
Re: [Xense-devel] Run vTPM in its own VM?

xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 09/14/2006 05:00:56 AM:

> The README of the current Xen unstable version says that setting
> VTPM_MULTI_VM allows running each vTPM in its own VM. However, compiling
> with this option doesn't work on my machine and the code doesn't seem to
> be complete for this option.
>
> Did I forget to configure something, or is the current implementation in
> Xen not really ready for running a vTPM in a separate VM?


I am not familiar with the option above since I am running a different implementation of a vTPM, but I can say that it should generally be possible to run a vTPM in a separate domain, though I haven't done this in a long time. There exists an option when defining the vtpm in the VM configuration file to have its backend located in a different domain than domain-0. Typically such an entry looks like

vtpm=['backend=0,instance=1']

to talk to a vTPM in domain-0 ( => backend=0 ).

There's one catch, though, and that's that all the hotplug scripts that typically do the life-cycle management of the vTPM instances now also have to be installed in that domain, along with the hotplug daemon etc. I myself haven't run the vTPM in any other domain than domain-0 in a long time.

>
> Can you explain to me what communication will look like for the planned
> implementation in Xen? Will all communication continue to go through the
> vTPM manager and the vTPM manager talks to a kind of FE that transmits
> TPM commands to a BE running in a separate domain? Or is it possible to
> set up direct connections between a user domain TPM FE and the vTPM
> running in an isolated VM?


It is possible to connect them directly with the vm configuration option above.
It should be possible to start a 2nd domain whose only purpose would be to run the vTPM - along with the hotplug stuff mentioned above running in that domain. That domain would have to be started from domain-0. However, you have a gap then if it's about taking integrity measurements of applications and a correct 'trust' chain. The proper way of doing this would be to have that vTPM-hosting domain started before domain 0 (including all the complications on how to access persistent storage etc.).
Can you tell us a bit more about what you are planning on doing?

  Stefan

>
> Regards,
> Anna
_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel
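As an added illustration of the configuration entry discussed in the thread (this is example code, not part of the original messages or of Xen's own tools): a small parser for the xm-style `vtpm=['backend=0,instance=1']` entries. It assumes the entry is a comma-separated list of key=value pairs where `backend` names the domain hosting the vTPM backend (numeric domain id, or, as an assumption, a domain name) and `instance` is the vTPM instance number. The `backends_needing_hotplug` helper applies Stefan's caveat: any backend other than domain-0 must also carry the hotplug scripts and daemon.

```python
# Added example, not Xen's own code. Parses and checks xm-style vtpm
# configuration entries such as 'backend=0,instance=1'.
from typing import Dict, Iterable, List, Optional, Set


def parse_vtpm_entry(entry: str) -> Dict[str, str]:
    """Split 'backend=0,instance=1' into {'backend': '0', 'instance': '1'}."""
    fields: Dict[str, str] = {}
    for part in entry.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed vtpm field (expected key=value): {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        if not key or not value:
            raise ValueError(f"empty key or value in vtpm field: {part!r}")
        if key in fields:
            raise ValueError(f"duplicate vtpm field: {key!r}")
        fields[key] = value
    return fields


def describe_vtpm(entry: str) -> dict:
    """Interpret one vtpm entry: where its backend lives and which instance it uses."""
    fields = parse_vtpm_entry(entry)
    if "backend" not in fields:
        raise ValueError("vtpm entry lacks a 'backend' field")
    raw_backend = fields["backend"]
    # Numeric backend is a domain id; anything else is treated as a domain
    # name (assumption about the configuration syntax).
    backend_domid: Optional[int] = int(raw_backend) if raw_backend.isdigit() else None
    instance: Optional[int] = None
    if "instance" in fields:
        if not fields["instance"].isdigit():
            raise ValueError(f"vtpm instance must be numeric: {fields['instance']!r}")
        instance = int(fields["instance"])
    return {
        "backend": raw_backend,
        "backend_domid": backend_domid,
        "instance": instance,
        # The thread's default case: backend in domain-0 (=> backend=0).
        "hosted_in_dom0": backend_domid == 0,
    }


def is_valid_vtpm_entry(entry: str) -> bool:
    """True if the entry parses and names a backend domain."""
    try:
        describe_vtpm(entry)
        return True
    except ValueError:
        return False


def backends_needing_hotplug(entries: Iterable[str]) -> Set[str]:
    """Backends other than domain-0, i.e. domains that must also carry the
    vTPM hotplug scripts and daemon (the caveat raised in the thread)."""
    out: Set[str] = set()
    for e in entries:
        d = describe_vtpm(e)
        if not d["hosted_in_dom0"]:
            out.add(d["backend"])
    return out


if __name__ == "__main__":
    # Constructed sample entries from three hypothetical guest configs.
    sample: List[str] = ["backend=0,instance=1", "backend=3,instance=2", "backend=vtpmdom,instance=5"]
    for s in sample:
        print(s, "->", describe_vtpm(s))
    print("backends needing hotplug support:", sorted(backends_needing_hotplug(sample)))
```

Feeding the `vtpm=[...]` lists from several guest configuration files through `backends_needing_hotplug` gives a quick inventory of which domains, besides domain-0, need the hotplug machinery installed before the vTPM-hosting domain is used.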
