|
xense-devel
RE: [Xense-devel] Run vTPM in its own VM?
Stefan,
Thanks for your answer.
However, I think the multivm mode approach that Vinnie described in his last
post is a much more secure design than running all vTPMs in domain 0.
As I don't know details about your internal vTPM implementation, I can only
refer to the public Xen implementation which runs the vTPMs as user processes
in domain 0. This doesn't seem to be the most secure approach to me as it
doesn't provide very good isolation for vTPMs. Furthermore the vTPM manager
becomes a real bottleneck if you have many VMs running on one platform. Apart
from that domain 0 already holds a lot of complexity of Xen and therefore it is
a good thing to move components out as much as possible. Running vTPMs in their
own VM will also protect domain 0 from malfunctioning TPM drivers.
Anna
________________________________________
From: Stefan Berger [mailto:stefanb@xxxxxxxxxx]
Sent: Donnerstag, 14. September 2006 17:36
To: Fischer, Anna
Cc: Xense-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xense-devel] Run vTPM in its own VM?
xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 09/14/2006 05:00:56 AM:
> The README of the current Xen unstable version says that setting
> VTPM_MULTI_VM allows running each vTPM in its own VM. However, compiling
> with this option doesn't work on my machine and the code doesn't seem to
> be complete for this option.
>
> Did I miss to configure something or is the current implementation in
> Xen not really ready for running a vTPM in a separate VM?
I am not familiar with the option above since I am running a different
implementation of a VTPM, but I can say that it should generally be possible to
run a vTPM in a separate domain, but I haven't done this in a long time. There
exists an option when defining the vtpm in the VM configuration file to have
it's backend located in a different domain than domain-0. Typically such an
entry looks like
vtpm=['backend=0,instance=1']
to talk to a vTPM in domain-0 ( => backend=0 ).
There's one catch, though, and that's that all the hotplug scripts that are
typically doing the life-cycle management of the vTPM instances now also have
to be installed in that domain along with hotplug daemon etc.. I myself haven't
run the vTPM in any other domain than domain-0 in a long time.
>
> Can you explain to me how a communication will look like for the planned
> implementation in Xen? Will all communication continue to go through the
> vTPM manager and the vTPM manager talks to a kind of FE that transmits
> TPM commands to a BE running in a separate domain? Or is it possible to
> set up direct connections between a user domain TPM FE and the vTPM
> running in an isolated VM?
It is possible to connect them directly with the vm configuration option above.
It should be possible to start a 2nd domain whose only purpose would be to run
the vTPM - along with the hotplug stuff mentioned above running in that domain.
That domain would have to be started from domain-0. However, you have a gap
then if it's about taking integrity measurements of applications and a correct
'trust' chain. The proper way of doing this would be to have that vTPM-hosting
domain started before domain 0 (including all the complications on how to
access persistent storage etc.).
Can you tell us a bit more about what you are planning on doing?
Stefan
>
> Regards,
> Anna
>
> _______________________________________________
> Xense-devel mailing list
> Xense-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xense-devel
_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel
|
|
|
Home