
Re: [Xen-devel] [PATCH 0/6] vTPM: Xen stubdom vTPM for HVM virtual machine




> -----Original Message-----
> From: xen-devel-bounces@xxxxxxxxxxxxx
> [mailto:xen-devel-bounces@xxxxxxxxxxxxx] On Behalf Of Stefano Stabellini
> Sent: Wednesday, November 05, 2014 7:02 PM
> To: Xu, Quan
> Cc: keir@xxxxxxx; ian.campbell@xxxxxxxxxx; Stefano Stabellini; tim@xxxxxxx;
> ian.jackson@xxxxxxxxxxxxx; xen-devel@xxxxxxxxxxxxx; jbeulich@xxxxxxxx;
> wei.liu2@xxxxxxxxxx; Daniel De Graaf
> Subject: Re: [Xen-devel] [PATCH 0/6] vTPM: Xen stubdom vTPM for HVM
> virtual machine
> 
> On Wed, 5 Nov 2014, Xu, Quan wrote:
> > > -----Original Message-----
> > > From: Stefano Stabellini [mailto:stefano.stabellini@xxxxxxxxxxxxx]
> > > Sent: Monday, November 03, 2014 7:30 PM
> > > To: Xu, Quan
> > > Cc: xen-devel@xxxxxxxxxxxxx; keir@xxxxxxx; ian.campbell@xxxxxxxxxx;
> > > tim@xxxxxxx; ian.jackson@xxxxxxxxxxxxx; jbeulich@xxxxxxxx
> > > Subject: Re: [Xen-devel] [PATCH 0/6] vTPM: Xen stubdom vTPM for HVM
> > > virtual machine
> > >
> > > On Thu, 30 Oct 2014, Quan Xu wrote:
> > > >
> > > > Signed-off-by: Quan Xu <quan.xu@xxxxxxxxx>
> > > >
> > > > This patch series is only the Xen part to enable stubdom vTPM for
> > > > HVM virtual machine.
> > > > It will work w/ Qemu patch series and SeaBios patch series. Change
> > > > QEMU_STUBDOM_VTPM compile option from 'n' to 'y', when the
> > > > Qemu/SeaBios patch series are merged.
> > >
> > > Please, could you add more detailed commit messages in your patches?
> > > Also spending a few more words here to explain why are you doing
> > > this and how would help.
> > >
> > The goal of virtual Trusted Platform Module (vTPM) is to provide a TPM
> > functionality to virtual machines (Fedora, Ubuntu, Redhat, Windows,
> > etc.). This allows programs to interact with a TPM in a virtual
> > machine the same way they interact with a TPM on the physical system.
> > Each virtual machine gets its own unique, emulated, software TPM.
> > Each major component of vTPM is implemented as a stubdom, providing
> > secure separation guaranteed by the hypervisor.
> > The vTPM stubdom is a Xen mini-OS domain that emulates a TPM for the
> > virtual machine to use. It is a small wrapper around the Berlios TPM
> > emulator. TPM commands are passed from mini-os TPM backend driver.
> >
> > This patch series is to enable Xen stubdom vTPM for HVM virtual
> > machine. This allows programs to interact with a TPM in an HVM virtual
> > machine (Fedora, Ubuntu, Redhat, Windows, etc.) the same way they
> > interact with a TPM on the physical system.
> >
> >
> > > It looks like you are trying to introduce vTPM stubdomains. The QEMU
> > > changes have been posted against upstream QEMU, that is good,
> > > however as far as I know upstream QEMU doesn't build or work as a
> > > stubdomain yet.
> > > Where are the changes to make upstream QEMU based stubdoms work?
> > > I don't see them neither here nor in the QEMU series.
> > >
> > It's Xen stubdom, not QEMU stubdom. Sorry for this confusion.
> 
> What does "Xen stubdom" mean?
> I am still a bit confused, I replied to the other email.

It is StubDom; this is the Xen wiki page about StubDom (http://wiki.xen.org/wiki/StubDom).
Stubdoms (or stub domains) are lightweight 'service' or 'driver' domains to run
device models and one technique to implement Dom0 Disaggregation. The initial
purpose of stub domains was to offload qemu workloads from dom0 into a separate
domain.

The following link is the wiki of vTPM:
http://wiki.xenproject.org/wiki/Virtual_Trusted_Platform_Module_%28vTPM%29
In the 'vTPM Extensions in Xen 4.3' section:
[...]
Each major component of vTPM is implemented as a separate domain, providing
secure separation guaranteed by the hypervisor. The vTPM domains are implemented
in mini-os to reduce memory and processor overhead.

-->
So 'Xen stubdom' is a separate domain, and implemented in mini-os.
My mistake, maybe 'Xen stubdom' is not a common noun in the community.

> 
> 
> > > How are you testing this work?
> >
> >
> > The following steps are how to build and test it:
> >
> > 1. SeaBios with my patch against upstream seabios is not submitted. I
> > will submit seabios patch when I finish these questions from review.
> > Now I archive my seabios patch against upstream seabios in
> > Github: https://github.com/virt2x/seabios2 , try to build it for test.
> >
> > Configure it with Xen,
> > --- <Xen> Config.mk
> > -SEABIOS_UPSTREAM_URL ?= git://xenbits.xen.org/seabios.git
> > +SEABIOS_UPSTREAM_URL ?= https://github.com/virt2x/seabios2
> > [...]
> > -SEABIOS_UPSTREAM_REVISION ?= rel-1.7.5
> > +SEABIOS_UPSTREAM_REVISION ?=
> ea94c083cc15875f46f0bf288b6531154b866f5a
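Review bot: the `+SEABIOS_UPSTREAM_URL` line swaps the xenbits tree for a personal GitHub fork, which is fine for a local test build but should stay out of the submitted series; keep this Config.mk edit in the test instructions only. The new `SEABIOS_UPSTREAM_REVISION` value has also wrapped onto its own line in this mail and has to be rejoined with the `?=` line before the edit is applied.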
> >
> > 2. qemu with my patch against upstream QEMU is not merged. Now I
> > archive my qemu patch series against upstream QEMU in github:
> > https://github.com/virt2x/qemu-xen-unstable2
> >
> > Configure it with Xen,
> > --- <Xen> Config.mk
> >
> > -QEMU_UPSTREAM_URL ?=
> git://xenbits.xen.org/qemu-upstream-unstable.git
> > +QEMU_UPSTREAM_URL ?=
> https://github.com/virt2x/qemu-xen-unstable2
> > -QEMU_UPSTREAM_REVISION ?= qemu-xen-4.5.0-rc1
> > +QEMU_UPSTREAM_REVISION ?=
> e867e6cf86c8412ca516cf2d0ccad57130e3388c
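Review bot: `QEMU_UPSTREAM_REVISION` goes from the tag `qemu-xen-4.5.0-rc1` to a bare commit hash in a different repository, with nothing saying which upstream QEMU the fork is based on; add a line naming the base so a tester can tell what else differs from the xenbits tree. Pinning the full hash rather than a branch name is the right choice for a fork, since it fixes exactly what the build fetches.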
> >
> > 3. build/install Xen
> > Change QEMU_STUBDOM_VTPM option from 'n' to 'y'
> >    QEMU_STUBDOM_VTPM ?= y
> > ./configure --prefix=/usr
> > make dist
> > make install
> 
> From the previous email, it looks like you are running QEMU in a Linux based
> stubdom. If so, I don't see where are you creating it.

Not so.
The attached file is the picture of the vTPM architecture.

> 
> 
> > 4. try to launch vtpmmgr / vtpm domain via <Xen>/docs/misc/vtpm-platforms.txt.
> > The reader is assumed to have familiarity with building and installing
> > Xen, Linux, and a basic understanding of the TPM and vTPM concepts.
> >
> > The Linux / Windows HVM guest configuration file needs to be modified to
> > include the following line:
> > [..]
> > vtpm=["backend=domu-vtpm"]
> > device_model_version = 'qemu-xen'
> > acpi = 1
> > [..]
> >
> > ## domu-vtpm is the name of the vtpm domain, a mini-os stub domain that
> > implements a vTPM.
> >
> > 5. enable native TPM 1.2 driver in HVM virtual machine. For example,
> > enable tpm_tis.ko in Linux HVM virtual machine.
> > If you have trousers and tpm_tools installed on the guest, the
> > tpm_version command should return the following:
> >
> > The version command should return the following:
> >   TPM 1.2 Version Info:
> >   Chip Version:        1.2.0.7
> >   Spec Level:          2
> >   Errata Revision:     1
> >   TPM Vendor ID:       ETHZ
> >   TPM Version:         01010000
> >   Manufacturer Info:   4554485a
> >
> > Or check it with sysfs, /sys/class/misc/tpm0
> >
> >
> > BTW, some local ISVs are trying to integrate this feature into their
> > cloud service for trusted services, such as trusted virtual desktop
> > infrastructure (HVM fedora/ubuntu/redhat/windows virtual machine).
> >
> >
> > >
> > >
> > > >  Config.mk                             |  4 ++++
> > > >  extras/mini-os/include/tpmback.h      |  3 +++
> > > >  extras/mini-os/tpmback.c              | 20 +++++++++++++++++---
> > > >  tools/Makefile                        |  7 +++++++
> > > >  tools/firmware/hvmloader/acpi/build.c |  5 +++--
> > > >  tools/libxl/libxl.c                   | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > > >  tools/libxl/libxl_create.c            | 16 +++++++++++++---
> > > >  tools/libxl/libxl_dm.c                | 16 ++++++++++++++++
> > > >  tools/libxl/libxl_dom.c               |  2 ++
> > > >  tools/libxl/libxl_internal.h          |  3 +++
> > > >  tools/libxl/libxl_types.idl           |  1 +
> > > >  tools/libxl/xl_cmdimpl.c              |  2 ++
> > > >  xen/arch/x86/hvm/hvm.c                |  3 +++
> > > >  xen/include/public/hvm/params.h       |  1 +
> > > >
> > > > I've tried to break it down to smaller patches:
> > > >
> > > >  *(Patch 1/6)*  event channel bind interdomain with para/hvm virtual machine
> > > >
> > > >  *(Patch 2/6)*  add HVM_PARAM_STUBDOM_VTPM parameter for HVM virtual machine
> > > >
> > > >  *(Patch 3/6)*  limit libxl__add_vtpms() function to para virtual machine
> > > >
> > > >  *(Patch 4/6)*  add TPM TCPA and SSDT for HVM virtual machine when vTPM is added
> > > >
> > > >  *(Patch 5/6)*  add vTPM device for HVM virtual machine
> > > >
> > > >  *(Patch 6/6)*  add QEMU_STUBDOM_VTPM compile option
> > > >
> > > >
> > > > _______________________________________________
> > > > Xen-devel mailing list
> > > > Xen-devel@xxxxxxxxxxxxx
> > > > http://lists.xen.org/xen-devel
> > > >
> >
> 

Attachment: vtpm.pdf
Description: vtpm.pdf
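
A guest-side check for the step 5 output quoted above, as an added example that is not part of the thread or the patch series: in the quoted `tpm_version` output the Manufacturer Info value `4554485a` is the hex encoding of the Vendor ID string `ETHZ`, so a script can parse the output and confirm the two agree. The function names (`field`, `hex2ascii`, `check_vtpm`) are hypothetical, and the sample input is constructed from the values in the mail.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check tpm_version output in an HVM guest.

# Constructed sample: the output quoted in step 5 of the thread.
SAMPLE_OUTPUT='  TPM 1.2 Version Info:
  Chip Version:        1.2.0.7
  Spec Level:          2
  Errata Revision:     1
  TPM Vendor ID:       ETHZ
  TPM Version:         01010000
  Manufacturer Info:   4554485a'

# field NAME TEXT -> value following "NAME:" in TEXT, whitespace trimmed
field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# hex2ascii HEX -> decoded characters; fails on empty, odd-length or non-hex input
hex2ascii() {
    hex=$1
    case $hex in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || return 1
    out=
    while [ -n "$hex" ]; do
        rest=${hex#??}            # everything after the first two hex digits
        pair=${hex%"$rest"}       # the first two hex digits
        out=$out$(printf "\\$(printf '%03o' "0x$pair")")
        hex=$rest
    done
    printf '%s' "$out"
}

# check_vtpm TEXT -> 0 when TEXT reports a TPM 1.2 whose Manufacturer Info
# decodes to the same string as its Vendor ID; 1 (with a reason) otherwise
check_vtpm() {
    chip=$(field 'Chip Version' "$1")
    vendor=$(field 'TPM Vendor ID' "$1")
    manuf=$(field 'Manufacturer Info' "$1")
    case $chip in
        1.2.*) ;;
        *) echo "unexpected chip version: '$chip'"; return 1 ;;
    esac
    decoded=$(hex2ascii "$manuf") || { echo "bad manufacturer info: '$manuf'"; return 1; }
    [ "$decoded" = "$vendor" ] || { echo "vendor '$vendor' != manufacturer '$decoded'"; return 1; }
    echo "TPM $chip vendor=$vendor"
}

check_vtpm "$SAMPLE_OUTPUT"
```

Inside a guest, pass the live output instead of the sample: `check_vtpm "$(tpm_version)"`.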
