Re: [Xen-devel] Install vTPM on Xen-4.2.2
On 06/05/2013 04:36 AM, Bei Guan wrote:
> Thank you for your reply. I found your previous TPM front patch that you posted several days ago at:
> http://xen.markmail.org/message/j6xyvmjlqocjxbbn?q=drivers/tpm:+add+xen+tpmfront+interface
>
> Is your patch only for a PV DomU? Can I use a Linux HVM to apply your patch? If not, can you recommend a DomU (PV or HVM is ok) to use your patch? Thank you very much.

This patch has been tested successfully as both PV and HVM. Full support for HVM will need a bit more integration with the BIOS (i.e. hvmloader) and with QEMU to support the usual TIS interface to the TPM so bootloaders like trusted grub can work - however, if you don't care about having a full chain of measurement in your guest, all the usual TPM functionality will work in HVM mode with that module.

The tpmfront driver also works in dom0, which can be useful if you want TPM functionality there since the real TPM is exclusively used by the TPM manager. This is what the "hwinitpcrs" vTPM command line option is intended for; normal vTPMs should initialize their PCRs to 0.

Re: 2.6.18 - I think the in-kernel TPM interface is a bit different there. The existing tpmfront module for 2.6.18 won't work with the v2 interface used in Xen 4.3's tpmback, but there have been previous patches that just updated that interface (first to patch a 3.x kernel, then to tweak the interface) so a backport shouldn't be too hard.

> 2013/6/4 Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> > On 06/04/2013 05:03 AM, Bei Guan wrote:
> > > 2013/5/29 Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> > > > On 05/29/2013 07:23 AM, Bei Guan wrote:
> > > > > Thank you for all your replies. I'll try vTPM on Xen-4.3-unstable. However, I don't have a physical TPM on my PC. Can I use the TPM emulator in Xen-4.3-unstable now?
> > > > >
> > > > > Thank you very much,
> > > > > Bei Guan
> > > >
> > > > The current TPM Manager requires a physical TPM to be present. While you could make things work without one, it would require patching either the vTPM or vTPM Manager domains with an alternate sealing mechanism for the long-term keys and source of random numbers.
> > >
> > > Hi Daniel,
> > > I'm trying vTPM on Xen-4.3-unstable with a TPM emulator. However, I run into problems. Everything in stubdom seems to be compiled successfully except for the TPM emulator.
> >
> > I can't help if I don't know what the problems are. Some of the dependencies in stubdom may be broken if you got things half-compiled before they broke, so a clean tree could help. You also need cmake, but it sounds like you've gotten past that point.
> >
> > > I'm not sure how to make the TPM emulator work in Xen-4.3. Can you give me more detailed instructions? Such as which part of the code needs to be modified, if necessary. And, how much coding work needs to be done to make the TPM emulator work?
> >
> > The TPM emulator (vtpm-stubdom) depends on the TPM Manager (vtpmmgr-stubdom) to store its encryption keys securely. The TPM Manager uses a physical TPM to secure its own storage. Without a physical TPM, this is not possible, so possible workarounds include removing the requirement to have a TPM manager from the vTPM domain (remove tpmfront references), or to modify the TPM manager to not use the physical TPM. In either case, you will need to find another source for random numbers, which is one thing the physical TPM is used for.
> >
> > Changing the vTPM would be simpler than changing the TPM manager; the code you need to change is ~1000 lines, but most of your changes will be removal of code.
> >
> > > I found there is a code file tpm_tis.c in mini-os/ and stubdom/ioemu/hw/ respectively. What's the difference between them? Is the code stubdom/ioemu/hw/tpm_tis.c only for QEMU emulated TPM device? And, what's the difference between mini-os/tpm_tis.c and drivers/char/tpm/tpm_tis.c in linux kernel? Thank you very much.
> >
> > The mini-os driver is derived from the one in the Linux kernel; they both interface with a hardware TPM. The QEMU code (ioemu/hw) emulates a hardware TPM based on qemu's access to a Linux /dev/tpm0 device driver. With Linux stub domains, this device can be backed by the tpmfront driver connected to the vtpm stubdom.
> >
> > --
> > Daniel De Graaf
> > National Security Agency

--
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel