Bug 1758153

Summary: RFE: add TPM1.2 passthrough support
Product: Red Hat Enterprise Linux 8
Component: edk2
Version: 8.1
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Reporter: Marc-Andre Lureau <marcandre.lureau>
Assignee: Marc-Andre Lureau <marcandre.lureau>
QA Contact: Qinghua Cheng <qcheng>
CC: areis, berrange, coli, jferlan, jinzhao, juzhang, kraxel, lersek, mrezanin, mtessun, pbonzini, philmd, ribarry, yanqzhan
Target Milestone: rc
Keywords: FutureFeature, TestOnly, Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: edk2-20200602gitca407c7246bf-1.el8
Last Closed: 2021-03-25 03:53:15 UTC
Type: Feature Request
Bug Depends On: 1817035
Bug Blocks: 1734505
Attachments: ovmf tpm1 patch (flags: none)

Description Marc-Andre Lureau 2019-10-03 12:30:24 UTC
In bug 1734505, a customer is trying to pass through a TPM 1.2 device and enable Windows BitLocker with UEFI.

Under some limited context, it is possible to pass through a TPM 1.2 device and enable Windows BitLocker with SeaBIOS. (When SeaBIOS detects a passthrough TPM, it doesn't extend any PCR.)

Currently, OVMF supports vTPM 2.0 only.

Adding support for TPM 1.2 seems quite straightforward. I removed PCR extension altogether for now. BitLocker seems quite happy about the result, although I lack a host with IMA/grub measurements to confirm this is enough.

See attached patch.

Comment 1 Marc-Andre Lureau 2019-10-03 12:31:16 UTC
Created attachment 1622293
ovmf tpm1 patch

Comment 8 Laszlo Ersek 2020-02-23 20:06:27 UTC
Related upstream patches, posted by Marc-André:

[edk2-devel] [PATCH v2 0/3] Ovmf: enable TPM 1.2
http://mid.mail-archive.com/20200213131222.157700-1-marcandre.lureau@redhat.com
https://edk2.groups.io/g/devel/message/54362

Comment 9 Laszlo Ersek 2020-03-02 20:37:45 UTC
Further iterations:

[edk2-devel] [PATCH v3 0/6] Ovmf: enable TPM 1.2
https://edk2.groups.io/g/devel/message/54854
http://mid.mail-archive.com/20200226093459.1131530-1-marcandre.lureau@redhat.com

[edk2-devel] [PATCH v4 0/5] Ovmf: enable TPM 1.2
https://edk2.groups.io/g/devel/message/54894
http://mid.mail-archive.com/20200226152433.1295789-1-marcandre.lureau@redhat.com

V4 is ready to go in, with Simon Hardy's T-b, once edk2-stable202002 is tagged and the hard feature freeze ends (expected on March 4th).

Comment 10 Laszlo Ersek 2020-03-04 12:25:02 UTC
Upstream v4 has been merged as commit range ecb30848fdc9..61d3b2d4279e, via <https://github.com/tianocore/edk2/pull/416/>.

Comment 16 Qinghua Cheng 2020-06-28 12:07:55 UTC
Verified on RHEL 8.3

kernel: 4.18.0-215.el8.x86_64
qemu-kvm: qemu-kvm-4.2.0-19.module+el8.3.0+6473+93e27135.x86_64
edk: edk2-ovmf-20200602gitca407c7246bf-1.el8.noarch

Verified with Windows 2019 guest:
passthrough test: pass
Run BitLocker app: BZ 1734505

Verified with Linux RHEL 8.3 guest:
passthrough test: pass