The isolation of the VTPM architecture comes from the domain isolation that Xen provides. In the optional compile mode, further isolation between VTPM instances is also provided by Xen’s domain isolation. The shared memory driver is simply referring to the fact that the TPM FE/BE driver uses a shared page (as most FE/BE pairs do) in order to transmit the TPM command from the guest to the domain with the VTPM manager.
I think there is a little bit of confusion on the GVTPM. Generalized VTPM is the VTPM framework, but it realizes that the architecture doesn’t need to be limited to TPM functionality. It can be generalized to create virtual secure coprocessors for nearly any function. However in the context of TCG or current Xen implementation we are talking strictly about VTPMs and no other use of the framework.
TCG’s opinion about VTPMs is that there are a couple of condoned proposals for ways to provide trustworthy VTPMs, and TCG members are not discounting virtual environments in their work. IBM and Intel both are working in TCG to make sure that our industry efforts and TCG work are complimentary and not opposing.
Unfortunately, we do not have any public documentation on VTPM at this time beyond presentations; however, I can answer any questions you have over email directly.
Trusted Platform Lab
System Technology Lab, CTG
[mailto:xense-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of jackyhuangq@xxxxxxxx
I am interesting in vitrualization and tcpa.I want to do some research on Xen platform to present a more trusted VMM. I think the key points are isolation and integrity.
With isoliation, I want to use uninterference policy to confine the communication between xen and domains with device channel.That is to say, map the formal model to xen. I think now the MAC mechanism also does some isolation, the channel-control analyse with formal model is another way, especially used for confine the TCB where access control can do nothing.By the way,I think critical application also is a part of TCB.
And from Reiner, I see Xen is not a isolation VMM,or separation VMM.But I think formal analyze can benefit confinement of Xen's I/O device.
With integrity, I want to examine the GVTPM architecture and do something based on it.
My questions are: does the isolation provided by Xen for domains is strong enough from your developer's view? Is there anybody can help me to learn more about GVTPM except for a .ppt document? Something like what the function of "shared memory TPM driver" in the code? is it a backend driver? Or what is the opinion of TCG about GVTPM?
I am already much inspired by your help in the mail list.Hope I can do something to the community. Thanks!
_______________________________________________ Xense-devel mailing list Xense-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xense-devel