|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH v2 1/5] vTPM: event channel bind interdomain with para/hvm virtual machine
On 01/08/2015 03:20 AM, Xu, Quan wrote: -----Original Message----- From: Daniel De Graaf [mailto:dgdegra@xxxxxxxxxxxxx] Sent: Wednesday, January 07, 2015 3:47 AM To: Xu, Quan; xen-devel@xxxxxxxxxxxxx Cc: samuel.thibault@xxxxxxxxxxxx; stefano.stabellini@xxxxxxxxxxxxx Subject: Re: [PATCH v2 1/5] vTPM: event channel bind interdomain with para/hvm virtual machine On 01/06/2015 11:46 AM, Xu, Quan wrote:-----Original Message----- From: Daniel De Graaf [mailto:dgdegra@xxxxxxxxxxxxx] On 12/30/2014 11:44 PM, Quan Xu wrote:[...]diff --git a/extras/mini-os/tpmback.c b/extras/mini-os/tpmback.c[...]+ domid = (domtype == T_DOMAIN_TYPE_HVM) ? 0 : tpmif->domid;Unless I'm missing something, this still assumes that the HVM device model is located in domain 0, and so it will not work if a stub domain is used for qemu.QEMU is running in Dom0 as usual, so the domid is 0. as similar to Linux PV frontend driver, this frontend driver is enabled inQEMU. This is a valid configuration of Xen and these patches do suffice to make it work. I am trying to ensure that an additional type of guest setup will also work with these patches. A useful feature of Xen is the ability to execute the QEMU device model in a domain instead of a process in dom0. When combined with driver domains for devices, this can significantly reduce both the attack surface of and amount of trust required of domain 0.Any doubt, feel free to contact. I will try my best to explain. I think yoursuggestions are very helpful in previous email(Oct. 31th, 2014.' Re: FW: [PATCH 1/6] vTPM: event channel bind interdomain with para/hvm virtual machine') Maybe this is still a vague description :( I like the /local/domain/0/frontend/* path better than my initial qemu suggestion, but I think the domain ID used should be the domain ID of the vTPM domain, similar to how backends for the qemu stubdom are done. In this example, the paths would be "/local/domain/0/frontend/vtpm/2/0" and "/local/domain/2/backend/vtpm/0/0". This avoids introducing a dependency on the domain ID of the guest in a connection that does not directly involve that domain. If a guest ever needs two vTPMs or multiple guests share a vTPM, this method of constructing the paths will avoid unneeded conflicts (though I don't expect either of these situations to be normal). /local/domain/4/backend/vtpm/5/0/*: backend B-QEMU /local/domain/5/device/vtpm/0/*: frontend B-QEMU /local/domain/4/backend/vtpm/6/0/*: backend B-PV /local/domain/6/device/vtpm/0/*: frontend B-PV Connections A-PV, B-PV, and B-QEMU would be created in the same manner as the existing "xl vtpm-attach" command does now. If the HVM guest is not running Linux with the Xen tpmfront.ko loaded, the A-PV and B-PV devices will remain unconnected; this is fine. Connection A-QEMU has a modified frontend state path to prevent Linux from attaching its own TPM driver to the guest's TPM.Your design is working. For this case, Domain 4: vTPM for guest B Domain 5: QEMU stubdom for guest B Domain 6: HVM guest B As my understanding, Xl tools will create Donmain 5 as a PV domain. It works as Existing solutions. I think it can extend with libvirt too. You can make Domain 6 connected Domain 5 by QEMU command line options, and it Is quite similar to TPM passthrough. Yes, this setup should be possible today once the proper device configuration is added to the QEMU configuration. So in this case, we don't care '-PV' or '-Qemu'. also '-pv'/'-QEMU' are confusing in XenStore. Yes; this was one reason I did not want to introduce an "HVM" type in Xenstore. -- Daniel De Graaf National Security Agency _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |