qemu: support virtual TPM

This enables the use of swtpm (from meta-security) as a virtual TPM in
qemu. These patches extend the existing support in qemu for TPM
passthrough so that a swtpm daemon can be accessed via CUSE (character
device in user space).

To use this:
 - add the meta-security layer including the swtpm enhancements for qemu
 - bitbake swtpm-native
 - create a TPM instance and initialize it with:

   $ mkdir -p my-machine/myvtpm0
   $ tmp-glibc/sysroots/x86_64-linux/usr/bin/swtpm_setup_oe.sh --tpm-state my-machine/myvtpm0 --createek
   Starting vTPM manufacturing as root:root @ Fri 20 Jan 2017 08:56:18 AM CET
   TPM is listening on TCP port 52167.
   Successfully created EK.
   Successfully authored TPM state.
   Ending vTPM manufacturing @ Fri 20 Jan 2017 08:56:19 AM CET

 - run swtpm *before each runqemu invocation* (it shuts down after use) and
   do it as root (required to set up the /dev/vtpm0 CUSE device):

   $ sudo sh -c 'PATH=`pwd`/tmp-glibc/sysroots/x86_64-linux/usr/bin/:`pwd`/tmp-glibc/sysroots/x86_64-linux/usr/sbin/:$PATH; export TPM_PATH=`pwd`/my-machine/myvtpm0; swtpm_cuse -n vtpm0' && sudo chmod a+rw /dev/vtpm0

 - run qemu:

   $ runqemu 'qemuparams=-tpmdev cuse-tpm,id=tpm0,path=/dev/vtpm0 -device tpm-tis,tpmdev=tpm0' ...

The guest kernel has to have TPM support enabled, which can be done with:

KERNEL_FEATURES_append = " features/tpm/tpm.scc"

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>

0 files changed, 0 insertions, 0 deletions