Re: [Xense-devel] questions about isolation model and GVTPM

[Reiner Sailer <sailer@xxxxxxxxxx>]

xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 04/25/2006
10:40:38 AM:

> Hi guys, 
Hi Huang,

I am still out-of-the office but I am starting to
read my e-mail :-) I did not see anybody answering to your e-mail yet,
so I will try to answer those parts that I am familiar with.

> I am interesting in vitrualization and tcpa.I
want to do some 
> research on Xen platform to present a more trusted VMM. I think the
> key points are isolation and integrity. 
>
> With isoliation, I want to use uninterference
policy to confine the 
> communication between xen and domains with device channel.

This sounds interesting. Can you describe this policy
a little more? What does it address that the current Type Enforcement (controlled
sharing between Domains) or the Chinese Wall Policy do not express? Do
you aim at discovering/measuring covert channels (a very beneficial, interesting,
and challenging task)?

>That is to
> say, map the formal model to xen. I think now the MAC mechanism also
> does some isolation, the channel-control analyse with formal model
> is another way, especially used for confine the TCB where access 
> control can do nothing.

You must be talking about covert channels here since
those are not access controlled.

>By the way,I think critical application also 
> is a part of TCB. 
> And from Reiner, I see Xen is not a isolation
VMM,or separation VMM.
> But I think formal analyze can benefit confinement of Xen's I/O device.

Can you give an example of an I/O device and the confinement
guarantees you are looking for? We are extending the MAC into I/O virtualization
(which happens on operating system level).
 
> With integrity, I want to examine the GVTPM architecture
and do 
> something based on it. 
> My questions are: does the isolation provided
by Xen for domains is 
> strong enough from your developer's view? Is the! re anybody can 
> help me to learn more about GVTPM except for a .ppt document? 

I can give a little information about last 4 letters
(VTPM): there are multiple documented approaches. The current implementation
in Xen is the result of a cooperation between Intel and IBM. We have a
project web page at IBM Research that describes our general approach (http://www.research.ibm.com/ssd_vtpm)
and we will present a research paper on the Usenix Security Symposium this
year describing challenges and solutions when virtualizing a TPM.

Probably a person from Intel can describe best their
vision of generalized VTPM or point to more information :-)

Regards
Reiner

> Something like what the function of "shared memory TPM driver"
in 
> the code? is it a backend driver? Or what is the opinion of TCG about
GVTPM?
> I am already much inspired by your help in the
mail list.Hope I can 
> do something to the community. Thanks! 
> Yours Huang _______________________________________________
> Xense-devel mailing list
> Xense-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xense-devel
_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel