[Xen-users] [TPM, vTPM] Persistence of data on VM?

To:	Xen-Users <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject:	[Xen-users] [TPM, vTPM] Persistence of data on VM?
From:	Nicolas Muñoz <nicolas.munoz.zz@xxxxxxxxx>
Date:	Mon, 7 Sep 2009 16:16:00 +0100
Delivery-date:	Mon, 07 Sep 2009 08:16:43 -0700
Dkim-signature:	v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type; bh=7tjF5BDSNcC6oF1j4twfuHHLNySF9FX0lA7FtSngW3o=; b=rQe04n4kVpfZX+pcSqhhjNjs7tOZAeABQorXGklDXugPdDao507WUKPAgrgK6yz+TH NFX+9CHzydqaC9W8uFVOIDHNhal/SZkIucAAojzn5p3KyE/sXmuKzHFeatFWvGiXvR9F UbpItBdrQwoW2jqn3Ri/XIfIyw4C8PmNkzKlM=
Domainkey-signature:	a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=XhtpM0QccBXVMPObIYZk46EMf2GIWVeBA6YLkovM81etaOe/4dSuSd0TTfI/oxERA5 sHV3lY35pkrWMTtHKIZe4F2yh2GbCnaYOfdf0C5eIlO3RUxzwFO7WAHvB7JSvkw6+ylg r0y4oUFRM8puad4oS4SpI12ae7Ypphns6Jk+k=
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxxx
List-help:	<mailto:xen-users-request@lists.xensource.com?subject=help>
List-id:	Xen user discussion <xen-users.lists.xensource.com>
List-post:	<mailto:xen-users@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender:	xen-users-bounces@xxxxxxxxxxxxxxxxxxx

Hi,

In advance, sorry, I am not sure if it's the right mailing list to ask that, but as my question is half-way between Xen and trousers, I thought asking in both mailing lists would not be too much....

I am currently having a little problem finding out how to make work my seal/unseal things...
Running a Debian Lenny on top of Xen 3.5 unstable. with vtpm management enabled on my VM's, my wish is to make some sealing tests on my VM's/

So here are all the operations I do :

On the Dom0

/etc/inid.d/trousers stop # TrouSerS prevents use of the vtpm manager, becauser the vtpmm cant use the TPM is another application is already using it

xend start

vtpm_managerd &

vtpm_migratord &

On the DomU

modprobe tpm_xenu

tcsd start

tpm_takeownership -z # I know SRK passw trouble is fixed now, but I continue using the well known secret for a test purpose for now

echo "Secret test" | tpm_sealdata -o 0209091104.blob -z

So here I've got a blob that contains

-----BEGIN TSS-----
-----TSS KEY-----
[...]
-----ENC KEY-----
[...]
-----ENC DAT-----
[...]
-----END TSS-----

Then I can unseal it, just to test that it has been done correctly:

lenny-guest# tpm_unsealdata -i 200909071534.blob

-----
Secret test

-----

So it seems that everything went ok.

So I reboot my VM, do the modprobe and tcsd start again, and then, I expect my TPM to have kept the state I gave to it last time. But that doesn't seem to work. or else I am doing something wrong.

Is not the TPM_STRONG_PERSISTENCE of the Xen tpm emulator option supposed to allow automatic state save after each issued command on a VM?

After reboot, I have to take ownership again of my TPM, otherwise, I cant issue any of the command that I want to execute. Example:

echo "secret" | tpm_sealdata -o 200909071544.blob -z

results in

Tspi_Key_CreateKey failed: 0x00000003 - layer=tpm, code=0003 (3), Bad parameter

Any idea?

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

WARNING - OLD ARCHIVES

xen-users

[Xen-users] [TPM, vTPM] Persistence of data on VM?