[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] measuring guest boot process

On 18 March 2014 15:35, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> wrote:
> On 03/17/2014 06:32 AM, Ian Campbell wrote:
>> Daniel,
>> Is what Aastha wants to do possible with the vtpm stuff?
> Yes; most of it will work with Xen 4.3 and above for PV Linux.
>> On Mon, 2014-03-17 at 09:31 +0100, Aastha Mehta wrote:
>>> On 11 March 2014 11:08, Ian Campbell <Ian.Campbell@xxxxxxxxxx> wrote:
>>>> On Fri, 2014-03-07 at 13:26 +0100, Aastha Mehta wrote:
>>>>> I have a basic question regarding how to measure the guest boot
>>>>> process. Is pv-grub an equivalent of trusted grub for guest domains?
>>>>> Or is it possible to use trusted grub for the guest domains? If not,
>>>>> what is the way to measure the guest boot process?
> The pv-grub included in Xen 4.3 will send the kernel and initrd hashes
> to a connected vTPM (PCRs 4 and 5; see commit d78dab3ec).  HVM guests
> currently do not have an equivalent capability; this would require
> enabling TPM support in QEMU and the hvmloader/BIOS, and using either
> trusted GRUB or (more complex but in theory possible) TBOOT in the guest.
> [...]
>>> I actually came across a paper that explains the design of vTPM and in
>>> this case the authors implemented it in Xen
>>> (https://www.usenix.org/legacy/event/sec06/tech/full_papers/berger/berger.pdf).
>>> In section 4.4, they have mentioned a "SetupInstance" management
>>> command that seems to be for the same purpose that I mentioned.
>>> "The SetupInstance command prepares a vTPM instance for immediate
>>> usage by the corresponding virtual machine and extends PCRs with
>>> measurements of the operating system kernel image and other ïles
>>> involved in the boot process. This command is used for virtual
>>> machines that boot without the support of a TPM-enabled BIOS and boot
>>> loader, which would otherwise initialize the TPM and extend the TPM
>>> PCRs with appropriate measurements."
>>> I am not sure if the vTPM design in Xen follows from this paper and if
>>> there is an implementation of such a command available.
> The vTPM design in Xen does not directly follow from this paper.  A few
> key differences: Xen's vTPM Manager is a separate domain and manages
> keys for all vTPMs.  The vTPM domains are not capable of creating other
> vTPMs, but instead rely on the normal domain building process.
>     A vTPM in Xen does not get a report of the hash of the kernel in its
> guest.  Since you still need to trust domain 0 for guest measurements to
> have any meaning, requiring that all guests be built using a trusted
> pv-grub image is suitable as a basis for a trust chain from hardware to
> a guest; the vTPM still contains the running kernel and initrd hashes.
> The introduction of a dedicated domain builder can allow domains to be
> created without needing to trust the hardware domain in the creation
> process.  When using this service, the TPM Manager for Xen 4.5 can be
> modified to accept kernel hashes from the domain builder in order to
> verify the integrity of the vTPM domain and report the hash of a guest
> to its vTPM when the vTPM requests it.  These patches have not been
> posted for inclusion in Xen 4.5 because the underlying communication
> mechanism they use is not upstream (and V4V, the upstream counterpart,
> has not yet been merged).
> --
> Daniel De Graaf
> National Security Agency

Thank you for the reply.


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.