From 43f8e21dd29af32a8937e22d5c5e135370934353 Mon Sep 17 00:00:00 2001 From: David Tolnay Date: Wed, 13 Feb 2019 17:28:16 -0800 Subject: tpm: Runtime flag for software tpm device Gate the current software tpm device behind a crosvm flag called `--software-tpm`. When we get to leveraging the physical tpm, we will likely want that behind a separate `--hardware-tpm` flag that is automatically detected when the vm being launched is gLinux. Based on feedback from apronin: > Hm, long-term it may actually make sense to have software-tpm and > real-tpm-for-glinux as two separate run-time options and only enable > real-tpm-for-glinux for glinux. > > we want to protect guests from exploits, but we also want to limit > access to tpm for random guests. So, enterprises may set this to "no > TPM" for Linux images their employees run on their devices, so that > they don't get creative with trying to break TPM from inside those > images. BUG=chromium:911799 TEST=run TPM playground program inside crosvm with flag set TEST=confirm TPM playground does not run with flag unset Change-Id: I1bccf62be63d40203463623f43b1a6ee2d51f6c0 Reviewed-on: https://chromium-review.googlesource.com/1478377 Commit-Ready: David Tolnay Tested-by: David Tolnay Tested-by: kokoro Reviewed-by: Zach Reizner
---
 src/linux.rs | 24 +++++++++++++-----------
 src/main.rs | 7 +++++++
 2 files changed, 20 insertions(+), 11 deletions(-)
(limited to 'src')
diff --git a/src/linux.rs b/src/linux.rs
index 0391f9d..2d6673d 100644
--- a/src/linux.rs
+++ b/src/linux.rs
@@ -312,17 +312,19 @@ fn create_virtio_devs(
 #[cfg(feature = "tpm")]
 {
- let tpm_box = Box::new(devices::virtio::Tpm::new());
- let tpm_jail = if cfg.multiprocess {
- let policy_path = cfg.seccomp_policy_dir.join("tpm_device.policy");
- Some(create_base_minijail(empty_root_path, &policy_path)?)
- } else {
- None
- };
- devs.push(VirtioDeviceStub {
- dev: tpm_box,
- jail: tpm_jail,
- });
+ if cfg.software_tpm {
+ let tpm_box = Box::new(devices::virtio::Tpm::new());
+ let tpm_jail = if cfg.multiprocess {
+ let policy_path = cfg.seccomp_policy_dir.join("tpm_device.policy");
+ Some(create_base_minijail(empty_root_path, &policy_path)?)
+ } else {
+ None
+ };
+ devs.push(VirtioDeviceStub {
+ dev: tpm_box,
+ jail: tpm_jail,
+ });
+ }
 }
 if let Some(trackpad_spec) = cfg.virtio_trackpad {
diff --git a/src/main.rs b/src/main.rs
index d0c1e7d..4965deb 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -116,6 +116,7 @@ pub struct Config {
 multiprocess: bool,
 seccomp_policy_dir: PathBuf,
 gpu: bool,
+ software_tpm: bool,
 cras_audio: bool,
 null_audio: bool,
 virtio_trackpad: Option,
@@ -146,6 +147,7 @@ impl Default for Config {
 tap_fd: Vec::new(),
 cid: None,
 gpu: false,
+ software_tpm: false,
 wayland_socket_path: None,
 wayland_dmabuf: false,
 shared_dirs: Vec::new(),
@@ -518,6 +520,9 @@ fn set_argument(cfg: &mut Config, name: &str, value: Option<&str>) -> argument::
 "gpu" => {
 cfg.gpu = true;
 }
+ "software-tpm" => {
+ cfg.software_tpm = true;
+ }
 "trackpad" => {
 if cfg.virtio_trackpad.is_some() {
 return Err(argument::Error::TooManyArguments(
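Review bot: In the `create_virtio_devs` hunk of src/linux.rs, the new `if cfg.software_tpm {` block still sets `tpm_jail` to `None` whenever `cfg.multiprocess` is false, so opting in with `--software-tpm` in that mode adds a guest-facing device that presumably runs without the `tpm_device.policy` seccomp jail. Nothing at the call site records that trade-off or why the device is off by default; I would add above the `if`: `// Opt-in only: exposing a TPM to the guest is a policy decision, and the device is jailed only when cfg.multiprocess is set.` If an unjailed software TPM is never intended, rejecting `software_tpm && !multiprocess` when the configuration is validated would be the stricter alternative, though where that validation lives is not visible here. The body of `create_virtio_devs` starts and ends outside the hunk.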
@@ -629,6 +634,8 @@ fn run_vm(args: std::env::Args) -> std::result::Result<(), ()> {
 "File descriptor for configured tap device. A different virtual network card will be added each time this argument is given."),
 #[cfg(feature = "gpu")]
 Argument::flag("gpu", "(EXPERIMENTAL) enable virtio-gpu device"),
+ #[cfg(feature = "tpm")]
+ Argument::flag("software-tpm", "enable a software emulated trusted platform module device"),
 Argument::value("evdev", "PATH", "Path to an event device node. The device will be grabbed (unusable from the host) and made available to the guest with the same configuration it shows on the host"),
 Argument::value("trackpad", "PATH:WIDTH:HEIGHT", "Path to a socket from where to read trackpad input events and write status updates to, optionally followed by screen width and height (defaults to 800x1280)."),
 Argument::value("mouse", "PATH", "Path to a socket from where to read mouse input events and write status updates to."),
-- cgit 1.4.1