I have a setup with Ubuntu 20.04 "focal" x86_64 running in a QEMU based VM.
I've upgraded the default kernel to 5.8.15, mainly to leverage the patch noted below
(bottom of message). My understanding (please correct me if I'm off) is that it would
allow a userspace application (i.e. "tpm2_eventlog") to access the TPM2 event
log once the OS has fully booted. The QEMU instance itself connects to a Unix domain
socket that's owned by a TPM2 simulator running in a Docker container (i.e.
I can run various "tpm2_*" binaries in my QEMU VM, and view the low-level logs
in the simulator, so this setup appears to be working. However, there are no
"/sys/kernel/security/tpm0" objects, or anything I can find in "sysfs"
and/or "securityfs" to get a handle to the TPM2 event logs. My ultimate goal is
to be able to acquire these logs, and have a service of mine parse them, and validate each
message against the TPM (i.e. verify if it's legitimate TPM_GENERATED content).

To my questions:
1. How would I go about getting access to the TPM2 event logs on a running system (i.e.
are certain kernel build-time parameters needed, or does QEMU require specific flags in
order to run, or does the simulator need to be executed in a certain manner).
2. Is my appraisal of the features provided by the kernel patch (below) correct?
3. In general, is a UEFI-enabled BIOS required to get access to the TPM2 event log (i.e.
for BIOSes other than SeaBIOS, for example)?

Author: Stefan Berger <stefanb(a)linux.ibm.com>
Date: Mon Jul 6 19:58:07 2020 -0400

tpm: Add support for event log pointer found in TPM2 ACPI table

In case a TPM2 is attached, search for a TPM2 ACPI table when trying
to get the event log from ACPI. If one is found, use it to get the
start and length of the log area. This allows non-UEFI systems, such
as SeaBIOS, to pass an event log when using a TPM2.
Cc: Peter Huewe <peterhuewe(a)gmx.de>
Cc: Jason Gunthorpe <jgg(a)ziepe.ca>
Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
Reviewed-by: Jerry Snitselaar <jsnitsel(a)redhat.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen(a)linux.intel.com>