tpm: Runtime flag for software tpm device

Gate the current software tpm device behind a crosvm flag called `--software-tpm`. When we get to leveraging the physical tpm, we will likely want that behind a separate `--hardware-tpm` flag that is automatically detected when the vm being launched is gLinux. Based on feedback from apronin: > Hm, long-term it may actually make sense to have software-tpm and > real-tpm-for-glinux as two separate run-time options and only enable > real-tpm-for-glinux for glinux. > > we want to protect guests from exploits, but we also want to limit > access to tpm for random guests. So, enterprises may set this to "no > TPM" for Linux images their employees run on their devices, so that > they don't get creative with trying to break TPM from inside those > images. BUG=chromium:911799 TEST=run TPM playground program inside crosvm with flag set TEST=confirm TPM playground does not run with flag unset Change-Id: I1bccf62be63d40203463623f43b1a6ee2d51f6c0 Reviewed-on: https://chromium-review.googlesource.com/1478377 Commit-Ready: David Tolnay <dtolnay@chromium.org> Tested-by: David Tolnay <dtolnay@chromium.org> Tested-by: kokoro <noreply+kokoro@google.com> Reviewed-by: Zach Reizner <zachr@chromium.org>
2025-02-11 04:26:38 +00:00 · 2019-02-13 17:28:16 -08:00 · 2019-02-13 17:28:16 -08:00 · 43f8e21dd2
commit 43f8e21dd2
parent 42e5fbd9f3
2 changed files with 20 additions and 11 deletions
--- a/src/linux.rs
+++ b/src/linux.rs
@ -312,6 +312,7 @@ fn create_virtio_devs(

    #[cfg(feature = "tpm")]
    {
+        if cfg.software_tpm {
            let tpm_box = Box::new(devices::virtio::Tpm::new());
            let tpm_jail = if cfg.multiprocess {
                let policy_path = cfg.seccomp_policy_dir.join("tpm_device.policy");
@ -324,6 +325,7 @@ fn create_virtio_devs(
                jail: tpm_jail,
            });
        }
+    }

    if let Some(trackpad_spec) = cfg.virtio_trackpad {
        match create_input_socket(&trackpad_spec.path) {
--- a/src/main.rs
+++ b/src/main.rs
@ -116,6 +116,7 @@ pub struct Config {
    multiprocess: bool,
    seccomp_policy_dir: PathBuf,
    gpu: bool,
+    software_tpm: bool,
    cras_audio: bool,
    null_audio: bool,
    virtio_trackpad: Option<TrackpadOption>,
@ -146,6 +147,7 @@ impl Default for Config {
            tap_fd: Vec::new(),
            cid: None,
            gpu: false,
+            software_tpm: false,
            wayland_socket_path: None,
            wayland_dmabuf: false,
            shared_dirs: Vec::new(),
@ -518,6 +520,9 @@ fn set_argument(cfg: &mut Config, name: &str, value: Option<&str>) -> argument::
        "gpu" => {
            cfg.gpu = true;
        }
+        "software-tpm" => {
+            cfg.software_tpm = true;
+        }
        "trackpad" => {
            if cfg.virtio_trackpad.is_some() {
                return Err(argument::Error::TooManyArguments(
@ -629,6 +634,8 @@ fn run_vm(args: std::env::Args) -> std::result::Result<(), ()> {
                          "File descriptor for configured tap device. A different virtual network card will be added each time this argument is given."),
          #[cfg(feature = "gpu")]
          Argument::flag("gpu", "(EXPERIMENTAL) enable virtio-gpu device"),
+          #[cfg(feature = "tpm")]
+          Argument::flag("software-tpm", "enable a software emulated trusted platform module device"),
          Argument::value("evdev", "PATH", "Path to an event device node. The device will be grabbed (unusable from the host) and made available to the guest with the same configuration it shows on the host"),
          Argument::value("trackpad", "PATH:WIDTH:HEIGHT", "Path to a socket from where to read trackpad input events and write status updates to, optionally followed by screen width and height (defaults to 800x1280)."),
          Argument::value("mouse", "PATH", "Path to a socket from where to read mouse input events and write status updates to."),