
[Xen-devel] [ANNOUNCE] TPM virtualization



Xen Community,

Intel and IBM have been working together to provide TPM (Trusted
Platform Module) virtualization for Xen.  You can find out more about
the architecture and ideas for TPM virtualization at
http://summit.xensource.com/pdfs/XenSecurity_Intel_CRozas.pdf and
http://www.research.ibm.com/secure_systems_department/projects/vtpm/.

[Detailed description of TPM:
https://www.trustedcomputinggroup.org/downloads/TCG_1_0_Architecture_Overview.pdf;
overview:
https://www.trustedcomputinggroup.org/downloads/tcg_presentations/TCG_TechnicalOverview_ACSAC_20041207.zip]

The patches that will be sent later today contain the changes and a
readme that describes how to integrate and run this TPM virtualization.
This is the first release of this functionality and we will continue to
maintain and enhance it.

TPM virtualization (vTPM) support will consist of the following patches
(in two emails).  The default behavior will be to build and install
these components.

1.  hypervisor: additions to include files
2.  tools directory: for xend to be able to set up TPM front- and backend
interfaces; allows it to parse VM configuration files with vtpm and
tpmif entries in the configuration files
3.  sparse directory: the TPM front- and backend drivers used by Linux
on XEN; a PCI-independent implementation of the TPM driver including a
plug-in for interfacing with the TPM front-end driver

4.  tools directory: a virtual TPM manager in charge of managing vtpm
instances and protecting their secrets while they are offline
5.  tools directory: a virtual TPM which will be instantiated by the
manager on a one-per-guest basis
6.  tools directory: a TPM emulator to allow development and testing on
machines which lack a physical TPM

A developer-level summary of the functionality is:
*  The patches support TPM v1.1b.
*  Support is provided through a TPM block device that can be installed
in any domain (dom0 doesn't need one because the physical TPM driver
resides there).
*  For systems that don't have a physical TPM but would like to use the
measurement functionality, there is a build option that will allow the
use of a TPM emulator in dom0 in place of a physical TPM.  Naturally,
this will not have the security and trust properties of a physical TPM.
*  All components except the TPM FE driver reside in dom0 (the FEs go
into each domU).
*  Migration (of domU TPM state) is not supported at this time, but it
is being worked on.

We hope that many of you will give this a try and look forward to your
comments and feedback.

Intel & IBM


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
