[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] measuring guest boot process
On 03/17/2014 06:32 AM, Ian Campbell wrote: Daniel, Is what Aastha wants to do possible with the vtpm stuff? Yes; most of it will work with Xen 4.3 and above for PV Linux. On Mon, 2014-03-17 at 09:31 +0100, Aastha Mehta wrote:On 11 March 2014 11:08, Ian Campbell <Ian.Campbell@xxxxxxxxxx> wrote:On Fri, 2014-03-07 at 13:26 +0100, Aastha Mehta wrote:I have a basic question regarding how to measure the guest boot process. Is pv-grub an equivalent of trusted grub for guest domains? Or is it possible to use trusted grub for the guest domains? If not, what is the way to measure the guest boot process? The pv-grub included in Xen 4.3 will send the kernel and initrd hashes to a connected vTPM (PCRs 4 and 5; see commit d78dab3ec). HVM guests currently do not have an equivalent capability; this would require enabling TPM support in QEMU and the hvmloader/BIOS, and using either trusted GRUB or (more complex but in theory possible) TBOOT in the guest. [...] I actually came across a paper that explains the design of vTPM and in this case the authors implemented it in Xen (https://www.usenix.org/legacy/event/sec06/tech/full_papers/berger/berger.pdf). In section 4.4, they have mentioned a "SetupInstance" management command that seems to be for the same purpose that I mentioned. "The SetupInstance command prepares a vTPM instance for immediate usage by the corresponding virtual machine and extends PCRs with measurements of the operating system kernel image and other ïles involved in the boot process. This command is used for virtual machines that boot without the support of a TPM-enabled BIOS and boot loader, which would otherwise initialize the TPM and extend the TPM PCRs with appropriate measurements." I am not sure if the vTPM design in Xen follows from this paper and if there is an implementation of such a command available. The vTPM design in Xen does not directly follow from this paper. A few key differences: Xen's vTPM Manager is a separate domain and manages keys for all vTPMs. The vTPM domains are not capable of creating other vTPMs, but instead rely on the normal domain building process.A vTPM in Xen does not get a report of the hash of the kernel in its guest. Since you still need to trust domain 0 for guest measurements to have any meaning, requiring that all guests be built using a trusted pv-grub image is suitable as a basis for a trust chain from hardware to a guest; the vTPM still contains the running kernel and initrd hashes. The introduction of a dedicated domain builder can allow domains to be created without needing to trust the hardware domain in the creation process. When using this service, the TPM Manager for Xen 4.5 can be modified to accept kernel hashes from the domain builder in order to verify the integrity of the vTPM domain and report the hash of a guest to its vTPM when the vTPM requests it. These patches have not been posted for inclusion in Xen 4.5 because the underlying communication mechanism they use is not upstream (and V4V, the upstream counterpart, has not yet been merged). -- Daniel De Graaf National Security Agency _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |