[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Install vTPM on Xen-4.2.2

The config file for vTPM manager is

kernel="/root/Xen/xen-4.3-unstable/stubdom/mini-os-x86_64-vtpmmgr/mini-os.gz"
memory=16
disk=["file:/var/vtpmmgr-stubdom.img,hda,w"]
name="vtpmmgr"
iomem=["fed40,5"]



2013/6/6 Bei Guan <gbtju85@xxxxxxxxx>



2013/6/5 Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
On 06/05/2013 04:36 AM, Bei Guan wrote:
Thank you for your reply.
I find out you previous TPM front patch that you posted several days ago at:
http://xen.markmail.org/message/j6xyvmjlqocjxbbn?q=drivers/tpm:+add+xen+tpmfront+interface

Is your patch only for a PV DomU? Can I use a linux hvm to apply your patch?
If not, can you recommend a DomU (PV or HVM is ok) to use your patch? Thank
you very much.

This patch has been tested successfully as both PV and HVM. Full support for
HVM will need a bit more integration with the BIOS (i.e. hvmloader) and with
QEMU to support the usual TIS interface to the TPM so bootloaders like
trusted grub can work - however, if you don't care about having a full chain
of measurement in your guest, all the usual TPM functionality will work in
HVM mode with that module.

The tpmfront driver also works in dom0, which can be useful if you want TPM
functionality there since the real TPM is exclusively used by the TPM manager.
This is what the "hwinitpcrs" vTPM command line option is intended for; normal
vTPMs should initialize their PCRs to 0.

Re: 2.6.18 - I think the in-kernel TPM interface is a bit different there.
The existing tpmfront module for 2.6.18 won't work with the v2 interface used
in Xen 4.3's tpmback, but there have been previous patches that just updated
that interface (first to patch a 3.x kernel, then to tweak the interface) so
a backport shouldn't be too hard.
I have applied your patch  tpmfront (v3) to the linux-kernel 3.9.1. 
When I create the vtpm_manager, there is an error as the following. (on Xen-4.3-unstable with TPM emulator)
Does this error has something to do with the TPM emulator? 
(PS: I have not yet changed the vtpm manager and vtpm to fit for the emulator.)

[root@localhost vtpm-conf]# xl create -c vtpmmgr-stubdom.cfg 
Parsing config from vtpmmgr-stubdom.cfg
Daemon running with PID 6631
Xen Minimal OS!
  start_info: 0xa3000(VA)
    nr_pages: 0x1000
  shared_inf: 0xbbcaf000(MA)
     pt_base: 0xa6000(VA)
nr_pt_frames: 0x5
    mfn_list: 0x9b000(VA)
   mod_start: 0x0(VA)
     mod_len: 0
       flags: 0x0
    cmd_line: 
  stack:      0x5a7a0-0x7a7a0
MM: Init
      _text: 0x0(VA)
     _etext: 0x39854(VA)
   _erodata: 0x46000(VA)
     _edata: 0x48c00(VA)
stack start: 0x5a7a0(VA)
       _end: 0x9adc0(VA)
  start_pfn: ae
    max_pfn: 1000
Mapping memory range 0x400000 - 0x1000000
setting 0x0-0x46000 readonly
skipped 0x1000
MM: Initialise page allocator for b4000(b4000)-1000000(1000000)
MM: done
Demand map pfns at 1001000-2001001000.
Heap resides at 2001002000-4001002000.
Initialising timer interface
Initialising console ... done.
gnttab_table mapped at 0x1001000.
Initialising scheduler
Thread "Idle": pointer: 0x2001002050, stack: 0xd0000
Thread "xenstore": pointer: 0x2001002800, stack: 0xe0000
xenbus initialised on irq 1 mfn 0x1003e8
Thread "shutdown": pointer: 0x2001002fb0, stack: 0xf0000
Dummy main: start_info=0x7a8a0
Thread "main": pointer: 0x2001003760, stack: 0x100000
"main" 
Shutting down ()
Shutdown requested: 3
Thread "shutdown" exited.
INFO[VTPM]: Starting vTPM manager domain
INFO[VTPM]: Option: Using tpm_tis driver
******************* BLKFRONT for device/vbd/768 **********


backend at /local/domain/0/backend/qdisk/19/768
Failed to read /local/domain/0/backend/qdisk/19/768/feature-barrier.
32768 sectors of 512 bytes
**************************
blk_open(device/vbd/768) -> 3
============= Init TPM BACK ================
Thread "tpmback-listener": pointer: 0x20010043f0, stack: 0xf0000
============= Init TPM TIS Driver ==============
IOMEM Machine Base Address: FED40000
Enabled Localities: 0 
Map 1 (fed40, ...) at 0x1006000 failed: -1.
Do_exit called!
base is 0x10fcb8 caller is 0x1f0ea
base is 0x10fcd8 caller is 0x284e3
base is 0x10fd88 caller is 0x285b8
base is 0x10fde8 caller is 0x270cc
base is 0x10fe28 caller is 0x270e4
base is 0x10fe38 caller is 0x1bcc9
base is 0x10fe78 caller is 0x6ffc
base is 0x10ff38 caller is 0x3545
base is 0x10ff68 caller is 0x1fc1c
base is 0x10ffe8 caller is 0x343b




 


2013/6/4 Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

On 06/04/2013 05:03 AM, Bei Guan wrote:

2013/5/29 Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

  On 05/29/2013 07:23 AM, Bei Guan wrote:

  Thank you for all your reply. I'll try vTPM on Xen-4.3-unstable.

However, I don't have a physical TPM on my PC. Can I use the TPM
emulator
in Xen-4.3-unstable now?

Thank you very much,
Bei Guan


  The current TPM Manager requires a physical TPM to be present. While
you could make things work without one, it would require patching
either the vTPM or vTPM Manager domains with an alternate sealing
mechanism for the long-term keys and source of random numbers.


Hi Daniel,

I'm trying vTPM on Xen-4.3-unstable with a TPM emulator. However, I run
into problems.
Everything in stubdom seems to be compiled successfully except for the TPM
emulator.


I can't help if I don't know what the problems are. Some of the
dependencies
in stubdom may be broken if you got things half-compiled before they broke,
so a clean tree could help. You also need cmake, but it sounds like you've
gotten past that point.


  I'm not sure how to make the TPM emulator work in Xen-4.3. Can you give me
more detailed instructions? Such as which part of the code need to be
modified, if necessary. And, how much the coding work need to do to make
the TPM emulator work?


The TPM emulator (vtpm-stubdom) depends on the TPM Manager
(vtpmmgr-stubdom)
to store its encryption keys securely. The TPM Manager uses a physical TPM
to secure its own storage. Without a physical TPM, this is not possible, so
possible workarounds include removing the requirement to have a TPM manager
from the vTPM domain (remove tpmfront references), or to modify the TPM
manager to not use the physical TPM.

In either case, you will need to find another source for random numbers,
which is one thing the physical TPM is used for. Changing the vTPM would be
simpler than changing the TPM manager; the code you need to change is ~1000
lines, but most of your changes will be removal of code.


  I found there is a code file tpm_tis.c in mini-os/ and stubdom/ioemu/hw/
respectively. What's the difference between them? Is the code
stubdom/ioemu/hw/tpm_tis.c only for QEMU emulated TPM device?
And, what's the difference between mini-os/tpm_tis.c and
drivers/char/tpm/tpm_tis.c in linux kernel?

Thank you very much.


The mini-os driver is derived from the one in the Linux kernel; they both
interface with a hardware TPM. The QEMU code (ioemu/hw) emulates a hardware
TPM based on qemu's access to a Linux /dev/tpm0 device driver. With Linux
stub domains, this device can be backed by the tpmfront driver connected to
the vtpm stubdom.


--
Daniel De Graaf
National Security Agency






--
Daniel De Graaf
National Security Agency



--
Best Regards,
Bei Guan



--
Best Regards,
Bei Guan
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.