Thread: 24 messages, 8 authors, 2019-09-06

Re: TPM 2.0 Linux sysfs interface

From: Petr Vorel <pvorel@suse.cz>
Date: 2019-08-28 17:15:48

Hi Mimi, Piotr,

> [Cc'ing Petr Vorel]

Thanks Mimi.

> Hi Piotr,
>
> On Tue, 2019-08-27 at 01:24 +0200, Piotr Król wrote:
> > Hi all,
> >
> > I'm moving here the discussion that I started with Jarkko and Peter on LinkedIn.
> >
> > I'm preparing for 2 talks during LPC 2019 System Boot MC and one of them
> > will discuss TPM 2.0 sysfs support [1]. This was discussed a couple of times
> > [2] and Jarkko explained why it is not done yet [3].
> >
> > Why is this important?
> > - there seems to be no default method to distinguish whether we are dealing with
> > TPM 1.2 or 2.0 in the system.
>
> Agreed, this affects both the LTP IMA tests and the ima-evm-utils package,
> which need to support both TPM 1.2 and 2.0 for the foreseeable future.
> The LTP IMA tests check different sysfs files to determine if it is
> TPM 1.2 or TPM 2.0 (e.g. /sys/class/tpm/tpm0/device/description,
> /sys/class/tpm/tpm0/device/pcrs and /sys/class/misc/tpm0/device/pcrs),
> but the "description" file is not defined by all TPM 2.0's.  It
> shouldn't be that difficult to define a single common sysfs file.

+1. I'd appreciate having a simple /sys/class/tpm/tpm0/version file.

> > - distros use various tools to detect TPM based on sysfs (e.g. Qubes OS
> > scripts)
> > - tpm2-software has a ton of dependencies, is not easy to build,
> > development is way faster than distros can manage and packages are often
> > out of date or even broken, so using it can be troublesome
> > - for deeply embedded systems adding fully-featured tpm2-software
> > doesn't make sense, e.g. if we just need PCR values
> >
> > Jarkko's comment on detecting 1.2 vs 2.0:
> > "Detecting TPM 2.0 is dead easy: send any idempotent TPM 2.0 command and
> > check if the tag field matches 0x8002 (TPM_NO_SESSIONS). The sysfs
> > features for TPM 1.2 are for the large part useless as you can get the
> > same data by using TPM commands."
> >
> > Ok, but doesn't this mean I need a TPM2 software stack?
> > Peter mentioned that it can be tricky to invoke such tools early in the boot
> > process.
>
> ima-evm-utils now uses the TPM 2.0 TSS [1] to read the PCRs.  I haven't
> tried using it during boot, but I don't foresee a problem. I guess it
> depends on how early you need to read the PCRs.

I'd prefer using a library instead of the tsspcrread binary ("tsspcrread -halg sha1
-ha %d -ns 2> /dev/null"; better to link to a shared lib than depend on the presence of
a binary), but looking into the ibmtpm20tss-tss git the functionality is really
provided only in tsspcrread (utils/pcrread.c).
I'd expect it'd be in libibmtss.so.0 or libibmtssutils.so.0, but it's not :(.

> Mimi
>
> [1] https://git.code.sf.net/p/ibmtpm20tss/tss

Kind regards,
Petr
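The tag check Jarkko describes in the quoted text, written out as an added example (editor's code, not from this thread, the kernel or any TSS). It builds one read-only TPM2_GetCapability command, pushes it through the kernel's raw character device and classifies the reply by its header tag, so nothing from tpm2-software is needed, which is the embedded use case Piotr raises. One caveat worth having in front of you: the TPM 2.0 spec assigns 0x8001 to TPM_ST_NO_SESSIONS and 0x8002 to TPM_ST_SESSIONS, so a session-less probe gets 0x8001 back; the code therefore accepts either 0x80xx tag as proof of a 2.0 device, while a TPM 1.2 answers with its own TPM_TAG_RSP_COMMAND (0x00C4) and an error. The device path /dev/tpm0 and the two sample replies at the bottom are assumptions and constructed data, not captures from real hardware.

```c
/* tpm_probe.c: tell TPM 1.2 from TPM 2.0 over /dev/tpm0 without a TSS.
 * Added example, not code from this thread, the kernel or any TSS.
 * A TPM 2.0 answers a session-less command with tag TPM_ST_NO_SESSIONS
 * (0x8001; TPM_ST_SESSIONS is 0x8002); a TPM 1.2 rejects the unknown tag
 * with its own TPM_TAG_RSP_COMMAND (0x00C4) and an error code. */
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define TPM2_ST_NO_SESSIONS      0x8001u
#define TPM2_ST_SESSIONS         0x8002u
#define TPM12_TAG_RSP_COMMAND    0x00C4u
#define TPM2_CC_GETCAPABILITY    0x0000017Au
#define TPM2_CAP_TPM_PROPERTIES  0x00000006u
#define TPM2_PT_FAMILY_INDICATOR 0x00000100u
#define TPM2_FAMILY_20           0x322E3000u /* "2.0\0" */

enum tpm_family { TPM_UNKNOWN = 0, TPM_12 = 12, TPM_20 = 20 };

/* TPM wire format is big-endian throughout. */
static void put_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put_be32(uint8_t *p, uint32_t v) { put_be16(p, (uint16_t)(v >> 16)); put_be16(p + 2, (uint16_t)v); }
static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get_be32(const uint8_t *p) { return ((uint32_t)get_be16(p) << 16) | get_be16(p + 2); }

/* TPM2_GetCapability(TPM_CAP_TPM_PROPERTIES, TPM_PT_FAMILY_INDICATOR, 1) is
 * read-only, so it is a safe probe to fire at a chip of unknown family. */
size_t build_getcap_family(uint8_t out[22])
{
    put_be16(out, (uint16_t)TPM2_ST_NO_SESSIONS);
    put_be32(out + 2, 22);                       /* commandSize */
    put_be32(out + 6, TPM2_CC_GETCAPABILITY);
    put_be32(out + 10, TPM2_CAP_TPM_PROPERTIES);
    put_be32(out + 14, TPM2_PT_FAMILY_INDICATOR);
    put_be32(out + 18, 1);                       /* propertyCount */
    return 22;
}

/* Classify a raw reply by its tag; refuse truncated or inconsistent headers. */
enum tpm_family classify_response(const uint8_t *rsp, size_t len)
{
    if (len < 10) return TPM_UNKNOWN;
    uint32_t size = get_be32(rsp + 2);
    if (size < 10 || size > len) return TPM_UNKNOWN;
    switch (get_be16(rsp)) {
    case TPM2_ST_NO_SESSIONS:
    case TPM2_ST_SESSIONS:      return TPM_20;
    case TPM12_TAG_RSP_COMMAND: return TPM_12;
    default:                    return TPM_UNKNOWN;
    }
}

/* Stronger check: a successful reply carries one TPMS_TAGGED_PROPERTY whose
 * value is the family string "2.0\0". Layout: hdr(10) moreData(1)
 * capability(4) propertyCount(4) property(4) value(4) = 27 bytes. */
int response_has_family_20(const uint8_t *rsp, size_t len)
{
    if (classify_response(rsp, len) != TPM_20 || len < 27) return 0;
    if (get_be32(rsp + 6) != 0) return 0;                       /* responseCode */
    if (get_be32(rsp + 11) != TPM2_CAP_TPM_PROPERTIES) return 0;
    if (get_be32(rsp + 15) < 1) return 0;                       /* propertyCount */
    if (get_be32(rsp + 19) != TPM2_PT_FAMILY_INDICATOR) return 0;
    return get_be32(rsp + 23) == TPM2_FAMILY_20;
}

/* /dev/tpm0 is the kernel's raw character device: write() sends a command,
 * the following read() returns the reply. Needs root or the tss group. */
enum tpm_family probe_device(const char *path)
{
    uint8_t cmd[22], rsp[4096];
    enum tpm_family fam = TPM_UNKNOWN;
    int fd = open(path, O_RDWR);
    if (fd < 0) return TPM_UNKNOWN;
    size_t n = build_getcap_family(cmd);
    if (write(fd, cmd, n) == (ssize_t)n) {
        ssize_t r = read(fd, rsp, sizeof rsp);
        if (r > 0) fam = classify_response(rsp, (size_t)r);
    }
    close(fd);
    return fam;
}

/* Constructed sample replies (not captured from hardware) so the parser can
 * be exercised on a machine without a TPM. */
const uint8_t sample_rsp_tpm20[27] = {
    0x80, 0x01, 0x00, 0x00, 0x00, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00,
    0x32, 0x2E, 0x30, 0x00 };
const uint8_t sample_rsp_tpm12[10] = { 0x00, 0xC4, 0x00, 0x00, 0x00, 0x0A,
                                        0x00, 0x00, 0x00, 0x1E /* TPM_BADTAG */ };

int main(void)
{
    enum tpm_family f = probe_device("/dev/tpm0");
    printf("%s\n", f == TPM_20 ? "TPM 2.0" : f == TPM_12 ? "TPM 1.2" : "no TPM / unknown");
    return f == TPM_UNKNOWN;
}
```

Build with `cc -o tpm_probe tpm_probe.c` and run it as root (or as a member of whatever group owns /dev/tpm0). Opening /dev/tpm0 takes the device exclusively for the duration of the write/read pair, so do not run it while another process holds the node. This is the same probe the kernel driver performs when it binds a chip, which is why later kernels can export the answer from sysfs directly; on those kernels the presence of /dev/tpmrm0, which is only registered for a 2.0 chip, is an even cheaper hint, but the raw-command check above is the one that works on any kernel that exposes /dev/tpm0.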