
Re: [Xen-devel] [PATCH v2 0/5] vTPM: Xen stubdom vTPM for HVM virtual machine



On Tue, 2014-12-30 at 23:44 -0500, Quan Xu wrote:

Please can you arrange for your patch submissions to be correctly
threaded i.e. with all the mails containing a reference header either to
the previous patch or to the 0/N introductory patch.

Take a look at the --chainreplyto and --thread options to git
send-email. If you use --dry-run then you should see each mail has a
suitable References: header if you have got it right.

Without this I end up with N+1 unrelated emails in my INBOX which are
very hard to keep straight as a series once people start commenting on a
subset.

Thanks,
Ian.

> This patch series is only the Xen part to enable stubdom vTPM for HVM virtual machine.
> It will work w/ Qemu patch series and seaBios patch series. Change QEMU_STUBDOM_VTPM compile
> option from 'n' to 'y', when the Qemu/SeaBios patch series are merged.
> 
> ========================
>     *INTRODUCTION*
> ========================
> The goal of virtual Trusted Platform Module (vTPM) is to provide a TPM functionality to virtual
> machines (Fedora, Ubuntu, Redhat, Windows, etc.). This allows programs to interact with a TPM in
> a virtual machine the same way they interact with a TPM on the physical system. Each virtual
> machine gets its own unique, emulated, software TPM. Each major component of vTPM is implemented
> as a stubdom, providing secure separation guaranteed by the hypervisor.
> 
> The vTPM stubdom is a Xen mini-OS domain that emulates a TPM for the virtual machine to use. It
> is a small wrapper around the Berlios TPM emulator. TPM commands are passed from mini-os TPM
> backend driver.
> 
> ========================
>      *ARCHITECTURE*
> ========================
> The architecture of stubdom vTPM for HVM virtual machine:
> 
>             +--------------------+
>             | Windows/Linux DomU | ...
>             |        |  ^        |
>             |        v  |        |
>             |  Qemu tpm1.2 Tis   |
>             |        |  ^        |
>             |        v  |        |
>             | XenStubdoms backend|
>             +--------------------+
>                      |  ^
>                      v  |
>             +--------------------+
>             |      XenDevOps     |
>             +--------------------+
>                      |  ^
>                      v  |
>             +--------------------+
>             |  mini-os/tpmback   |
>             |        |  ^        |
>             |        v  |        |
>             |   vtpm-stubdom     | ...
>             |        |  ^        |
>             |        v  |        |
>             |  mini-os/tpmfront  |
>             +--------------------+
>                      |  ^
>                      v  |
>             +--------------------+
>             |  mini-os/tpmback   |
>             |        |  ^        |
>             |        v  |        |
>             |  vtpmmgr-stubdom   |
>             |        |  ^        |
>             |        v  |        |
>             |  mini-os/tpm_tis   |
>             +--------------------+
>                      |  ^
>                      v  |
>             +--------------------+
>             |    Hardware TPM    |
>             +--------------------+
> 
> 
> 
>  * Windows/Linux DomU:
>     The HVM based guest that wants to use a vTPM. There may be
>     more than one of these.
> 
>  * Qemu tpm1.2 Tis:
>     Implementation of the tpm1.2 Tis interface for HVM virtual
>     machines. It is a Qemu emulation device.
> 
>  * vTPM xenstubdoms driver:
>     Qemu vTPM driver. This driver provides vtpm initialization
>     and sending data and commands to a para-virtualized vtpm
>     stubdom.
> 
>  * XenDevOps:
>     Register Xen stubdom vTPM frontend driver, and transfer any
>     request/response between TPM xenstubdoms driver and Xen vTPM
>     stubdom. Facilitate communications between Xen vTPM stubdom
>     and vTPM xenstubdoms driver.
> 
>  * mini-os/tpmback:
>     Mini-os TPM backend driver. The Linux frontend driver connects
>     to this backend driver to facilitate communications between the
>     Linux DomU and its vTPM. This driver is also used by vtpmmgr
>     stubdom to communicate with vtpm-stubdom.
> 
>  * vtpm-stubdom:
>     A mini-os stub domain that implements a vTPM. There is a
>     one to one mapping between running vtpm-stubdom instances and
>     logical vtpms on the system. The vTPM Platform Configuration
>     Registers (PCRs) are all initialized to zero.
> 
>  * mini-os/tpmfront:
>     Mini-os TPM frontend driver. The vTPM mini-os domain vtpm
>     stubdom uses this driver to communicate with vtpmmgr-stubdom.
>     This driver could also be used separately to implement a mini-os
>     domain that wishes to use a vTPM of its own.
> 
>  * vtpmmgr-stubdom:
>     A mini-os domain that implements the vTPM manager. There is only
>     one vTPM manager and it should be running during the entire lifetime
>     of the machine. vtpmmgr domain securely stores encryption keys for
>     each of the vtpms and accesses the hardware TPM to get the root of
>     trust for the entire system.
> 
>  * mini-os/tpm_tis:
>     Mini-os TPM version 1.2 TPM Interface Specification (TIS) driver.
>     This driver is used by vtpmmgr-stubdom to talk directly to the hardware
>     TPM. Communication is facilitated by mapping hardware memory pages
>     into vtpmmgr stubdom.
> 
>  * Hardware TPM: The physical TPM 1.2 that is soldered onto the motherboard.
> 
> ========================
>     *BUILD & TEST*
> ========================
> The following steps are how to build and test it: 
> 
> 1. SeaBios with my patch against upstream seabios is not submitted. I will
> submit seabios patch later. Now I archive my seabios patch against upstream
> seabios in Github: https://github.com/virt2x/seabios2 , try to build it for
> test. 
> 
> Configure it with Xen,
> --- <Xen> Config.mk
>     -SEABIOS_UPSTREAM_URL ?= git://xenbits.xen.org/seabios.git
>     +SEABIOS_UPSTREAM_URL ?= https://github.com/virt2x/seabios2
>     [...]
>     -SEABIOS_UPSTREAM_REVISION ?= rel-1.7.5
>     +SEABIOS_UPSTREAM_REVISION ?= ea94c083cc15875f46f0bf288b6531154b866f5a
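
Review bot: on the SEABIOS_UPSTREAM_URL line the build's SeaBIOS source moves from xenbits.xen.org to the author's GitHub archive, so this edit should stay a local test setup and not be carried into the Config.mk patch of the series. Keeping SEABIOS_UPSTREAM_REVISION as a full commit hash, as done here, rather than a branch name fixes which tree gets fetched and built.
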
> 
> 2. QEMU with my patch against upstream QEMU is 
>     '[PATCH v3 0/5] QEMU:Xen stubdom vTPM for HVM virtual machine'.
> I archive my QEMU patch series against upstream QEMU in github:
>     https://github.com/virt2x/qemu-xen-unstable2 
> 
> Configure it with Xen, 
> --- <Xen> Config.mk
> 
>     -QEMU_UPSTREAM_URL ?= git://xenbits.xen.org/qemu-upstream-unstable.git
>     +QEMU_UPSTREAM_URL ?= https://github.com/virt2x/qemu-xen-unstable2
>     -QEMU_UPSTREAM_REVISION ?= qemu-xen-4.5.0-rc1
>     +QEMU_UPSTREAM_REVISION ?= 25694232b64104fd4fa2b8086f790b156a970e1e
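
Review bot: QEMU_UPSTREAM_REVISION is given as a bare commit hash with nothing tying it to the '[PATCH v3 0/5]' QEMU series named just above; state which posted version of the series that commit corresponds to, so testers know the tree they build matches what is under review.
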
> 
> 3. build/install Xen
> Change QEMU_STUBDOM_VTPM option from 'n' to 'y'
>     QEMU_STUBDOM_VTPM ?= y
> 
> ./configure --prefix=/usr
> make dist
> make install 
> 
> 4. try to launch vtpmmgr / vtpm domain via <Xen>/docs/misc/vtpm-platforms.txt.
> The reader is assumed to have familiarity with building and installing Xen, Linux,
> and a basic understanding of the TPM and vTPM concepts.
> 
> The Linux / Windows HVM guest configuration file needs to be modified to include the
> following line:
> 
>     [..]
>     vtpm=["backend=domu-vtpm"]
>     device_model_version = 'qemu-xen'
>     acpi = 1
>     [..]
> 
> #(domu-vtpm is the name of the vtpm domain, a mini-os stub domain that implements a vTPM)
> 
> 5. enable native TPM 1.2 driver in HVM virtual machine. For example enable tpm_tis.ko
> in Linux HVM virtual machine.
> If you have trousers and tpm_tools installed on the guest, the tpm_version command should
> return the following:
> 
> The version command should return the following:
>   TPM 1.2 Version Info:
>   Chip Version:        1.2.0.7
>   Spec Level:          2
>   Errata Revision:     1
>   TPM Vendor ID:       ETHZ
>   TPM Version:         01010000
>   Manufacturer Info:   4554485a
> 
> Or check it with sysfs, /sys/class/misc/tpm0
> 
> 
> --Changes in v2:
>   -Delete HVM_PARAM_STUBDOM_VTPM parameter, QEMU Reads Xen vTPM status via XenStore.
> 
> 
> 
> Quan Xu (5):
>   vTPM: event channel bind interdomain with para/hvm virtual machine
>   vTPM: limit libxl__add_vtpms() function to para virtual machine
>   vTPM: add TPM TCPA and SSDT for HVM virtual machine when vTPM is added
>   vTPM: add vTPM device for HVM virtual machine
>   vTPM: add QEMU_STUBDOM_VTPM compile option
> 
>  Config.mk                             |  4 +++
>  extras/mini-os/include/tpmback.h      |  3 ++
>  extras/mini-os/tpmback.c              | 20 +++++++++--
>  tools/Makefile                        |  7 ++++
>  tools/firmware/hvmloader/acpi/build.c |  5 +--
>  tools/libxl/libxl.c                   | 62 +++++++++++++++++++++++++++++++++++
>  tools/libxl/libxl_create.c            | 16 +++++++--
>  tools/libxl/libxl_dm.c                | 16 +++++++++
>  tools/libxl/libxl_internal.h          |  3 ++
>  tools/libxl/libxl_types.idl           |  1 +
>  tools/libxl/xl_cmdimpl.c              |  2 ++
>  11 files changed, 131 insertions(+), 8 deletions(-)
> 
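
The threading requested at the top of this reply (every patch mail referencing either the previous patch or the 0/N cover letter) can be checked mechanically on a series before it is sent. The following is an added example, not part of either mail; the function names, Message-IDs and sample mails are constructed for illustration.

```python
import email

def check_series_threading(raw_mails):
    """Return a list of problems; an empty list means the series threads.

    raw_mails: message texts in send order, cover letter (0/N) first.
    A patch mail passes if its In-Reply-To names the cover letter
    (shallow threading) or the mail sent just before it (chained), and
    its References header contains that same Message-ID.
    """
    msgs = [email.message_from_string(m) for m in raw_mails]
    ids = [(m["Message-ID"] or "").strip() for m in msgs]
    if not ids or not ids[0]:
        return ["cover letter has no Message-ID"]
    problems = []
    for i, msg in enumerate(msgs[1:], start=1):
        subject = msg["Subject"] or "(no subject)"
        parent = (msg["In-Reply-To"] or "").strip()
        refs = (msg["References"] or "").split()
        if not parent:
            problems.append(f"{subject}: missing In-Reply-To")
        elif parent not in (ids[0], ids[i - 1]):
            problems.append(f"{subject}: In-Reply-To {parent} is outside the series")
        elif parent not in refs:
            problems.append(f"{subject}: References lacks {parent}")
    return problems

def make_mail(subject, msg_id, parent=None):
    """Build a minimal constructed mail for the demonstration below."""
    head = [f"Subject: {subject}", f"Message-ID: {msg_id}"]
    if parent:
        head += [f"In-Reply-To: {parent}", f"References: {parent}"]
    return "\n".join(head) + "\n\npatch body\n"

# Constructed sample series: one threaded to the cover letter, one not.
COVER = "<cover@example.invalid>"
COVER_MAIL = make_mail("[PATCH v2 0/5] vTPM", COVER)
THREADED = [COVER_MAIL] + [
    make_mail(f"[PATCH v2 {n}/5] vTPM", f"<p{n}@example.invalid>", COVER)
    for n in range(1, 6)]
UNTHREADED = [COVER_MAIL] + [
    make_mail(f"[PATCH v2 {n}/5] vTPM", f"<p{n}@example.invalid>")
    for n in range(1, 6)]

if __name__ == "__main__":
    for name, series in (("threaded", THREADED), ("unthreaded", UNTHREADED)):
        issues = check_series_threading(series)
        print(name, "OK" if not issues else issues)
```
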


