[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: [Xense-devel] vtpm_managerd locks the TPM
Thanks to Vinnie for getting into more background on why the vTPM Manager isn't using a gneral TSS. This fills-in the background on my previous answer to this same question: http://lists.xensource.com/archives/html/xen-devel/2007-07/msg00812.html . In your (Luke's) original reply to this, you stated that you wanted to: My goal is to be able to do all of the following, though no two need to occur simultaneously 1) Run vtpm_managerd 2) create tpm keys in the dom0 3) create vtpm keys in the domu and then later that you had gotten 1) and 3) working. As Vinnie explained, if you have a need for a somewhat privileged domain to use keys, it would be preferable to do that within a secure domU. It has long been a goal of the Xen security community to disaggregate dom0, and in such a case, the vTPM Manager would most likely end up in a small domain to itself. So a forward-looking design would be to use a secure domU for any TPM operations. Is your intended use something that cannot work in such a model and requires access to the hardware TPM? Joe ________________________________ From: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xense-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Scarlata, Vincent R Sent: Thursday, September 20, 2007 8:08 PM To: Luke; Xense-devel@xxxxxxxxxxxxxxxxxxx Subject: RE: [Xense-devel] vtpm_managerd locks the TPM Due to the TPM's interface, only one application can access the TPM at a time, so "locking" is somewhat implicit. In a general purpose OS, it is the expectation of TCG that the single application that uses the TPM is the system service implementing the TPM Software Stack (TSS) (ie trousers). Many applications can then use RPCs to communicate with the TSS, which multiplexes their requests to the TPM. That said, TPM virtualization is a very security sensitive operation that is meant to be done in a static minimalist environment. This is because any root exploit in the domain housing the vTPM processes would yield a compromise in vTPM keys. It's not expected that a full TSS, other TPM apps, or any user apps will be running along side the vTPM manager. For example, an ideal configuration would be to put the vTPM manager & vTPMs in a dedicated domain. An alternative would be a to run it in a very stripped down, static, Dom0 that runs off an initrd. In both these configurations, the vTPM manager should talk directly to the TPM driver rather than require the inclusion of a TSS service. If you do want to run the vTPM manager in a more general purpose Dom0 that has other TPM applications, you would need a new vtsp.c file that calls trousers rather than the internal stack to the TPM driver. -Vinnie Scarlata ________________________________ From: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xense-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Luke Sent: Thursday, September 20, 2007 10:45 PM To: Xense-devel@xxxxxxxxxxxxxxxxxxx Subject: [Xense-devel] vtpm_managerd locks the TPM It seems like vtpm_managerd locks the TPM when I try to use it. I can't run bindfile/unbindfile commands, do a tpm_demo, etc when vtpm_managerd is running. I get I/O errors or get_capability errors (using the old IBM TPM command suite), which seems to suggest that vtpm_managerd locks the TPM from other commands. Have other people found this to be the case as well? Is there any fix for this? Why does vtpm_managerd need to lock the TPM? Anyone try Trousers with vtpm_manager simultaneously? Thanks for the help - -- Luke _______________________________________________ Xense-devel mailing list Xense-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xense-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |