-
There's only a Unix socket on the host for the control channel of swtpm. The file descriptor for the data channel gets passed from QEMU to swtpm via an SCM_RIGHTS message, so it's inaccessible to the outside world and with this the data channel is also inaccessible to the outside world and you cannot spy on TPM messages sent between QEMU and swtpm. The only way to listen in on the traffic would be via a log, but by default, at least with libvirt starting swtpm and QEMU, there's no log parameter passed to swtpm, either.
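The descriptor hand-off described in the reply above, as an added example that is not part of the original thread and is not swtpm or QEMU code: the control channel is a named Unix socket, while the data channel is an anonymous socket pair whose one end travels as SCM_RIGHTS ancillary data and therefore has no path on the host to connect to. The `ctrl.sock` path, the one-byte marker message (a stand-in, not swtpm's control protocol) and the sample TPM2_Startup bytes are constructed for illustration; Linux is assumed.

```python
import array
import os
import socket
import tempfile

# Constructed sample payload: a TPM2_Startup(TPM_SU_CLEAR) command.
SAMPLE_CMD = bytes.fromhex("80010000000c000001440000")

def send_fd(chan, fd):
    """Pass one descriptor over a Unix socket as SCM_RIGHTS ancillary data."""
    chan.sendmsg([b"F"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS,
                           array.array("i", [fd]))])

def recv_fd(chan):
    """Receive one descriptor sent with send_fd()."""
    fds = array.array("i")
    _, ancdata, _, _ = chan.recvmsg(1, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[:fds.itemsize])
            return fds[0]
    raise RuntimeError("no descriptor received")

def demo():
    """Run both roles in one process and report what each channel exposes."""
    with tempfile.TemporaryDirectory() as tmp:
        ctrl_path = os.path.join(tmp, "ctrl.sock")  # hypothetical path
        # Emulator role: the control channel is the only socket with a name.
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(ctrl_path)
        listener.listen(1)
        # VM role: create an anonymous pair for the data channel and hand
        # one end to the emulator over the control connection.
        vm_end, tpm_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        ctrl = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        ctrl.connect(ctrl_path)
        send_fd(ctrl, tpm_end.fileno())
        tpm_end.close()  # the VM role keeps only its own end
        conn, _ = listener.accept()
        data = socket.socket(fileno=recv_fd(conn))  # emulator's data channel
        vm_end.sendall(SAMPLE_CMD)
        received = data.recv(len(SAMPLE_CMD))
        result = {"ctrl_path_exists": os.path.exists(ctrl_path),
                  "data_sockname": data.getsockname(),
                  "received": received}
        for s in (listener, ctrl, conn, data, vm_end):
            s.close()
        return result
```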
-
Hey all, I hope this is an appropriate place to ask for your advice.
I am using swtpm [1] as a virtual TPM for my qemu instance [2] and I would like to trace all issued TPM2 commands in an easily readable and processable way. I noticed that Wireshark has some really useful TPM2 decoders built in [3], but I can use it only if swtpm is configured to communicate through a TCP socket (as for example supported by VirtualBox). To my understanding, qemu is only able to work with swtpm over a Unix socket though.
I considered redirecting the Unix sockets through `socat` into a TCP socket and back into a Unix socket, but this yielded errors in swtpm and no immediate success.

What's in your experience the best way to capture TPM-only traffic from swtpm/libtpms (i.e. skip the control plane)?
Thanks in advance for any hints,
Christian
[1]
[2]
[3]