pacemaker, corosync and libvirt all seem to isolate the
engine and most settings should work as is.

Anyone here with experience in transitioning QEMU -> Xen?

Best
Dag