[Q] about vTPM

[Q] about vTPM

sakaia
I have several questions on the vTPM implementation on Xen.
I would appreciate it if you could answer the questions.

1. GVTPM seems like the ideal model of the current vTPM implementation.
  Is this true?
  (for example, securestorage.c is in vtpm_manager)

2. I think vTPM's key functionality is migration of a vTPM instance.
  But it seems not to be implemented. Is this true?
  It seems like the migration key is a built-in HW-TPM function only.

3. Currently the vTPM implementation is ParaVM only.
  Is there any plan to support FullVM?

4. The vTPM document (docs/misc/vtpm.txt) is a little bit old.
  So the documentation does not refer to the Infineon chip.
  I think the Infineon chip is supported.

Related Links
 vTPM: Virtualizing the Trusted Platform Module
http://domino.research.ibm.com/library/cyberdig.nsf/1e4115aea78b6e7c85256b360066f0d4/a0163fff5b1a61fe85257178004eee39?OpenDocument&Highlight=0,RC23879

Intel's Presentation on Xen Security
http://www.xensource.com/files/XenSecurity_Intel_CRozas.pdf


Thanks.

Atsushi SAKAI




_______________________________________________
Xense-devel mailing list
[hidden email]
http://lists.xensource.com/xense-devel
Re: [Q] about vTPM

Stefan Berger

[hidden email] wrote on 06/29/2006 01:50:38 AM:

> I have several questions on the vTPM implementation on Xen.
> I would appreciate it if you could answer the questions.


As you show at the end of your email, there are different ideas about the virtual TPM. IBM's contributions to the Xen repository are the split TPM drivers, vTPM management scripts and test cases. We have our own virtual TPM implementation as described in the research report, but it is not freely available.

>
> 1. GVTPM seems like the ideal model of the current vTPM implementation.
>   Is this true?
>   (for example, securestorage.c is in vtpm_manager)
>
> 2. I think vTPM's key functionality is migration of a vTPM instance.
>   But it seems not to be implemented. Is this true?
>   It seems like the migration key is a built-in HW-TPM function only.
>
> 3. Currently the vTPM implementation is ParaVM only.
>   Is there any plan to support FullVM?


This is likely to be done in the future.

>
> 4. The vTPM document (docs/misc/vtpm.txt) is a little bit old.
>   So the documentation does not refer to the Infineon chip.
>   I think the Infineon chip is supported.


Thanks. I will update the document. Although it explicitly mentions some manufacturers' TPMs, it does not mean that the vTPM implementation does not work with other TPMs where drivers are available.

>
> Related Links
>  vTPM: Virtualizing the Trusted Platform Module
> http://domino.research.ibm.com/library/cyberdig.nsf/1e4115aea78b6e7c85256b360066f0d4/a0163fff5b1a61fe85257178004eee39?OpenDocument&Highlight=0,RC23879
>
> Intel's Presentation on Xen Security
> http://www.xensource.com/files/XenSecurity_Intel_CRozas.pdf
>
>
> Thanks.
>
> Atsushi SAKAI
>


Regards,
   Stefan

Re: [Q] about vTPM

sakaia
Hello Stefan

 Thank you for answering my questions.
Now I understand the situation on Xen security implementation.

Thanks

Atsushi SAKAI

RE: [Q] about vTPM

Scarlata, Vincent R
In reply to this post by sakaia
 

>-----Original Message-----
>From: Atsushi SAKAI
>Sent: Wednesday, June 28, 2006 10:51 PM
>To: [hidden email]
>Subject: [Xense-devel] [Q] about vTPM
>
>I have several questions on the vTPM implementation on Xen.
>I would appreciate it if you could answer the questions.
>
>1. GVTPM seems like the ideal model of the current vTPM implementation.
>  Is this true?
>  (for example, securestorage.c is in vtpm_manager)

Certain parts of the implementation are not specific to any model.
Specifically the driver pair that IBM contributed and the common portion
of the vtpm management scripts. However, you are correct in the
observation that the vtpm_managerd contributed by Intel is an
implementation of the GVTPM model.

>2. I think vTPM's key functionality is migration of a vTPM instance.
>  But it seems not to be implemented. Is this true?
>  It seems like the migration key is a built-in HW-TPM function only.

VTPM migration support in the vtpm_managerd is nearly complete and it
will be submitted to the tree soon.

>3. Currently the vTPM implementation is ParaVM only.
>  Is there any plan to support FullVM?
>
>4. The vTPM document (docs/misc/vtpm.txt) is a little bit old.
>  So the documentation does not refer to the Infineon chip.
>  I think the Infineon chip is supported.
>
>Related Links
> vTPM: Virtualizing the Trusted Platform Module
>http://domino.research.ibm.com/library/cyberdig.nsf/1e4115aea78b6e7c85256b360066f0d4/a0163fff5b1a61fe85257178004eee39?OpenDocument&Highlight=0,RC23879
>
>Intel's Presentation on Xen Security
>http://www.xensource.com/files/XenSecurity_Intel_CRozas.pdf

Re: [Q] about vTPM

Martin Hermanowski-5
In reply to this post by Stefan Berger
Stefan Berger wrote:

>
> [hidden email] wrote on 06/29/2006 01:50:38 AM:
>
> > I have several questions on the vTPM implementation on Xen.
> > I would appreciate it if you could answer the questions.
>
> As you show at the end of your email, there are different ideas about
> the virtual TPM. IBM's contributions to the Xen repository are the
> split TPM drivers, vTPM management scripts and test cases. We have our
> own virtual TPM implementation as described in the research report,
> but it is not freely available.

So there are two different VTPM implementations at the moment? Are there
plans to release the one described in the research report?

Regards,
Martin

--
Martin Hermanowski
http://martin.hermanowski.name


Re: [Q] about vTPM

Ronald Perez

Martin Hermanowski wrote on 06/30/2006 05:10:24 AM:

> So there are two different VTPM implementations at the moment? Are there
> plans to release the one described in the research report?

Martin,

I think it would be more accurate to say that there are at least two different vTPM implementations for Xen (supporting a diversity of vTPM implementations was one of the design points from the beginning).

While the vTPM implementation described in the IBM research report is not available (at least not as open source), we have discussed releasing it in the past. However, we currently have no plans to do so. We feel that the version supported by Intel, based on an existing open source TPM emulator, should be made adequate for most purposes. If you feel differently, please let us know.

-Ron

Ronald Perez

STSM / Manager, Secure Systems Department
IBM Thomas J. Watson Research Center, Hawthorne, NY

Re: [Q] about vTPM

Martin Hermanowski-5
Ronald Perez wrote:

>
> Martin Hermanowski wrote on 06/30/2006 05:10:24 AM:
>
>> So there are two different VTPM implementations at the moment? Are there
>> plans to release the one described in the research report?
>
> Martin,
>
> I think it would be more accurate to say that there are at least two
> different vTPM implementations for Xen (supporting a diversity of vTPM
> implementations was one of the design points from the beginning).

OK

> While the vTPM implementation described in the IBM research report is
> not available (at least not as open source), we have discussed releasing
> it in the past. However, we currently have no plans to do so. We feel that
> the version supported by Intel, based on an existing open source TPM
> emulator, should be made adequate for most purposes. If you feel
> differently, please let us know.

One thing that surprised me after reading the report was, that the
current vTPM implementation in xen-testing did not do any measurements
to PCRs, and that it seems like the vTPM is created when the tpm-xen
module is loaded in DomU, and not when the DomU is created.

If I understood the vTPM architecture correctly, this is not
implementation specific (this is only the vtpm_managerd part, right?),
but a Xen issue.

I will try to switch to xen-unstable, to have the latest vTPM
development that's available.

Thanks,
Martin

--
Martin Hermanowski
http://martin.hermanowski.name

RE: [Q] about vTPM

Scarlata, Vincent R
In reply to this post by sakaia
 

>-----Original Message-----
>From: [hidden email]
>[mailto:[hidden email]] On Behalf Of
>Martin Hermanowski
>Sent: Saturday, July 01, 2006 6:43 AM
>To: Ronald Perez
>Cc: [hidden email]
>Subject: Re: [Xense-devel] [Q] about vTPM
>
>One thing that surprised me after reading the report was, that the
>current vTPM implementation in xen-testing did not do any measurements
>to PCRs, and that it seems like the vTPM is created when the tpm-xen
>module is loaded in DomU, and not when the DomU is created.
>
>If I understood the vTPM architecture correctly, this is not
>implementation specific (this is only the vtpm_managerd part, right?),
>but a Xen issue.

I think a couple of different issues are being combined here.

1) As an artifact of xen's FE/BE structure and the way we *were*
signaling the vtpm manager about new domains, a new VTPM instance wasn't
created until the FE driver executed and told the BE about it. When
Dom0/DomU merged into one kernel tree, the FE has become a module, which
is far too late to start the vTPM. This, however, has changed in the
unstable tree. The instance is now created during domain construction
before the domain starts executing.

2) The boot process and xen and the currently trusted dom 0 are not
measured into the TPM. This requires you to install a TPM enhanced GRUB
on your system. This is not included in xen, but is a standard part of
TPM enabling your linux-based system.

3) When the guest comes up, PCRRead indicates that all the PCRs are
empty. This has 2 causes. One is that standard linux does not have a TPM
measurement facility. If you want your OS measured, you will need to
install something like IBM's Integrity Measurement Agent (IMA). Second,
we are currently not preloading any of the low PCRs with appropriate
boot information. This is mostly because we haven't bottomed out on what
they should be, and TCG hasn't declared the correct behavior in the form
of a spec. There are legitimate arguments in several different
directions, depending on a variety of factors. I would be happy to break
out into a discussion about various ways to represent a virtual
environment in VTPM, but I would want to take it off the list as it is
not a xen discussion.

-Vinnie Scarlata
Trusted Platforms Lab
System Technology Lab, CTG
Intel Corporation

RE: [Q] about vTPM

Reiner Sailer

Vincent,

>This has 2 causes. One is that standard linux does not have a TPM
>measurement facility. If you want your OS measured, you will need to
>install something like IBM's Integrity Measurement Agent (IMA). Second,

This is a good point. There is no reason why Linux should not have an integrity module that offers generic integrity-related services (measurements included). Probably a good topic to discuss with the Linux Kernel community at the upcoming Ottawa Linux Symposium (OLS) in July. The core Linux kernel does support application access to the hardware TPM, so it seems natural to also support the core TPM operations in the kernel.

In fact, when we released the IBM Integrity Measurement Architecture to the Linux Kernel Mailing list some time ago, the objective discussion went along these lines. Rather than being bound to the Linux Security Module interface (currently IMA uses LSM), the better approach is to make it a core kernel service.

We have also discussed releasing an IMA patch exactly for the purpose cited in this mail thread (we have experimented internally with it for some time) but we concluded that there should be a generic solution that is integrated into the core Linux kernel. There was not a lot of (positive :-) interest in this area at that time so priorities took over.

For those interested to learn more about the Integrity Measurement Architecture:
Open-source code: http://sourceforge.net/projects/linux-ima
Some descriptive information and code links:
http://domino.research.ibm.com/comm/research_people.nsf/pages/sailer.ima.html
and http://www.research.ibm.com/ssd_ima.

Reiner
__________________________________________________________
Reiner Sailer, Research Staff Member, Secure Systems Department
IBM T J Watson Research Ctr, 19 Skyline Drive, Hawthorne NY 10532
Phone: 914 784 6280  (t/l 863)  Fax: 914 784 6205, [hidden email]  
http://www.research.ibm.com/people/s/sailer/



"Scarlata, Vincent R" <[hidden email]>
Sent by: [hidden email]
07/01/2006 01:21 PM
To: "Martin Hermanowski" <[hidden email]>
cc: [hidden email]
Subject: RE: [Xense-devel] [Q] about vTPM

>-----Original Message-----
>From: [hidden email]
>[mailto:[hidden email]] On Behalf Of
>Martin Hermanowski
>Sent: Saturday, July 01, 2006 6:43 AM
>To: Ronald Perez
>Cc: [hidden email]
>Subject: Re: [Xense-devel] [Q] about vTPM
>
>One thing that surprised me after reading the report was, that the
>current vTPM implementation in xen-testing did not do any measurements
>to PCRs, and that it seems like the vTPM is created when the tpm-xen
>module is loaded in DomU, and not when the DomU is created.
>
>If I understood the vTPM architecture correctly, this is not
>implementation specific (this is only the vtpm_managerd part, right?),
>but a Xen issue.

I think a couple of different issues are being combined here.

1) As an artifact of xen's FE/BE structure and the way we *were*
signaling the vtpm manager about new domains, a new VTPM instance wasn't
created until the FE driver executed and told the BE about it. When
Dom0/DomU merged into one kernel tree, the FE has become a module, which
is far too late to start the vTPM. This, however, has changed in the
unstable tree. The instance is now created during domain construction
before the domain starts executing.

2) The boot process and xen and the currently trusted dom 0 are not
measured into the TPM. This requires you to install a TPM enhanced GRUB
on your system. This is not included in xen, but is a standard part of
TPM enabling your linux-based system.

3) When the guest comes up, PCRRead indicates that all the PCRs are
empty. This has 2 causes. One is that standard linux does not have a TPM
measurement facility. If you want your OS measured, you will need to
install something like IBM's Integrity Measurement Agent (IMA). Second,
we are currently not preloading any of the low PCRs with appropriate
boot information. This is mostly because we haven't bottomed out on what
they should be, and TCG hasn't declared the correct behavior in the form
of a spec. There are legitimate arguments in several different
directions, depending on a variety of factors. I would be happy to break
out into a discussion about various ways to represent a virtual
environment in VTPM, but I would want to take it off the list as it is
not a xen discussion.

-Vinnie Scarlata
Trusted Platforms Lab
System Technology Lab, CTG
Intel Corporation

Re: [Q] about vTPM

Martin Hermanowski-5
In reply to this post by Scarlata, Vincent R
Scarlata, Vincent R wrote:

>  
>
>> -----Original Message-----
>> From: [hidden email]
>> [mailto:[hidden email]] On Behalf Of
>> Martin Hermanowski
>> Sent: Saturday, July 01, 2006 6:43 AM
>> To: Ronald Perez
>> Cc: [hidden email]
>> Subject: Re: [Xense-devel] [Q] about vTPM
>>
>> One thing that surprised me after reading the report was, that the
>> current vTPM implementation in xen-testing did not do any measurements
>> to PCRs, and that it seems like the vTPM is created when the tpm-xen
>> module is loaded in DomU, and not when the DomU is created.
>>
>> If I understood the vTPM architecture correctly, this is not
>> implementation specific (this is only the vtpm_managerd part, right?),
>> but a Xen issue.
>
> I think a couple of different issues are being combined here.
>
> 1) As an artifact of xen's FE/BE structure and the way we *were*
> signaling the vtpm manager about new domains, a new VTPM instance wasn't
> created until the FE driver executed and told the BE about it. When
> Dom0/DomU merged into one kernel tree, the FE has become a module, which
> is far too late to start the vTPM. This, however, has changed in the
> unstable tree. The instance is now created during domain construction
> before the domain starts executing.

OK, I will have a look at -unstable. This behaviour is what I expected
to find.

> 2) The boot process and xen and the currently trusted dom 0 are not
> measured into the TPM. This requires you to install a TPM enhanced GRUB
> on your system. This is not included in xen, but is a standard part of
> TPM enabling your linux-based system.

Yes, I am aware of this. This does not differ from "normal" TPM secured
systems.

> 3) When the guest comes up, PCRRead indicates that all the PCRs are
> empty. This has 2 causes. One is that standard linux does not have a TPM
> measurement facility. If you want your OS measured, you will need to
> install something like IBM's Integrity Measurement Agent (IMA). Second,
> we are currently not preloading any of the low PCRs with appropriate
> boot information. This is mostly because we haven't bottomed out on what
> they should be, and TCG hasn't declared the correct behavior in the form
> of a spec. There are legitimate arguments in several different
> directions, depending on a variety of factors. I would be happy to break
> out into a discussion about various ways to represent a virtual
> environment in VTPM, but I would want to take it off the list as it is
> not a xen discussion.

I understand that extending the PCR concept to support virtualization is
still in discussion, and thus problematic to implement. While I think
that the idea expressed in the RC23879 report (Measuring Dom0 to PCR 8
and marking it read-only in DomU) looks very nice, it might run into
problems when HVM domains should be supported, which want to use PCR 8
for their own measurements...

Is there a public list for this discussion?

Thanks a lot for the clarifications!
Regards,
Martin

--
Martin Hermanowski
http://martin.hermanowski.name

Re: [Q] about vTPM

Stefan Berger

[hidden email] wrote on 07/02/2006 09:53:54 AM:

> Scarlata, Vincent R wrote:
> >  
> >

>
> > 3) When the guest comes up, PCRRead indicates that all the PCRs are
> > empty. This has 2 causes. One is that standard linux does not have a TPM
> > measurement facility. If you want your OS measured, you will need to
> > install something like IBM's Integrity Measurement Agent (IMA). Second,
> > we are currently not preloading any of the low PCRs with appropriate
> > boot information. This is mostly because we haven't bottomed out on what
> > they should be, and TCG hasn't declared the correct behavior in the form
> > of a spec. There are legitimate arguments in several different
> > directions, depending on a variety of factors. I would be happy to break
> > out into a discussion about various ways to represent a virtual
> > environment in VTPM, but I would want to take it off the list as it is
> > not a xen discussion.
>
> I understand that extending the PCR concept to support virtualization is
> still in discussion, and thus problematic to implement. While I think
> that the idea expressed in the RC23879 report (Measuring Dom0 to PCR 8
> and marking it read-only in DomU) looks very nice, it might run into
> problems when HVM domains should be supported, which want to use PCR 8
> for their own measurements...
>

The mapping concept requires awareness of the OS trying to use a PCR. A possibility would be to react upon the error message returned from the extend operation and try to use the next available PCR. An OS implementing this would still be using the usual PCR if run directly on hardware. Another possibility would be to support the allocation of the usage of a PCR (shared, exclusive), though the TPM itself might be too low of a level to support this.

 Regards,
    Stefan

> Is there a public list for this discussion?
>
> Thanks a lot for the clarifications!
> Regards,
> Martin
>
> --
> Martin Hermanowski
> http://martin.hermanowski.name

_______________________________________________
Xense-devel mailing list
[hidden email]
http://lists.xensource.com/xense-devel
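
The PCR behaviour discussed in Vincent Scarlata's point 3 and in Stefan Berger's last reply, as an added sketch that is not code from the thread, Xen or vtpm_managerd: a guest sees empty PCRs until something extends them, a vTPM can preload PCR 8 with the Dom0 measurement and make it read-only (the RC23879 idea as Martin describes it), and a guest that gets an error on extend moves to the next PCR. `ToyVtpm`, `PcrLockedError`, `extend_with_fallback` and `replay` are hypothetical names; the extend formula is the TPM 1.2 SHA-1 one, and the measured inputs are constructed.

```python
import hashlib

PCR_COUNT = 16           # static PCRs 0-15 only (simplification of this sketch)
DIGEST_LEN = 20          # SHA-1 digest length, as used by TPM 1.2


class PcrLockedError(Exception):
    """Hypothetical error for an extend on a PCR the guest may only read."""


def extend_value(old, measurement):
    """TPM 1.2 style extend: new = SHA1(old || SHA1(measurement))."""
    return hashlib.sha1(old + hashlib.sha1(measurement).digest()).digest()


def replay(measurements):
    """Verifier side: recompute a PCR from its ordered measurement list."""
    value = bytes(DIGEST_LEN)
    for item in measurements:
        value = extend_value(value, item)
    return value


class ToyVtpm:
    """Per-guest PCR bank; 'preload' maps PCR index -> host-side measurements."""

    def __init__(self, preload=None):
        # Without preloading, a PCR read returns all zeros ("empty").
        self.pcrs = [bytes(DIGEST_LEN) for _ in range(PCR_COUNT)]
        self.read_only = set()
        for index, items in (preload or {}).items():
            self.pcrs[index] = replay(items)
            self.read_only.add(index)   # guest can read it but not extend it

    def pcr_read(self, index):
        return self.pcrs[index]

    def extend(self, index, measurement):
        if index in self.read_only:
            raise PcrLockedError(index)
        self.pcrs[index] = extend_value(self.pcrs[index], measurement)
        return self.pcrs[index]


def extend_with_fallback(tpm, preferred, measurement):
    """Guest policy from the thread: on an extend error, try the next PCR.

    Returns the index actually used so it can be recorded in the event log.
    """
    for index in range(preferred, PCR_COUNT):
        try:
            tpm.extend(index, measurement)
            return index
        except PcrLockedError:
            continue
    raise RuntimeError("no writable PCR at or above %d" % preferred)


def demo():
    dom0 = [b"constructed: dom0 kernel", b"constructed: dom0 initrd"]
    guest = b"constructed: guest kernel"
    bare = ToyVtpm()                       # stands in for real hardware
    virt = ToyVtpm(preload={8: dom0})      # Dom0 measured into read-only PCR 8
    return {
        "bare_index": extend_with_fallback(bare, 8, guest),
        "virt_index": extend_with_fallback(virt, 8, guest),
        "bare": bare, "virt": virt, "dom0": dom0, "guest": guest,
    }


if __name__ == "__main__":
    result = demo()
    print("on bare hardware the guest used PCR", result["bare_index"])
    print("under the vTPM the guest used PCR", result["virt_index"])
    print("vTPM PCR 8:", result["virt"].pcr_read(8).hex())
```

The same guest measurement lands in PCR 8 on hardware and in PCR 9 under this toy vTPM, so the index returned by `extend_with_fallback` has to reach the verifier (for instance in the measurement log) before `replay` can be compared against the right register.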