RE: [TrouSerS-users] vTPM data seal issue

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

RE: [TrouSerS-users] vTPM data seal issue

Osborn, Justin D.
 

-----Original Message-----
From: Hal Finney [mailto:[hidden email]]
Sent: Wednesday, October 18, 2006 9:53 PM
To: Osborn, Justin D.
Cc: [hidden email];
[hidden email]; [hidden email]
Subject: Re: [TrouSerS-users] vTPM data seal issue

> That's neat that you got that to work. I've been interested in
experimenting with Xen and TPM but I've
> had trouble getting Xen to run at all on my Thinkpad. Maybe the
xen-unstable version would work better.
> What kernel are you using?

Xen-unstable works with kernel 2.6.16.29 (which has the tpm_tis driver
for TPM v. 1.2 support).

> One thing I don't understand is how the PCRs are shared between the
various VMs. I wonder if the idea
> is that user code doesn't talk to the "real" PCRs, at all, rather Xen
makes up a set of fake PCRs for each
> VM. The real PCRs are only used to measure Xen. Then I think most TPM
operations wouldn't even touch the
> real TPM. If you seal and unseal, it is Xen which is maintaining its
virtual PCRs, does the crypto, and
> decides if the unseal will work. Xen protects the user's secrets using
its virtual TPM code, and all of
> Xen's secrets are protected by the real TPM. Something like this,
anyway. I need to learn more about how
> all this will work.

Actually, you're right.  The vTPM PCRs are just a buffer in the memory
of vtpmd.  Right now they are just defined to be zero on initialization.
The original IBM vTPM paper says that vTPM PCRs 1-8 should be the same
as the physical TPM's PCRs, but from what I can tell people were in
disagreement on that so right now they're all set to zero.

Speaking of which, here's a question for the vTPM developers:  Is there
code out there to load the vTPM PCRs (1-8) with the values from the
physical TPM?  I'm about to (attempt to) write that, and it'd be helpful
if someone's already done it.

Thanks,
Justin

_______________________________________________
Xense-devel mailing list
[hidden email]
http://lists.xensource.com/xense-devel
Reply | Threaded
Open this post in threaded view
|

Re: RE: [TrouSerS-users] vTPM data seal issue

Stefan Berger

[hidden email] wrote on 10/19/2006 08:30:30 AM:

>  
>
> -----Original Message-----
> From: Hal Finney [mailto:[hidden email]]
> Sent: Wednesday, October 18, 2006 9:53 PM
> To: Osborn, Justin D.
> Cc: [hidden email];
> [hidden email]; [hidden email]
> Subject: Re: [TrouSerS-users] vTPM data seal issue
>
> > That's neat that you got that to work. I've been interested in
> experimenting with Xen and TPM but I've
> > had trouble getting Xen to run at all on my Thinkpad. Maybe the
> xen-unstable version would work better.
> > What kernel are you using?
>
> Xen-unstable works with kernel 2.6.16.29 (which has the tpm_tis driver
> for TPM v. 1.2 support).
>
> > One thing I don't understand is how the PCRs are shared between the
> various VMs. I wonder if the idea
> > is that user code doesn't talk to the "real" PCRs, at all, rather Xen
> makes up a set of fake PCRs for each
> > VM. The real PCRs are only used to measure Xen. Then I think most TPM
> operations wouldn't even touch the
> > real TPM. If you seal and unseal, it is Xen which is maintaining its
> virtual PCRs, does the crypto, and
> > decides if the unseal will work. Xen protects the user's secrets using
> its virtual TPM code, and all of
> > Xen's secrets are protected by the real TPM. Something like this,
> anyway. I need to learn more about how
> > all this will work.
>
> Actually, you're right.  The vTPM PCRs are just a buffer in the memory
> of vtpmd.  Right now they are just defined to be zero on initialization.
> The original IBM vTPM paper says that vTPM PCRs 1-8 should be the same
> as the physical TPM's PCRs, but from what I can tell people were in

The treatment of the lower PCRs that we describe there basically relays a TPM_PCRRead() originating in a VM to the hardware TPM for those PCRs that are configured as 'mapped'. So the PCRs 0-7 for example show the current state of the hardware TPM's PCR register 0-7 because they are 'mapped'. There are also measurement lists (taken by the BIOS or the Linux Integrity Measurement Architecture) associated with each PCR which also have to be relayed into the VM. This can all be done in drivers and should not require changes to applications or the TSS.

The support of mapping PCRs and measurement lists tries to solve the problem of attesting to virtualized systems and helping to find the hardware core root of trust. And, yes, there's disagreement on how to do this.

The problem with the mapping of PCRs is how to deal with signatures for quotes. We currently have the virtual TPM sign the complete quote, although logically it does not own the mapped PCRs. For unmodified OSes running inside a VM where one does not necessarily make changes to drivers, this isn't practial to do. There, if one wants to see the core root of trust, it's probably practical to challenge the VM that owns the hardware TPM.

> disagreement on that so right now they're all set to zero.

>
> Speaking of which, here's a question for the vTPM developers:  Is there
> code out there to load the vTPM PCRs (1-8) with the values from the
> physical TPM?  I'm about to (attempt to) write that, and it'd be helpful
> if someone's already done it.


With "loading" you probably mean setting the PCR values to the state of the PCRs at the time of the load. I think 'relaying' is probably better in order to show current state.

 Stefan

>
> Thanks,
> Justin
>
> _______________________________________________
> Xense-devel mailing list
> [hidden email]
> http://lists.xensource.com/xense-devel

_______________________________________________
Xense-devel mailing list
[hidden email]
http://lists.xensource.com/xense-devel
Reply | Threaded
Open this post in threaded view
|

RE: [TrouSerS-users] vTPM data seal issue

Scarlata, Vincent R
In reply to this post by Osborn, Justin D.
Below is a patch to the vtpm to copy all the hwPCRs into the vPCRs
during vtpm initialization. The reason that it's not part of the xen
tree is that it's not clear exactly what these PCRs mean in virtual
environment.

More precisely, PCRs 0-7 indicate the BIOS/firmware/MBR/loader,etc
configuration of the platform. For a physical platform, seems pretty
clean cut about what these are. Well, what about an HVM? HVMs have two
sets of these. For example, the platform BIOS and the BOCHS BIOS, which
one goes in vPCR 0? What about a paravirtualized VM? There is only 1
BIOS, but some other places in the PCR list are fuzzy. Like, the loader
measures the "kernel." Is the Xen or the Linux Kernel? How does an
attester know what to expect?

You quickly get into usage model discussions to determine what the
appropriate values for virtual PCRs should be. So for now, they are set
to the default boot configuration for a TPM.

-Vinnie Scarlata
 Trusted Platform Lab
 Corporate Technology Group
 Intel Corporation

-----Original Message-----
From: Osborn, Justin D. [mailto:[hidden email]]
Sent: Thursday, October 19, 2006 5:31 AM
To: Hal Finney
Cc: [hidden email];
[hidden email]; Scarlata, Vincent R
Subject: RE: [TrouSerS-users] vTPM data seal issue

> Speaking of which, here's a question for the vTPM developers:  Is
there
> code out there to load the vTPM PCRs (1-8) with the values from the
> physical TPM?  I'm about to (attempt to) write that, and it'd be
helpful
> if someone's already done it.

diff -uprN vtpm/tpm/tpm_startup.c vtpm-pcrcopy/tpm/tpm_startup.c
--- vtpm/tpm/tpm_startup.c      2006-08-14 15:28:46.000000000 -0700
+++ vtpm-pcrcopy/tpm/tpm_startup.c      2006-08-14 15:28:23.000000000
-0700
@@ -20,6 +20,93 @@
 #include "tpm_data.h"
 #include "tpm_handles.h"

+
+/*
+ * Copy hTPM PCRs from hTPM
+ *
+ */
+static int copy_pcrs()
+{
+  int res, out_data_size, in_header_size;
+  BYTE *ptr, *out_data, *in_header;
+  UINT32 result, len, in_rsp_size;
+  UINT16 tag = VTPM_TAG_REQ;
+  UINT32 index;
+
+  printf("Copying hTPM PCRs...\n");
+
+  for (index=0; index < TPM_NUM_PCR; index ++) {
+    if (index = 8) { // Skip pcrs 8-16
+       index = 17;
+       continue;
+    }
+
+    if (vtpm_tx_fh < 0) {
+      vtpm_tx_fh = open(VTPM_TX_FIFO, O_WRONLY);
+    }
+
+    if (vtpm_tx_fh < 0) {
+      return -1;
+    }
+
+    // Send request to VTPM Manager to encrypt data
+    out_data_size = len = VTPM_COMMAND_HEADER_SIZE_SRV + data_length;
+    out_data = ptr = (BYTE *) malloc(len);
+
+    if (ptr == NULL
+            || tpm_marshal_UINT32(&ptr, &len, dmi_id)
+            || tpm_marshal_UINT16(&ptr, &len, tag)
+            || tpm_marshal_UINT32(&ptr, &len, out_data_size -
sizeof(uint32_t))
+            || tpm_marshal_UINT32(&ptr, &len, VTPM_ORD_TPMCOMMAND)
+            || tpm_marshal_UINT32(&ptr, &len, index)) {
+          free(out_data);
+          return -1;
+    }
+    printf("\tCopying HW PCR %d.\n", index);
+    res = write(vtpm_tx_fh, out_data, out_data_size);
+    free(out_data);
+    if (res != out_data_size) return -1;
+
+    if (vtpm_rx_fh < 0) {
+      if (vtpm_rx_name == NULL) {
+        vtpm_rx_name = malloc(10 + strlen(VTPM_RX_FIFO_D));
+        sprintf(vtpm_rx_name, VTPM_RX_FIFO_D, (uint32_t) dmi_id);
+      }
+      vtpm_rx_fh = open(vtpm_rx_name, O_RDONLY);
+    }
+
+    if (vtpm_rx_fh < 0) {
+          return -1;
+    }
+
+    // Read Header of response so we can get the size & status
+    in_header_size = len = VTPM_COMMAND_HEADER_SIZE_SRV;
+    in_header = ptr = malloc(in_header_size);
+
+    res = read(vtpm_rx_fh, in_header, in_header_size);
+
+    if ( (res != in_header_size)
+             || tpm_unmarshal_UINT32(&ptr, &len, (UINT32*)&dmi_id)
+             || tpm_unmarshal_UINT16(&ptr, &len, &tag)
+             || tpm_unmarshal_UINT32(&ptr, &len, &in_rsp_size)
+             || tpm_unmarshal_UINT32(&ptr, &len, &result) ) {
+             || tpm_unmarshal_BYTE_ARRAY(&ptr, &len,
&tpmData.permanent.data.pc
rValue[index].digest, 20)) {
+            free(in_header);
+            return -1;
+    }
+    free(in_header);
+
+    if (result != VTPM_SUCCESS) {
+        return -1;
+    }
+  }
+
+  printf("\tFinishing up PCR Copy\n");
+  return (0);
+ }
+
+
+
 /*
  * Admin Startup and State ([TPM_Part3], Section 3)
  * This section describes the commands that start a TPM.
@@ -59,12 +146,13 @@ TPM_RESULT TPM_Startup(TPM_STARTUP_TYPE
     /* init session-context nonce */
     SET_TO_RAND(&tpmData.stany.data.contextNonceSession);
     /* reset PCR values */
-    for (i = 0; i < TPM_NUM_PCR; i++) {
-      if (!tpmData.permanent.data.pcrAttrib[i].pcrReset)
-        SET_TO_ZERO(&tpmData.permanent.data.pcrValue[i].digest);
-      else
-        SET_TO_0xFF(&tpmData.permanent.data.pcrValue[i].digest);
-    }
+    copy_pcrs();
+    //for (i = 0; i < TPM_NUM_PCR; i++) {
+    //  if (!tpmData.permanent.data.pcrAttrib[i].pcrReset)
+    //    SET_TO_ZERO(&tpmData.permanent.data.pcrValue[i].digest);
+    //  else
+    //    SET_TO_0xFF(&tpmData.permanent.data.pcrValue[i].digest);
+    //}
     /* reset STCLEAR_FLAGS */
     SET_TO_ZERO(&tpmData.stclear.flags);
     tpmData.stclear.flags.tag = TPM_TAG_STCLEAR_FLAGS;

_______________________________________________
Xense-devel mailing list
[hidden email]
http://lists.xensource.com/xense-devel
Reply | Threaded
Open this post in threaded view
|

RE: [TrouSerS-users] vTPM data seal issue

Osborn, Justin D.
In reply to this post by Osborn, Justin D.
Vinnie,
      Thanks for the response and the patch, that's a big help.  You
bring up a lot of good points.  Fortunately for us we're not doing
attestation (yet).  We just wanted Dom U to seal to PCRs set by the BIOS
and Trusted GRUB.

Justin

-----Original Message-----
From: Scarlata, Vincent R [mailto:[hidden email]]
Sent: Thursday, October 19, 2006 7:22 PM
To: Osborn, Justin D.; Hal Finney
Cc: [hidden email];
[hidden email]
Subject: RE: [TrouSerS-users] vTPM data seal issue

Below is a patch to the vtpm to copy all the hwPCRs into the vPCRs
during vtpm initialization. The reason that it's not part of the xen
tree is that it's not clear exactly what these PCRs mean in virtual
environment.

More precisely, PCRs 0-7 indicate the BIOS/firmware/MBR/loader,etc
configuration of the platform. For a physical platform, seems pretty
clean cut about what these are. Well, what about an HVM? HVMs have two
sets of these. For example, the platform BIOS and the BOCHS BIOS, which
one goes in vPCR 0? What about a paravirtualized VM? There is only 1
BIOS, but some other places in the PCR list are fuzzy. Like, the loader
measures the "kernel." Is the Xen or the Linux Kernel? How does an
attester know what to expect?

You quickly get into usage model discussions to determine what the
appropriate values for virtual PCRs should be. So for now, they are set
to the default boot configuration for a TPM.

-Vinnie Scarlata
 Trusted Platform Lab
 Corporate Technology Group
 Intel Corporation

-----Original Message-----
From: Osborn, Justin D. [mailto:[hidden email]]
Sent: Thursday, October 19, 2006 5:31 AM
To: Hal Finney
Cc: [hidden email];
[hidden email]; Scarlata, Vincent R
Subject: RE: [TrouSerS-users] vTPM data seal issue

> Speaking of which, here's a question for the vTPM developers:  Is
there
> code out there to load the vTPM PCRs (1-8) with the values from the
> physical TPM?  I'm about to (attempt to) write that, and it'd be
helpful
> if someone's already done it.

diff -uprN vtpm/tpm/tpm_startup.c vtpm-pcrcopy/tpm/tpm_startup.c
--- vtpm/tpm/tpm_startup.c      2006-08-14 15:28:46.000000000 -0700
+++ vtpm-pcrcopy/tpm/tpm_startup.c      2006-08-14 15:28:23.000000000
-0700
@@ -20,6 +20,93 @@
 #include "tpm_data.h"
 #include "tpm_handles.h"

+
+/*
+ * Copy hTPM PCRs from hTPM
+ *
+ */
+static int copy_pcrs()
+{
+  int res, out_data_size, in_header_size;
+  BYTE *ptr, *out_data, *in_header;
+  UINT32 result, len, in_rsp_size;
+  UINT16 tag = VTPM_TAG_REQ;
+  UINT32 index;
+
+  printf("Copying hTPM PCRs...\n");
+
+  for (index=0; index < TPM_NUM_PCR; index ++) {
+    if (index = 8) { // Skip pcrs 8-16
+       index = 17;
+       continue;
+    }
+
+    if (vtpm_tx_fh < 0) {
+      vtpm_tx_fh = open(VTPM_TX_FIFO, O_WRONLY);
+    }
+
+    if (vtpm_tx_fh < 0) {
+      return -1;
+    }
+
+    // Send request to VTPM Manager to encrypt data
+    out_data_size = len = VTPM_COMMAND_HEADER_SIZE_SRV + data_length;
+    out_data = ptr = (BYTE *) malloc(len);
+
+    if (ptr == NULL
+            || tpm_marshal_UINT32(&ptr, &len, dmi_id)
+            || tpm_marshal_UINT16(&ptr, &len, tag)
+            || tpm_marshal_UINT32(&ptr, &len, out_data_size -
sizeof(uint32_t))
+            || tpm_marshal_UINT32(&ptr, &len, VTPM_ORD_TPMCOMMAND)
+            || tpm_marshal_UINT32(&ptr, &len, index)) {
+          free(out_data);
+          return -1;
+    }
+    printf("\tCopying HW PCR %d.\n", index);
+    res = write(vtpm_tx_fh, out_data, out_data_size);
+    free(out_data);
+    if (res != out_data_size) return -1;
+
+    if (vtpm_rx_fh < 0) {
+      if (vtpm_rx_name == NULL) {
+        vtpm_rx_name = malloc(10 + strlen(VTPM_RX_FIFO_D));
+        sprintf(vtpm_rx_name, VTPM_RX_FIFO_D, (uint32_t) dmi_id);
+      }
+      vtpm_rx_fh = open(vtpm_rx_name, O_RDONLY);
+    }
+
+    if (vtpm_rx_fh < 0) {
+          return -1;
+    }
+
+    // Read Header of response so we can get the size & status
+    in_header_size = len = VTPM_COMMAND_HEADER_SIZE_SRV;
+    in_header = ptr = malloc(in_header_size);
+
+    res = read(vtpm_rx_fh, in_header, in_header_size);
+
+    if ( (res != in_header_size)
+             || tpm_unmarshal_UINT32(&ptr, &len, (UINT32*)&dmi_id)
+             || tpm_unmarshal_UINT16(&ptr, &len, &tag)
+             || tpm_unmarshal_UINT32(&ptr, &len, &in_rsp_size)
+             || tpm_unmarshal_UINT32(&ptr, &len, &result) ) {
+             || tpm_unmarshal_BYTE_ARRAY(&ptr, &len,
&tpmData.permanent.data.pc
rValue[index].digest, 20)) {
+            free(in_header);
+            return -1;
+    }
+    free(in_header);
+
+    if (result != VTPM_SUCCESS) {
+        return -1;
+    }
+  }
+
+  printf("\tFinishing up PCR Copy\n");
+  return (0);
+ }
+
+
+
 /*
  * Admin Startup and State ([TPM_Part3], Section 3)
  * This section describes the commands that start a TPM.
@@ -59,12 +146,13 @@ TPM_RESULT TPM_Startup(TPM_STARTUP_TYPE
     /* init session-context nonce */
     SET_TO_RAND(&tpmData.stany.data.contextNonceSession);
     /* reset PCR values */
-    for (i = 0; i < TPM_NUM_PCR; i++) {
-      if (!tpmData.permanent.data.pcrAttrib[i].pcrReset)
-        SET_TO_ZERO(&tpmData.permanent.data.pcrValue[i].digest);
-      else
-        SET_TO_0xFF(&tpmData.permanent.data.pcrValue[i].digest);
-    }
+    copy_pcrs();
+    //for (i = 0; i < TPM_NUM_PCR; i++) {
+    //  if (!tpmData.permanent.data.pcrAttrib[i].pcrReset)
+    //    SET_TO_ZERO(&tpmData.permanent.data.pcrValue[i].digest);
+    //  else
+    //    SET_TO_0xFF(&tpmData.permanent.data.pcrValue[i].digest);
+    //}
     /* reset STCLEAR_FLAGS */
     SET_TO_ZERO(&tpmData.stclear.flags);
     tpmData.stclear.flags.tag = TPM_TAG_STCLEAR_FLAGS;

_______________________________________________
Xense-devel mailing list
[hidden email]
http://lists.xensource.com/xense-devel