[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] vTPM Deep Quote validation



TPM_ORD_DeepQuote is a custom command used just with vTPMs so a domU user can get a quote signed with vTPM PCRs and also physical PCRs. It is not included in 1.2 specification.

On Mon, Mar 9, 2015 at 4:51 PM, Xu, Quan <quan.xu@xxxxxxxxx> wrote:

For âTPM_ORD_DeepQuoteâcmd, it looks like a specific TPM 1.2 emulator command, instead of TPM physic cmd. I canât find it in TPM 1.2 spec.

(my TPM Main Part2 TPM Structures is Specification version 1.2/ Level 2 Revision 116 / 1 March 2011)

Â

Â

-Quan

Â

From: xen-devel-bounces@xxxxxxxxxxxxx [mailto:xen-devel-bounces@xxxxxxxxxxxxx] On Behalf Of Emil Condrea
Sent: Sunday, March 08, 2015 7:41 PM
To: xen-devel@xxxxxxxxxxxxx
Cc: Daniel De Graaf
Subject: [Xen-devel] vTPM Deep Quote validation

Â

I am trying to validate a Deep Quote request made by domU but I feel that something is missing. Right now when a domU requests TPM_ORD_DeepQuote:

1. vTPM:

- unpacks the params: nonce, vTPM PCR selection and physical PCR selection

- packs PCR_INFO_SHORT structure into buf that contains the selected vTPM PCRs

- computes nonce as a SHA1 of: dquot_hdr, nonce, and previous packed buf

- packs: nonce, physical PCR selection

- receives physical pcr data and signature from manager and returns them to DomU

2. vTPM Manager

- unpacks the params: nonce, PCR selection

- execute TPM_Quote with: externalData = nonce

- returns pcr data and signature to vTPM


If domU user wants to validate the signature it has to do the exact process that the vtpm and manager did but the virtual PCR values are not included in response, just physical ones.

We can include the vTPM PCRS in response or the manager must perform TPM_Quote using the nonce received from domU in order to be able to have a successful validation on the client side.

What do you think? Is there something that I am missing ?


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.