=============================
Virtual TPM interface for Xen
=============================

Authors: Matthew Fioravante (JHUAPL), Daniel De Graaf (NSA)

This document describes the virtual Trusted Platform Module (vTPM) subsystem for
Xen. The reader is assumed to have familiarity with building and installing Xen
and Linux, and a basic understanding of TPM and vTPM concepts.

Introduction
------------

The goal of this work is to provide TPM functionality to a virtual guest
operating system (in Xen terms, a DomU). This allows programs to interact with
a TPM in a virtual system the same way they interact with a TPM on the physical
system. Each guest gets its own unique, emulated, software TPM. However, all of
a vTPM's secrets (keys, NVRAM, etc.) are managed by a vTPM Manager domain,
which seals the secrets to the physical TPM. If the process of creating each of
these domains (manager, vTPM, and guest) is trusted, the vTPM subsystem extends
the chain of trust rooted in the hardware TPM to virtual machines in Xen. Each
major component of vTPM is implemented as a separate domain, so the isolation
between them is enforced by the hypervisor rather than by a shared operating
system. The vTPM domains are implemented in mini-os to reduce memory and
processor overhead.

This mini-os vTPM subsystem was built on top of the previous vTPM work done by
IBM and Intel Corporation.


Design Overview
---------------

The architecture of vTPM is described below::

  +------------------+
  |    Linux DomU    | ...
  |       |  ^       |
  |       v  |       |
  |   xen-tpmfront   |
  +------------------+
          |  ^
          v  |
  +------------------+
  | mini-os/tpmback  |
  |       |  ^       |
  |       v  |       |
  |   vtpm-stubdom   | ...
  |       |  ^       |
  |       v  |       |
  | mini-os/tpmfront |
  +------------------+
          |  ^
          v  |
  +------------------+
  | mini-os/tpmback  |
  |       |  ^       |
  |       v  |       |
  | vtpmmgr-stubdom  |
  |       |  ^       |
  |       v  |       |
  | mini-os/tpm_tis  |
  +------------------+
          |  ^
          v  |
  +------------------+
  |   Hardware TPM   |
  +------------------+

* Linux DomU:
    The Linux based guest that wants to use a vTPM. There may be
    more than one of these.

* xen-tpmfront.ko:
    Linux kernel virtual TPM frontend driver. This driver
    provides vTPM access to a Linux-based DomU.

* mini-os/tpmback:
    Mini-os TPM backend driver. The Linux frontend driver
    connects to this backend driver to facilitate communications
    between the Linux DomU and its vTPM. This driver is also
    used by vtpmmgr-stubdom to communicate with vtpm-stubdom.

* vtpm-stubdom:
    A mini-os stub domain that implements a vTPM. There is a
    one-to-one mapping between running vtpm-stubdom instances and
    logical vTPMs on the system. The vTPM Platform Configuration
    Registers (PCRs) are normally all initialized to zero, so a
    guest's measurement chain starts in its own vTPM; it does not
    inherit the hardware TPM's PCR values.

* mini-os/tpmfront:
    Mini-os TPM frontend driver. The vTPM mini-os domain
    vtpm-stubdom uses this driver to communicate with
    vtpmmgr-stubdom. This driver is also used in mini-os
    domains such as pv-grub that talk to the vTPM domain.

* vtpmmgr-stubdom:
    A mini-os domain that implements the vTPM manager. There is
    only one vTPM manager and it should be running during the
    entire lifetime of the machine. This domain regulates
    access to the physical TPM on the system and secures the
    persistent state of each vTPM.

* mini-os/tpm_tis:
    Mini-os TPM version 1.2 TPM Interface Specification (TIS)
    driver. This driver is used by vtpmmgr-stubdom to talk directly to
    the hardware TPM. Communication is facilitated by mapping the
    TPM's hardware memory pages into vtpmmgr-stubdom, so no other
    domain needs access to them.

* Hardware TPM:
    The physical TPM that is soldered onto the motherboard.


Integration With Xen
--------------------

Support for the vTPM driver was added in Xen using the libxl toolstack in Xen
4.3. See the Xen documentation (docs/misc/vtpm.txt) for details on setting up
the vTPM and vTPM Manager stub domains. Once the stub domains are running, a
vTPM device is set up in the same manner as a disk or network device in the
domain's configuration file.

In order to use features such as IMA that require a TPM to be loaded prior to
the initrd, the xen-tpmfront driver must be compiled into the kernel. If not
using such features, the driver can be compiled as a module and will be loaded
as usual.
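The following xl domain configurations show how the three domains in the diagram above are wired together with the ``vtpm=`` device entry. They are an added illustration, not text from this document or from Xen's own docs/misc/vtpm.txt; the image paths, disk image paths, domain names, the UUID and the ``iomem`` window are placeholders that must be adjusted to the local Xen installation and platform.

```cfg
# vtpmmgr.cfg: the single vTPM manager domain. It is started first and stays
# up for the lifetime of the host, because it is the only domain that talks to
# the hardware TPM (via mini-os/tpm_tis). The iomem= line hands the stub
# domain the TPM 1.2 TIS MMIO pages; "fed40,5" (5 pages from 0xfed40000) is
# an assumed value and must be checked against the platform's TPM mapping.
kernel="/usr/lib/xen/boot/vtpmmgr-stubdom.gz"
memory=8
disk=["file:/var/vtpmmgr-stubdom.img,hda,w"]
name="vtpmmgr"
iomem=["fed40,5"]

# vtpm0.cfg: one vTPM instance; one of these runs per guest. Its own vtpm=
# entry attaches mini-os/tpmfront to the manager's tpmback, and the uuid
# identifies this vTPM's sealed persistent state to the manager. The UUID
# here is a placeholder; generate a real one per vTPM.
kernel="/usr/lib/xen/boot/vtpm-stubdom.gz"
memory=8
disk=["file:/var/vtpm0.img,hda,w"]
name="vtpm0"
vtpm=["backend=vtpmmgr,uuid=00000000-0000-0000-0000-000000000001"]

# guest0.cfg: the Linux DomU. The vtpm= entry is the only change relative to
# an ordinary guest; it attaches xen-tpmfront to the vtpm0 backend in the same
# way disk= and vif= attach block and network devices.
kernel="/boot/vmlinuz-guest"
memory=1024
disk=["file:/var/guest0.img,xvda,w"]
vif=["bridge=xenbr0"]
name="guest0"
vtpm=["backend=vtpm0"]
```

Create the domains in that order (``xl create vtpmmgr.cfg``, then ``xl create vtpm0.cfg``, then ``xl create guest0.cfg``), since each backend must exist before its frontend connects. Inside the guest, the vTPM appears as the usual ``/dev/tpm0`` once xen-tpmfront is bound; for the IMA case described above, build the driver in with ``CONFIG_TCG_XEN=y`` rather than ``=m`` so that the device exists before the initrd runs.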