WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xense-devel

Re: [Xense-devel] Run vTPM in its own VM?

To: "Fischer, Anna" <anna.fischer@xxxxxx>
Subject: Re: [Xense-devel] Run vTPM in its own VM?
From: Stefan Berger <stefanb@xxxxxxxxxx>
Date: Thu, 14 Sep 2006 12:36:14 -0400
Cc: Xense-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Thu, 14 Sep 2006 09:36:31 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <86FE9B2B91ADD04095335314BE6906E868AE50@xxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xense-devel-request@lists.xensource.com?subject=help>
List-id: "A discussion list for those developing security enhancements for Xen." <xense-devel.lists.xensource.com>
List-post: <mailto:xense-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx

xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 09/14/2006 05:00:56 AM:

> The README of the current Xen unstable version says that setting
> VTPM_MULTI_VM allows running each vTPM in its own VM. However, compiling
> with this option doesn't work on my machine and the code doesn't seem to
> be complete for this option.
>
> Did I miss to configure something or is the current implementation in
> Xen not really ready for running a vTPM in a separate VM?


I am not familiar with the option above since I am running a different implementation of a VTPM, but I can say that it should generally be possible to run a vTPM in a separate domain, but I haven't done this in a long time. There exists an option when defining the vtpm in the VM configuration file to have it's backend located in a different domain than domain-0. Typically such an entry looks like

vtpm=['backend=0,instance=1']

to talk to a vTPM in domain-0 ( => backend=0 ).

There's one catch, though, and that's that all the hotplug scripts that are typically doing the life-cycle management of the vTPM instances now also have to be installed in that domain along with hotplug daemon etc.. I myself haven't run the vTPM in any other domain than domain-0 in a long time.

>
> Can you explain to me how a communication will look like for the planned
> implementation in Xen? Will all communication continue to go through the
> vTPM manager and the vTPM manager talks to a kind of FE that transmits
> TPM commands to a BE running in a separate domain? Or is it possible to
> set up direct connections between a user domain TPM FE and the vTPM
> running in an isolated VM?


It is possible to connect them directly with the vm configuration option above.
It should be possible to start a 2nd domain whose only purpose would be to run the vTPM - along with the hotplug stuff mentioned above running in that domain. That domain would have to be started from domain-0. However, you have a gap then if it's about taking integrity measurements of applications and a correct 'trust' chain. The proper way of doing this would be to have that vTPM-hosting domain started before domain 0 (including all the complications on how to access persistent storage etc.).
Can you tell us a bit more about what you are planning on doing?

  Stefan

>
> Regards,
> Anna
>
> _______________________________________________
> Xense-devel mailing list
> Xense-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xense-devel
_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel