[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] vTPM Manager shuts down

On 05/23/2013 10:35 AM, Ross Philipson wrote:

-----Original Message-----
From: Konrad Rzeszutek Wilk [mailto:konrad.wilk@xxxxxxxxxx]
Sent: Wednesday, May 22, 2013 4:54 PM
To: Ross Philipson
Cc: Daniel De Graaf; Jordi Cucurull Juan; xen-devel@xxxxxxxxxxxxx
Subject: Re: [Xen-devel] vTPM Manager shuts down

On Wed, May 22, 2013 at 07:14:04PM +0000, Ross Philipson wrote:

-----Original Message-----
From: xen-devel-bounces@xxxxxxxxxxxxx [mailto:xen-devel-
bounces@xxxxxxxxxxxxx] On Behalf Of Ross Philipson
Sent: Wednesday, May 22, 2013 3:06 PM
To: Konrad Rzeszutek Wilk; Daniel De Graaf
Cc: Jordi Cucurull Juan; xen-devel@xxxxxxxxxxxxx
Subject: Re: [Xen-devel] vTPM Manager shuts down


-----Original Message-----
From: xen-devel-bounces@xxxxxxxxxxxxx [mailto:xen-devel-
bounces@xxxxxxxxxxxxx] On Behalf Of Konrad Rzeszutek Wilk
Sent: Wednesday, May 22, 2013 2:00 PM
To: Daniel De Graaf
Cc: Jordi Cucurull Juan; xen-devel@xxxxxxxxxxxxx
Subject: Re: [Xen-devel] vTPM Manager shuts down


(XEN) General information for domain 5:
(XEN)     refcnt=3 dying=0 pause_count=0
(XEN)     nr_pages=7168 xenheap_pages=5 shared_pages=0

paged_pages=0

dirty_cpus={} max_pages=7424

(XEN)     handle=3097d8b9-8d80-4bde-94b6-978c98c37296

vm_assist=00000000

(XEN) Rangesets belonging to domain 5:
(XEN)     I/O Ports  { }
(XEN)     Interrupts { }
(XEN)     I/O Memory { fed40 }

Note: my config contains "iomem=['fed40,1']" not

"iomem=['fed40,5']"

so your

output will differ there.


Is that address (fed40) standard? Are there other TPM devices at

other

locations?


Yes that is defined in the TCG's TPM spec. That is the beginning of

the

PCRs
for locality 0 and they range up to locality 4: FED4_0xxxh -

FED4_4xxxh


If you search for something like TCG_PCClientTPMSpecification_1-

21_1-

00_FINAL.pdf
you can find that information (chapter 9 is on locality).


How does one find them? lspci?


The TPM lives on the LPC bus. Some of its features are exported in
sysfs:

/sys/class/misc/tpm0


Oh and sorry I sent it before I finished what I was going to say. You

can

find information about it in ACPI. E.g. this Dell I have has a

Broadcom

1.2 TPM:

     Device (\_SB.PCI0.LPCB.TPM)
     {
         Name (_HID, EisaId ("BCM0102"))
         Name (_CID, 0x310CD041)
         Name (_STR, Unicode ("TPM 1.2 Device"))
         Name (_CRS, ResourceTemplate ()
         {
             Memory32Fixed (ReadOnly,
                 0xFED40000,         // Address Base
                 0x00005000,         // Address Length
                 )
         })
         ...
     }


Would it make sense to have libxl when creating one of the TPM manager
domains to automatically get that info from /sys/class/misc/tpm0?


Do you mean to get that address? It is pretty well fixed (at least on PC
platforms). In fact the tpm_tis Linux driver has it hard coded in its
defaults:

enum tis_defaults {
        TIS_MEM_BASE = 0xFED40000,
        TIS_MEM_LEN = 0x5000,
        TIS_SHORT_TIMEOUT = 750,        /* ms */
        TIS_LONG_TIMEOUT = 2000,        /* 2 sec */
};

Though the pnp code in tpm_tis can take external values for
the memory base. I guess the best place to find the actual value(s)
would be in ACPI firmware (reading the _CRS).


The ACPI firmware entry is meant to be present for ease of use in an OS
that expects devices to have ACPI entries, not as the primary source of
the address. In an environment using TBOOT, for example, this ACPI table
may not be trusted to report the address correctly.


As to your other question, I guess I never thought about whether there
could or would be more than one actual TPM on a platform. I am not sure
what that would be used for and it seems like the answer is "no" on the
surface but I could be wrong.


The TPM PC Client specification mandates that a TPM 1.2 be located at
0xFED40000 (in section 9.1 of the PC Client Specific TIS 1.21 or 5.2
in version 1.3, among other documents). This prevents multiple TPMs
claiming to be a PC Client TPM.

In general, having multiple TPMs on a single platform is not a useful
configuration because it causes confusion when updating PCRs - which
is a primary reason you would want your keys on TPM.



Hm, I guess it wouldn't really work unless you added some new
config option called 'vtpm_manager=1' to do this.


The TPM manager already requires a command-line argument to change the
locality (and therefore the address it uses to access the TPM), so it's
not useful to try to auto-detect the address in one location while the
other is still manual.

--
Daniel De Graaf
National Security Agency

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.