[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 0/6] vTPM: Xen stubdom vTPM for HVM virtual machine


> -----Original Message-----
> From: Stefano Stabellini [mailto:stefano.stabellini@xxxxxxxxxxxxx]
> Sent: Monday, November 03, 2014 7:30 PM
> To: Xu, Quan
> Cc: xen-devel@xxxxxxxxxxxxx; keir@xxxxxxx; ian.campbell@xxxxxxxxxx;
> tim@xxxxxxx; ian.jackson@xxxxxxxxxxxxx; jbeulich@xxxxxxxx
> Subject: Re: [Xen-devel] [PATCH 0/6] vTPM: Xen stubdom vTPM for HVM
> virtual machine
> 
> On Thu, 30 Oct 2014, Quan Xu wrote:
> >
> > Signed-off-by: Quan Xu <quan.xu@xxxxxxxxx>
> >
> > This patch series are only the Xen part to enable stubdom vTPM for HVM
> virtual machine.
> > it will work w/ Qemu patch series and seaBios patch series. Change
> > QEMU_STUBDOM_VTPM compile option from 'n' to 'y', when the
> Qemu/SeaBios patch series are merged.
> 
> Please, could you add more detailed commit messages in your patches?
> Also spending a few more words here to explain why are you doing this and
> how would help.
> 
The goal of virtual Trusted Platform Module (vTPM) is to provide a TPM 
functionality
to virtual machines (Fedora, Ubuntu, Redhat, Windows .etc). This allows 
programs to
interact with a TPM in a virtual machine the same way they interact with a TPM 
on the
physical system. Each virtual machine gets its own unique, emulated, software 
TPM.
Each major component of vTPM is implemented as a stubdom, providing secure 
separation
guaranteed by the hypervisor.
The vTPM stubdom is a Xen mini-OS domain that emulates a TPM for the virtual 
machine
to use. It is a small wrapper around the Berlios TPM emulator. TPM commands are 
passed
from mini-os TPM backend driver.

This patch series are to enable Xen stubdom vTPM for HVM virtual machine. his 
allows 
programs to interact with a TPM in a HVM virtual machine(Fedora, Ubuntu, 
Redhat, Windows .etc)
the same way they interact with a TPM on the physical system.


> It looks like you are trying to introduce vTPM stubdomains. The QEMU
> changes have been posted against upstream QEMU, that is good, however as
> far as I know upstream QEMU doesn't build or work as a stubdomain yet.
> Where are the changes to make upstream QEMU based stubdoms work?
> I don't see them neither here nor in the QEMU series.
> 
It's Xen stubdom, not QEMU stubdom. Sorry for this confusion. 

> How are you testing this work?


The following steps are how to build and test it: 

1. SeaBios with my patch against upstream seabios is not submitted. I will 
submit seabios patch when I 
finish these questions from review. Now I archive my seabios patch against 
upstream seabios in 
Github: https://github.com/virt2x/seabios2 , try to build it for test. 

Configure it with Xen,
--- <Xen> Config.mk
-SEABIOS_UPSTREAM_URL ?= git://xenbits.xen.org/seabios.git
+SEABIOS_UPSTREAM_URL ?= https://github.com/virt2x/seabios2
[...]
-SEABIOS_UPSTREAM_REVISION ?= rel-1.7.5
+SEABIOS_UPSTREAM_REVISION ?= ea94c083cc15875f46f0bf288b6531154b866f5a

2. qemu with my patch against upstream QEMU is not merged. now I archive my 
qemu patch series again Upstream QEMU in github: 
https://github.com/virt2x/qemu-xen-unstable2 

Configure it with Xen, 
--- <Xen> Config.mk

-QEMU_UPSTREAM_URL ?= git://xenbits.xen.org/qemu-upstream-unstable.git
+QEMU_UPSTREAM_URL ?= https://github.com/virt2x/qemu-xen-unstable2
-QEMU_UPSTREAM_REVISION ?= qemu-xen-4.5.0-rc1
+QEMU_UPSTREAM_REVISION ?= e867e6cf86c8412ca516cf2d0ccad57130e3388c

3. build/install Xen
Change QEMU_STUBDOM_VTPM option from 'n' to 'y'
   QEMU_STUBDOM_VTPM ?= y
./configure --prefix=/usr
make dist
make install 

4. try to launch vtpmmgr / vtpm domain via <Xen>/docs/misc/vtpm-platforms.txt.
The reader is assumed to have familiarity with building and installing Xen, 
Linux, and a basic 
understanding of the TPM and vTPM concepts.

The Linux / Windows HVM guest configuration file needs to be modified to 
include the following line:
[..]
vtpm=["backend=domu-vtpm"]
device_model_version = 'qemu-xen'
acpi = 1
[..]

## domu-vtpm is the name vtpm domain, A mini-os stub domain that implements a 
vTPM. 

5. enable native TPM 1.2 drvier in HVM virtual machine. for example enable 
tpm_tis.ko in Linux 
HVM virtual machine. 
If you have trousers and tpm_tools installed on the guest, the tpm_version
command should return the following:

The version command should return the following:
  TPM 1.2 Version Info:
  Chip Version:        1.2.0.7
  Spec Level:          2
  Errata Revision:     1
  TPM Vendor ID:       ETHZ
  TPM Version:         01010000
  Manufacturer Info:   4554485a

Or check it with sysfs, /sys/class/misc/tpm0


BTW, Some local ISV are trying to integrate this feature into their cloud 
service for trusted services, 
Such as trusted virtual desktop infrastructure(HVM fedora/ubuntu/redhat/windows 
virtual machine).


> 
> 
> >  Config.mk                             |  4 ++++
> >  extras/mini-os/include/tpmback.h      |  3 +++
> >  extras/mini-os/tpmback.c              | 20 +++++++++++++++++---
> >  tools/Makefile                        |  7 +++++++
> >  tools/firmware/hvmloader/acpi/build.c |  5 +++--
> >  tools/libxl/libxl.c                   | 62
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> +++
> >  tools/libxl/libxl_create.c            | 16 +++++++++++++---
> >  tools/libxl/libxl_dm.c                | 16 ++++++++++++++++
> >  tools/libxl/libxl_dom.c               |  2 ++
> >  tools/libxl/libxl_internal.h          |  3 +++
> >  tools/libxl/libxl_types.idl           |  1 +
> >  tools/libxl/xl_cmdimpl.c              |  2 ++
> >  xen/arch/x86/hvm/hvm.c                |  3 +++
> >  xen/include/public/hvm/params.h       |  1 +
> >
> > I've tried to break it down to smaller patches:
> >
> >  *(Patch 1/6)*  event channel bind interdomain with para/hvm virtual
> > machine
> >
> >  *(Patch 2/6)*  add HVM_PARAM_STUBDOM_VTPM parameter for HVM
> virtual
> > machine
> >
> >  *(Patch 3/6)*  limit libxl__add_vtpms() function to para virtual
> > machine
> >
> >  *(Patch 4/6)*  add TPM TCPA and SSDT for HVM virtual machine when
> > vTPM is added
> >
> >  *(Patch 5/6)*  add vTPM device for HVM virtual machine
> >
> >  *(Patch 6/6)*  add QEMU_STUBDOM_VTPM compile option
> >
> >
> > _______________________________________________
> > Xen-devel mailing list
> > Xen-devel@xxxxxxxxxxxxx
> > http://lists.xen.org/xen-devel
> >

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.