Diffstat (limited to 'Documentation/tpm')
-rw-r--r-- Documentation/tpm/xen-tpmfront.txt | 113 +
1 files changed, 113 insertions, 0 deletions
diff --git a/Documentation/tpm/xen-tpmfront.txt b/Documentation/tpm/xen-tpmfront.txt new file mode 100644 index 000000000000..69346de87ff3 --- /dev/null +++ b/Documentation/tpm/xen-tpmfront.txt | |||
@@ -0,0 +1,113 @@ | |||
1 | Virtual TPM interface for Xen | ||
2 | |||
3 | Authors: Matthew Fioravante (JHUAPL), Daniel De Graaf (NSA) | ||
4 | |||
5 | This document describes the virtual Trusted Platform Module (vTPM) subsystem for | ||
6 | Xen. The reader is assumed to have familiarity with building and installing Xen, | ||
7 | Linux, and a basic understanding of the TPM and vTPM concepts. | ||
8 | |||
9 | INTRODUCTION | ||
10 | |||
11 | The goal of this work is to provide a TPM functionality to a virtual guest | ||
12 | operating system (in Xen terms, a DomU). This allows programs to interact with | ||
13 | a TPM in a virtual system the same way they interact with a TPM on the physical | ||
14 | system. Each guest gets its own unique, emulated, software TPM. However, each | ||
15 | of the vTPM's secrets (Keys, NVRAM, etc) are managed by a vTPM Manager domain, | ||
16 | which seals the secrets to the Physical TPM. If the process of creating each of | ||
17 | these domains (manager, vTPM, and guest) is trusted, the vTPM subsystem extends | ||
18 | the chain of trust rooted in the hardware TPM to virtual machines in Xen. Each | ||
19 | major component of vTPM is implemented as a separate domain, providing secure | ||
20 | separation guaranteed by the hypervisor. The vTPM domains are implemented in | ||
21 | mini-os to reduce memory and processor overhead. | ||
22 | |||
23 | This mini-os vTPM subsystem was built on top of the previous vTPM work done by | ||
24 | IBM and Intel corporation. | ||
25 | |||
26 | |||
27 | DESIGN OVERVIEW | ||
28 | --------------- | ||
29 | |||
30 | The architecture of vTPM is described below: | ||
31 | |||
32 | +------------------+ | ||
33 | | Linux DomU | ... | ||
34 | | | ^ | | ||
35 | | v | | | ||
36 | | xen-tpmfront | | ||
37 | +------------------+ | ||
38 | | ^ | ||
39 | v | | ||
40 | +------------------+ | ||
41 | | mini-os/tpmback | | ||
42 | | | ^ | | ||
43 | | v | | | ||
44 | | vtpm-stubdom | ... | ||
45 | | | ^ | | ||
46 | | v | | | ||
47 | | mini-os/tpmfront | | ||
48 | +------------------+ | ||
49 | | ^ | ||
50 | v | | ||
51 | +------------------+ | ||
52 | | mini-os/tpmback | | ||
53 | | | ^ | | ||
54 | | v | | | ||
55 | | vtpmmgr-stubdom | | ||
56 | | | ^ | | ||
57 | | v | | | ||
58 | | mini-os/tpm_tis | | ||
59 | +------------------+ | ||
60 | | ^ | ||
61 | v | | ||
62 | +------------------+ | ||
63 | | Hardware TPM | | ||
64 | +------------------+ | ||
65 | |||
66 | * Linux DomU: The Linux based guest that wants to use a vTPM. There may be | ||
67 | more than one of these. | ||
68 | |||
69 | * xen-tpmfront.ko: Linux kernel virtual TPM frontend driver. This driver | ||
70 | provides vTPM access to a Linux-based DomU. | ||
71 | |||
72 | * mini-os/tpmback: Mini-os TPM backend driver. The Linux frontend driver | ||
73 | connects to this backend driver to facilitate communications | ||
74 | between the Linux DomU and its vTPM. This driver is also | ||
75 | used by vtpmmgr-stubdom to communicate with vtpm-stubdom. | ||
76 | |||
77 | * vtpm-stubdom: A mini-os stub domain that implements a vTPM. There is a | ||
78 | one to one mapping between running vtpm-stubdom instances and | ||
79 | logical vtpms on the system. The vTPM Platform Configuration | ||
80 | Registers (PCRs) are normally all initialized to zero. | ||
81 | |||
82 | * mini-os/tpmfront: Mini-os TPM frontend driver. The vTPM mini-os domain | ||
83 | vtpm-stubdom uses this driver to communicate with | ||
84 | vtpmmgr-stubdom. This driver is also used in mini-os | ||
85 | domains such as pv-grub that talk to the vTPM domain. | ||
86 | |||
87 | * vtpmmgr-stubdom: A mini-os domain that implements the vTPM manager. There is | ||
88 | only one vTPM manager and it should be running during the | ||
89 | entire lifetime of the machine. This domain regulates | ||
90 | access to the physical TPM on the system and secures the | ||
91 | persistent state of each vTPM. | ||
92 | |||
93 | * mini-os/tpm_tis: Mini-os TPM version 1.2 TPM Interface Specification (TIS) | ||
94 | driver. This driver used by vtpmmgr-stubdom to talk directly to | ||
95 | the hardware TPM. Communication is facilitated by mapping | ||
96 | hardware memory pages into vtpmmgr-stubdom. | ||
97 | |||
98 | * Hardware TPM: The physical TPM that is soldered onto the motherboard. | ||
99 | |||
100 | |||
101 | INTEGRATION WITH XEN | ||
102 | -------------------- | ||
103 | |||
104 | Support for the vTPM driver was added in Xen using the libxl toolstack in Xen | ||
105 | 4.3. See the Xen documentation (docs/misc/vtpm.txt) for details on setting up | ||
106 | the vTPM and vTPM Manager stub domains. Once the stub domains are running, a | ||
107 | vTPM device is set up in the same manner as a disk or network device in the | ||
108 | domain's configuration file. | ||
109 | |||
110 | In order to use features such as IMA that require a TPM to be loaded prior to | ||
111 | the initrd, the xen-tpmfront driver must be compiled in to the kernel. If not | ||
112 | using such features, the driver can be compiled as a module and will be loaded | ||
113 | as usual. | ||
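Review bot: the trust claim at new-file lines 16-18 (`If the process of creating each of these domains (manager, vTPM, and guest) is trusted, the vTPM subsystem extends the chain of trust rooted in the hardware TPM to virtual machines in Xen`) is never reconciled with the statement at line 80 that the vTPM PCRs `are normally all initialized to zero`; the document should state what, if anything, extends those PCRs before the guest kernel runs (line 85 notes that pv-grub talks to the vTPM domain but does not say whether it records measurements there) and spell out that a DomU whose vTPM PCRs were never extended carries no measurement of its own boot, so that a reader does not assume a vTPM quote attests the guest's boot state when the configuration does not provide for it. Smaller points: lines 14-15 `each of the vTPM's secrets (Keys, NVRAM, etc) are managed` should read `is managed`; line 94 is missing a verb (`This driver is used by vtpmmgr-stubdom`); line 69 names the driver `xen-tpmfront.ko` while the diagram at line 36 and the build note at lines 110-113 (which says it may be compiled in) use `xen-tpmfront`, so dropping the `.ko` suffix would be consistent; and the INTRODUCTION heading at line 9 lacks the dashed underline used for DESIGN OVERVIEW and INTEGRATION WITH XEN.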