[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] measuring guest boot process

On 03/17/2014 06:32 AM, Ian Campbell wrote:

Is what Aastha wants to do possible with the vtpm stuff?

Yes; most of it will work with Xen 4.3 and above for PV Linux.

On Mon, 2014-03-17 at 09:31 +0100, Aastha Mehta wrote:
On 11 March 2014 11:08, Ian Campbell <Ian.Campbell@xxxxxxxxxx> wrote:
On Fri, 2014-03-07 at 13:26 +0100, Aastha Mehta wrote:
I have a basic question regarding how to measure the guest boot
process. Is pv-grub an equivalent of trusted grub for guest domains?
Or is it possible to use trusted grub for the guest domains? If not,
what is the way to measure the guest boot process?

The pv-grub included in Xen 4.3 will send the kernel and initrd hashes
to a connected vTPM (PCRs 4 and 5; see commit d78dab3ec).  HVM guests
currently do not have an equivalent capability; this would require
enabling TPM support in QEMU and the hvmloader/BIOS, and using either
trusted GRUB or (more complex but in theory possible) TBOOT in the guest.

I actually came across a paper that explains the design of vTPM and in
this case the authors implemented it in Xen
In section 4.4, they have mentioned a "SetupInstance" management
command that seems to be for the same purpose that I mentioned.
"The SetupInstance command prepares a vTPM instance for immediate
usage by the corresponding virtual machine and extends PCRs with
measurements of the operating system kernel image and other ïles
involved in the boot process. This command is used for virtual
machines that boot without the support of a TPM-enabled BIOS and boot
loader, which would otherwise initialize the TPM and extend the TPM
PCRs with appropriate measurements."

I am not sure if the vTPM design in Xen follows from this paper and if
there is an implementation of such a command available.

The vTPM design in Xen does not directly follow from this paper.  A few
key differences: Xen's vTPM Manager is a separate domain and manages
keys for all vTPMs.  The vTPM domains are not capable of creating other
vTPMs, but instead rely on the normal domain building process.
A vTPM in Xen does not get a report of the hash of the kernel in its
guest.  Since you still need to trust domain 0 for guest measurements to
have any meaning, requiring that all guests be built using a trusted
pv-grub image is suitable as a basis for a trust chain from hardware to
a guest; the vTPM still contains the running kernel and initrd hashes.

The introduction of a dedicated domain builder can allow domains to be
created without needing to trust the hardware domain in the creation
process.  When using this service, the TPM Manager for Xen 4.5 can be
modified to accept kernel hashes from the domain builder in order to
verify the integrity of the vTPM domain and report the hash of a guest
to its vTPM when the vTPM requests it.  These patches have not been
posted for inclusion in Xen 4.5 because the underlying communication
mechanism they use is not upstream (and V4V, the upstream counterpart,
has not yet been merged).

Daniel De Graaf
National Security Agency

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.