
Re: [Xen-users] Install vTPM on Xen-4.1.2

> -----Original Message-----
> From: Daniel De Graaf [mailto:dgdegra@xxxxxxxxxxxxx]
> Sent: Friday, November 15, 2013 11:10 PM
> To: Xu, Quan
> Cc: Wei Liu; xen-users@xxxxxxxxxxxxx
> Subject: Re: [Xen-users] Install vTPM on Xen-4.1.2
> 
> On 11/14/2013 09:34 PM, Xu, Quan wrote:
> >
> >
> >> -----Original Message-----
> >> From: Daniel De Graaf [mailto:dgdegra@xxxxxxxxxxxxx]
> >> Sent: Thursday, November 14, 2013 11:09 PM
> >> To: Xu, Quan
> >> Cc: Wei Liu; Lv, FeiX; xen-users@xxxxxxxxxxxxx
> >> Subject: Re: [Xen-users] Install vTPM on Xen-4.1.2
> >>
> >> On 11/14/2013 05:35 AM, Wei Liu wrote:
> >>> On Thu, Nov 14, 2013 at 05:50:24AM +0000, Xu, Quan wrote:
> >>>> Hi, Wei / Community
> >>>>      We are working on supporting HVM domU based on vTPM stubdom. Now
> >>>> the vTPM stubdom is just for PV domU in Xen 4.3.0.
> >>
> >> This is not correct; the frontend driver in Linux 3.12 will also work
> >> on HVM, same as the other PV drivers.
> >>
> > Thanks, I will have a try based on Linux 3.12 for DomU. I have some
> > questions. Does it work on Xen 4.3.0 or xen-unstable?
> >
> 
> The TPM stubdoms have not changed in the 4.4 development series, so it
> should work on both.
> 
> >
> >> An important caveat here is that you don't have a complete
> >> measurement of an HVM domain (hvmloader and grub don't speak to the
> >> TPM), but that wasn't true in earlier versions of Xen for either PV
> >> or HVM, so using the older version won't improve that.
> >>
> >>>> Xen supports HVM domU in the previous version 4.1.2, even though the
> >>>> backend is in Dom0.
> >>>> In the previous vTPM, the backend driver is in Linux 2.6.18, and the
> >>>> kernel is tough to build. I think it is helpful if we enable the
> >>>> previous vTPM.
> >>>>      Does anyone maintain the vTPM backend driver?
> >>>>
> >>>> Quan Xu
> >>>>
> >>
> >> I'm not sure building the 2.6.18 backend driver would be any more
> >> helpful to you, since it won't talk to the frontend in 3.12. The PV
> >> stubdoms have no issues talking to an HVM frontend (at least from what
> >> I've tested).
> >>
> >
> > My team is trying to enable HVM VM based stubdom vTPM. The 2.6.18 kernel
> > works for HVM domU based on the legacy vTPM. By my estimate, the hvmloader
> > is enabled with TCG BIOS.
> > Then my team can integrate the hvmloader with stubdom vTPM.
> 
> Real integration on HVM will require integration with QEMU so that it can
> emulate the normal hardware interface (TIS). I haven't looked at the
> hvmloader's TPM support, but I would guess that it tries to use that interface
> since that is what a normal BIOS would do. Since emulation of TIS will be
> needed for unmodified OSes, I don't see any reason to add a Xen tpmfront
> driver to hvmloader/*bios.
> 
> QEMU 1.5 has support for doing pass-through to /dev/tpm0, so a Linux
> stubdom with a 3.12+ kernel and attached vtpm would just require enabling the
> option. The last posted Linux stubdom (RFC by Anthony Perard back in April)
> was using an older Linux and QEMU, but it still may be a good starting point.
> 

Thanks, Graaf. My team will try to set it up. I'll share some QEMU patches from
the archive first:
 http://lists.nongnu.org/archive/html/qemu-devel/2013-11/msg00674.html
 http://lists.nongnu.org/archive/html/qemu-devel/2013-11/msg00675.html
 http://lists.nongnu.org/archive/html/qemu-devel/2013-11/msg00676.html
 http://lists.nongnu.org/archive/html/qemu-devel/2013-11/msg00678.html
 http://lists.nongnu.org/archive/html/qemu-devel/2013-11/msg00677.html
In those patches, the SeaBIOS code (http://www.seabios.org/SeaBIOS) that is
required to run with this support, and that provides initialization, ACPI
table updates, and menu updates, is not yet upstream.

But I have found some SeaBIOS patches, "Add TPM support to SeaBIOS":
 http://lists.gnu.org/archive/html/qemu-devel/2011-04/msg00424.html
 http://lists.gnu.org/archive/html/qemu-devel/2011-04/msg00419.html
 http://lists.gnu.org/archive/html/qemu-devel/2011-04/msg00421.html
 http://lists.gnu.org/archive/html/qemu-devel/2011-04/msg00417.html
 http://lists.gnu.org/archive/html/qemu-devel/2011-04/msg00426.html
 http://lists.gnu.org/archive/html/qemu-devel/2011-04/msg00423.html
 http://lists.gnu.org/archive/html/qemu-devel/2011-04/msg00420.html
 http://lists.gnu.org/archive/html/qemu-devel/2011-04/msg00418.html
 http://lists.gnu.org/archive/html/qemu-devel/2011-04/msg00422.html

I will go through all of the patches / stubdom vTPM / legacy dom0 vTPM daemon, and
give you some further feedback. BTW, could you help me review those patches too?

=== 

BTW,
1. My team is starting to develop stubdom vTPM based on TPM 2.0 for PV domU, which I
mentioned before. I hope that the Berlios TPM Emulator can work well for TPM 2.0.
   Could you share some debugging experience?
2. My team has integrated
OpenAttestation (https://github.com/OpenAttestation/OpenAttestation) with
stubdom vTPM. The OpenAttestation project provides an SDK (Software Development Kit)
to add to cloud management tools the capability of establishing host integrity
information by remotely retrieving and verifying hosts' integrity with a TPM quote.
oat-client can work in a RHEL 6.4 VM with vTPM after commenting out "check_drivers ||
load_drivers || exit 1" in the /etc/init.d/tcsd file. Also, we can integrate
stubdom vTPM into OpenStack.

> >>>
> >>> I'm not expert in this field. You can probably make use of the
> >>> classic
> >>> 2.6.18 kernel tree on xenbits.xen.org.
> >>>
> >>> Wei.
> >>>
> >>
> >> --
> >> Daniel De Graaf
> >> National Security Agency
> >
> >
> > Quan Xu
> > Intel
> >
> >
> 
> 
> --
> Daniel De Graaf
> National Security Agency


Quan Xu
Intel


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users