An update on this thread -- virtualbox devs are planning to pass through the
physical TPM rather than emulating one to the guest -- www.virtualbox.org/changeset/90946/vbox -- which has just been pushed.
I don't get how that's supposed to work if two devices are trying to use it at the same time. Similarly, I don't like the idea of people using it to break VM isolation, or alternatively hide keys.
QEMU has already implemented TPM emulation, but there are two currently "not supported" interrupts, fortunately not hugely relevant, but still -- https://qemu.readthedocs.io/en/latest/specs/tpm.html#. Fortunately, it's possible to directly inspect the TPM and its communication protocol (TIS) state by making a debug build:
Quote:
This patch uses the possibility to add a vendor-specific register and
adds a debug register useful for dumping the TIS's internal state. This
register is only active in a debug build (#define DEBUG_TIS).
Hopefully this won't last too long and won't protect too much...