This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-users] [TPM, vTPM] Persistence of data on VM?

To: Xen-Users <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-users] [TPM, vTPM] Persistence of data on VM?
From: Nicolas Muñoz <nicolas.munoz.zz@xxxxxxxxx>
Date: Mon, 7 Sep 2009 16:16:00 +0100

In advance, sorry, I am not sure if it's the right mailing list to ask that, but as my question is half-way between Xen and trousers, I thought asking in both mailing lists would not be too much....

I am currently having a little problem finding out how to make my seal/unseal things work...
I am running Debian Lenny on top of Xen 3.5 unstable, with vtpm management enabled on my VMs. My wish is to run some sealing tests on my VMs.

So here are all the operations I do :

On the Dom0

/etc/init.d/trousers stop   # TrouSerS prevents use of the vtpm manager, because the vtpmm can't use the TPM if another application is already using it

xend start

vtpm_managerd &

vtpm_migratord &

On the DomU

modprobe tpm_xenu

tcsd start

tpm_takeownership -z   # I know SRK passw trouble is fixed now, but I continue using the well known secret for a test purpose for now

echo "Secret test" | tpm_sealdata -o 0209091104.blob -z

So here I've got a blob that contains

-----BEGIN TSS-----
-----TSS KEY-----
-----ENC KEY-----
-----ENC DAT-----
-----END TSS-----

Then I can unseal it, just to test that it has been done correctly:

lenny-guest# tpm_unsealdata -i 200909071534.blob

Secret test


So it seems that everything went ok.

So I reboot my VM, do the modprobe and tcsd start again, and then I expect my TPM to have kept the state I gave it last time. But that doesn't seem to work, or else I am doing something wrong.

Isn't the TPM_STRONG_PERSISTENCE option of the Xen tpm emulator supposed to allow automatic state save after each command issued on a VM?

After reboot, I have to take ownership of my TPM again; otherwise, I can't issue any of the commands that I want to execute. Example:

echo "secret" | tpm_sealdata -o 200909071544.blob -z

results in

Tspi_Key_CreateKey failed: 0x00000003 - layer=tpm, code=0003 (3), Bad parameter

Any idea?
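
A structural check for the sealed blob layout listed in the post, as an added example that is not part of the original message and is not tpm-tools code. The five marker names and their order come from the post; treating section bodies as base64, and skipping "Name: value" lines inside a section, are assumptions, and the sample blob is constructed with placeholder bytes.

```python
import base64
import re

# Section markers in the order the post lists them.
MARKERS = ["BEGIN TSS", "TSS KEY", "ENC KEY", "ENC DAT", "END TSS"]
MARKER_RE = re.compile(r"^-----([A-Z ]+)-----$")


def parse_tss_blob(text):
    """Return {section: decoded bytes}; raise ValueError on a malformed blob."""
    seen, bodies, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MARKER_RE.match(line)
        if m:
            current = m.group(1)
            seen.append(current)
            bodies[current] = []
        elif current is None or current in ("BEGIN TSS", "END TSS"):
            raise ValueError("data outside a payload section: %r" % line)
        elif ":" not in line:  # assumption: 'Name: value' lines are attributes
            bodies[current].append(line)
    if seen != MARKERS:
        raise ValueError("markers missing or out of order: %r" % seen)
    out = {}
    for name in MARKERS[1:-1]:
        try:
            out[name] = base64.b64decode("".join(bodies[name]), validate=True)
        except ValueError as exc:  # binascii.Error subclasses ValueError
            raise ValueError("section %s is not valid base64" % name) from exc
        if not out[name]:
            raise ValueError("section %s is empty" % name)
    return out


def _b64(data):
    return base64.b64encode(data).decode()


# Constructed sample: placeholder bytes, not output from a real TPM.
SAMPLE = "\n".join([
    "-----BEGIN TSS-----", "-----TSS KEY-----", _b64(b"\x01" * 48),
    "-----ENC KEY-----", _b64(b"\x02" * 32),
    "-----ENC DAT-----", _b64(b"\x03" * 16), "-----END TSS-----", ""])

if __name__ == "__main__":
    for name, data in parse_tss_blob(SAMPLE).items():
        print(name, len(data), "bytes")
```

Running this on a blob saved before the reboot confirms the file itself is complete, so a later failure can be attributed to the vTPM state rather than to a truncated blob.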