[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Install vTPM on Xen-4.2.2

On 06/05/2013 04:36 AM, Bei Guan wrote:
Thank you for your reply.
I find out you previous TPM front patch that you posted several days ago at:

Is your patch only for a PV DomU? Can I use a linux hvm to apply your patch?
If not, can you recommend a DomU (PV or HVM is ok) to use your patch? Thank
you very much.

This patch has been tested successfully as both PV and HVM. Full support for
HVM will need a bit more integration with the BIOS (i.e. hvmloader) and with
QEMU to support the usual TIS interface to the TPM so bootloaders like
trusted grub can work - however, if you don't care about having a full chain
of measurement in your guest, all the usual TPM functionality will work in
HVM mode with that module.

The tpmfront driver also works in dom0, which can be useful if you want TPM
functionality there since the real TPM is exclusively used by the TPM manager.
This is what the "hwinitpcrs" vTPM command line option is intended for; normal
vTPMs should initialize their PCRs to 0.

Re: 2.6.18 - I think the in-kernel TPM interface is a bit different there.
The existing tpmfront module for 2.6.18 won't work with the v2 interface used
in Xen 4.3's tpmback, but there have been previous patches that just updated
that interface (first to patch a 3.x kernel, then to tweak the interface) so
a backport shouldn't be too hard.

2013/6/4 Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

On 06/04/2013 05:03 AM, Bei Guan wrote:

2013/5/29 Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

  On 05/29/2013 07:23 AM, Bei Guan wrote:

  Thank you for all your reply. I'll try vTPM on Xen-4.3-unstable.

However, I don't have a physical TPM on my PC. Can I use the TPM
in Xen-4.3-unstable now?

Thank you very much,
Bei Guan

  The current TPM Manager requires a physical TPM to be present. While
you could make things work without one, it would require patching
either the vTPM or vTPM Manager domains with an alternate sealing
mechanism for the long-term keys and source of random numbers.

Hi Daniel,

I'm trying vTPM on Xen-4.3-unstable with a TPM emulator. However, I run
into problems.
Everything in stubdom seems to be compiled successfully except for the TPM

I can't help if I don't know what the problems are. Some of the
in stubdom may be broken if you got things half-compiled before they broke,
so a clean tree could help. You also need cmake, but it sounds like you've
gotten past that point.

  I'm not sure how to make the TPM emulator work in Xen-4.3. Can you give me
more detailed instructions? Such as which part of the code need to be
modified, if necessary. And, how much the coding work need to do to make
the TPM emulator work?

The TPM emulator (vtpm-stubdom) depends on the TPM Manager
to store its encryption keys securely. The TPM Manager uses a physical TPM
to secure its own storage. Without a physical TPM, this is not possible, so
possible workarounds include removing the requirement to have a TPM manager
from the vTPM domain (remove tpmfront references), or to modify the TPM
manager to not use the physical TPM.

In either case, you will need to find another source for random numbers,
which is one thing the physical TPM is used for. Changing the vTPM would be
simpler than changing the TPM manager; the code you need to change is ~1000
lines, but most of your changes will be removal of code.

  I found there is a code file tpm_tis.c in mini-os/ and stubdom/ioemu/hw/
respectively. What's the difference between them? Is the code
stubdom/ioemu/hw/tpm_tis.c only for QEMU emulated TPM device?
And, what's the difference between mini-os/tpm_tis.c and
drivers/char/tpm/tpm_tis.c in linux kernel?

Thank you very much.

The mini-os driver is derived from the one in the Linux kernel; they both
interface with a hardware TPM. The QEMU code (ioemu/hw) emulates a hardware
TPM based on qemu's access to a Linux /dev/tpm0 device driver. With Linux
stub domains, this device can be backed by the tpmfront driver connected to
the vtpm stubdom.

Daniel De Graaf
National Security Agency

Daniel De Graaf
National Security Agency

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.