Hi

On Sun, Aug 19, 2018 at 9:47 AM 汤福 <tan...@gohighsec.com> wrote:
>
> I tried it according to your method, but I have some problems. My host is
> centos 7.2 with the TPM 2.0 hardware and qemu v2.10.2. The driver for the TPM
> 2.0 hardware is crb device. Execute lsmod to view the tpm 2.0 driver
> information as follows:
> [root@localhost BUILD]# lsmod | grep tpm
> tpm_crb 12972 0
>
> I downloaded the OVMF-20182028-5.noarch.src.rpm package from the rpm search
> website. And rebuild it with -DTPM2_ENABLE and -DSECURE_BOOT_ENABLE. Rebuild
> everything well and generate the OVMF.fd and OVMF_ARGS.fd file, so I copy
> OVMF.fd to my qemu-kvm project and start qemu to install windows 10 virtual
> machine.
>
> I first created a blank img file named win10.img, and install win10 virtual
> machine as follows:
> [root@localhost BUILD]#qemu-system-x86_64 -display sdl -enable-kvm -m 4096
> -boot d -cdrom win10.iso -bios OVMF.fd -net none -boot menu=on -tpmdev
> cuse-tpm,id=tpm0,cancel-path=/dev/null,type=passthrough,path=/dev/tpm0
> -device tpm-tis,tpmdev=tpm0 win10.img

cuse-tpm doesn't exist in qemu upstream. You are using TPM passthrough
here, not vTPM.

I suggest you try with qemu upstream and read the TPM document
(replacing seabios with ovmf like you did, and tis with crb etc), in
complement with
https://github.com/stefanberger/swtpm/wiki/Certificiates-created-by-swtpm_setup :

https://git.qemu.org/?p=qemu.git;a=blob_plain;f=docs/specs/tpm.txt

>
> The installation process is very very slow, the system automatically restarts
> after the installation is complete. But it seems can't enter the desktop. The
> system restarts cyclically, it looks like there is a problem with BIOS boot.
> I think of what you said that for Windows TPM 2 support will need the TPM
> CRB device, so I start qemu with parameter of -device tpm-crb but it didn't
> work. Prompt the following error message:
> [root@localhost BUILD]#qemu-system-x86_64 -display sdl -enable-kvm -m 4096
> -boot d -bios OVMF.fd -net none -boot menu=on -tpmdev
> cuse-tpm,id=tpm0,cancel-path=/dev/null,type=passthrough,path=/dev/tpm0
> -device tpm-crb,tpmdev=tpm0 win10.img
> [root@localhost BUILD]#qemu-system-x86_64: -device tpm-crb,tpmdev=tpm0:
> 'tpm-crb' is not a valid device model name
>
> I don't know where the problem is, I need you to give me some help. Thank you
> very much!
>
>
> > -----Original Message-----
> > From: "Marc-André Lureau" <marcandre.lur...@gmail.com>
> > Sent: 2018-08-16 16:56:52 (Thursday)
> > To: tan...@gohighsec.com
> > Cc: QEMU <qemu-devel@nongnu.org>
> > Subject: Re: [Qemu-devel] vTPM 2.0 is recognized as vTPM 1.2 on the Win 10
> > virtual machine
> >
> > Hi
> > On Thu, Aug 16, 2018 at 3:29 AM 汤福 <tan...@gohighsec.com> wrote:
> > >
> > > Hi,
> > >
> > > I want to use the vTPM in a qemu Windows image. Unfortunately, it didn't
> > > work.
> > > First, the equipment:
> > > TPM 2.0 hardware
> > > CentOS 7.2
> > > Qemu v2.10.2
> > > SeaBIOS 1.11.0
> > > libtpm and so on
> > >
> > > My host is centos 7.2 with the TPM 2.0 hardware and qemu v2.10.2.
> > > I make the libtpm and seabios with ./configure, make and so on. I checked
> > > seabios with make menuconfig the TPM setting. It is enabled tpm by
> > > default.
> > > Eventually, all works without errors.
> > >
> > > I start the Windows 10 image with:
> > > qemu-system-x86_64 -display sdl -enable-kvm -m 2048 -boot d -bios
> > > bios.bin -boot menu=on -tpmdev
> > > cuse-tpm,id=tpm0,cancel-path=/dev/null,type=passthrough,path=/dev/tpm0
> > > -device tpm-tis,tpmdev=tpm0 win10.img
> > >
> > >
> > > First it looks all fine. Windows 10 booted up but the vTPM was recognized
> > > as TPM 1.2 instead of TPM 2.0 in device manager. I open the tpm Manager
> > > with tpm.msc but get error with No compatible TPM found.
> > > If I use vTPM in a qemu linux image, everything goes well. I think of
> > > what you said
> > >
> > >
> > > So, what could be the problem?
> >
> > You need to build libtpms & swtpm from Stefan tpm2-preview branches.
> > (Alternatively, there is now an experimental fedora copr repository:
> > https://copr.fedorainfracloud.org/coprs/stefanberger/swtpm/)
> >
> > I suggest to setup the VM with libvirt upstream, which will do the
> > preliminary swtpm_setup for you, or follow
> > https://github.com/stefanberger/swtpm/wiki/Certificiates-created-by-swtpm_setup
> >
> > For Windows TPM 2 support, you will need the TPM CRB device, and
> > upstream OVMF compiled with -D TPM2_ENABLE (TIS & Bios are 1.2 only
> > for Windows, even if seabios does have some 2.0 support with them)
> >
> > Furthermore, to pass the WLK tests, you need PPI & MOR interface,
> > which are still pending merge ([PATCH v9 0/6] Add support for TPM
> > Physical Presence interface)
> >
> >
> > --
> > Marc-André Lureau

--
Marc-André Lureau
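
The distinction drawn in the reply above (passthrough versus an emulated vTPM, and TIS versus CRB for Windows TPM 2.0) can be checked mechanically on a QEMU command line. The script below is an added example, not part of the thread or of QEMU; the function names and output fields are hypothetical, and `emulator` is the upstream QEMU backend name used with swtpm. Whether OVMF was built with TPM2_ENABLE is not visible on the command line and is not checked.

```shell
#!/bin/sh
# Added example, not from the thread: report which TPM backend and frontend
# a QEMU command line selects. Function and field names are hypothetical.

# opt_value OPT PATTERN ARGS...: print the first value of OPT matching PATTERN.
opt_value() {
    opt=$1; pat=$2; shift 2
    while [ $# -gt 1 ]; do
        if [ "$1" = "$opt" ]; then
            case $2 in $pat) printf '%s\n' "$2"; return 0 ;; esac
        fi
        shift
    done
    return 1
}

# check_tpm_args ARGS...: print backend=, frontend=, vtpm=, win_tpm2= fields.
check_tpm_args() {
    tpmdev=$(opt_value -tpmdev '*' "$@") || tpmdev=
    device=$(opt_value -device 'tpm-*' "$@") || device=
    case $tpmdev in
        '') backend=none ;;
        emulator,*) backend=emulator ;;      # swtpm reached over a chardev
        passthrough,*|*,type=passthrough|*,type=passthrough,*)
            backend=passthrough ;;           # host TPM device, not a vTPM
        *) backend=unknown ;;
    esac
    frontend=${device%%,*}
    [ -n "$frontend" ] || frontend=none
    vtpm=no
    if [ "$backend" = emulator ]; then vtpm=yes; fi
    # Per the reply: TIS is 1.2 only for Windows, TPM 2 needs the CRB device.
    win_tpm2=no
    if [ "$frontend" = tpm-crb ]; then win_tpm2=yes; fi
    printf 'backend=%s frontend=%s vtpm=%s win_tpm2=%s\n' \
        "$backend" "$frontend" "$vtpm" "$win_tpm2"
}

# Demo on the command line quoted in the thread (shortened to the TPM options).
check_tpm_args qemu-system-x86_64 -bios OVMF.fd -tpmdev \
    cuse-tpm,id=tpm0,cancel-path=/dev/null,type=passthrough,path=/dev/tpm0 \
    -device tpm-tis,tpmdev=tpm0 win10.img
```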