Xen project Mailing List

Re: [Xen-users] Install vTPM on Xen-4.1.2

From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>

Date: Fri, 15 Nov 2013 10:10:06 -0500

Cc: "xen-users@xxxxxxxxxxxxx" <xen-users@xxxxxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>

Delivery-date: Fri, 15 Nov 2013 15:11:19 +0000

List-id: Xen user discussion <xen-users.lists.xen.org>

On 11/14/2013 09:34 PM, Xu, Quan wrote:

-----Original Message-----
From: Daniel De Graaf [mailto:dgdegra@xxxxxxxxxxxxx]
Sent: Thursday, November 14, 2013 11:09 PM
To: Xu, Quan
Cc: Wei Liu; Lv, FeiX; xen-users@xxxxxxxxxxxxx
Subject: Re: [Xen-users] Install vTPM on Xen-4.1.2

On 11/14/2013 05:35 AM, Wei Liu wrote:

On Thu, Nov 14, 2013 at 05:50:24AM +0000, Xu, Quan wrote:

Hi, Wei / Community
     We are working on support HVM domU based on vTPM stubdom. Now

the vTPM stubdom is just for PV domU in Xen 4.3.0.

This is not correct; the frontend driver in Linux 3.12 will also work on HVM,
same as the other PV drivers.

Thanks , I will have a try based on Linux 3.12 for DomU. I have some question. 
Does it work on xen 4.3.0 or xen-unstable ?

The TPM stubdoms have not changed in the 4.4 development series, so it should work on both.

An important caveat here is that you don't have a complete measurement of an
HVM domain (hvmloader and grub don't speak to the TPM), but that wasn't
true in earlier versions of Xen for either PV or HVM, so using the older version
won't improve that.

Xen supports HVM domU in previous version 4.1.2, even though the backend

is in Dom0.

In previous vTPM, the backend driver is in Linux 2.6.18, the kernel is tough to

build. I think it is helpful, if we enable the previous vTPM.

     Does anyone maintain the vTPM backend driver?

Quan Xu


I'm not sure building the 2.6.18 backend driver would be any more helpful to
you, since it won't talk to the frontend in 3.12. The PV stubdoms have no issues
talking to an HVM frontend (at least from what I've tested).


My team tries to enable HVM VM based stubdom vTPM. 2.6.18 kernel works for HVM 
domU based on legacy vTPM. As my estimate, the hvmloader is enabled with TCG 
BIOS.
Then my team can integrate the hvmloader with stubdom vTPM.

Real integration on HVM will require integration with QEMU so that it can emulate the normal hardware interface (TIS). I haven't looked at the hvmloader's TPM support, but I would guess that it tries to use that interface since that is what a normal BIOS would do. Since emulation of TIS will be needed for unmodified OSes, I don't see any reason to add a Xen tpmfront driver to hvmloader/*bios. QEMU 1.5 has support for doing pass-through to /dev/tpm0, so a Linux stubdom with a 3.12+ kernel and attached vtpm would just require enabling the option. The last posted Linux stubdom (RFC by Anthony Perard back in April) was using an older Linux and QEMU, but it still may be a good starting point.


I'm not expert in this field. You can probably make use of the classic
2.6.18 kernel tree on xenbits.xen.org.

Wei.


--
Daniel De Graaf
National Security Agency



Quan Xu
Intel

-- Daniel De Graaf National Security Agency _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxx http://lists.xen.org/xen-users

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.