Re: [Xense-devel] Run vTPM in its own VM?

xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 09/14/2006 05:00:56 AM: > The README of the current Xen unstable version says that setting > VTPM_MULTI_VM allows running each vTPM in its own VM. However, compiling > with this option doesn't work on my machine and the code doesn't seem to > be complete for this option. > > Did I miss to configure something or is the current implementation in > Xen not really ready for running a vTPM in a separate VM?

I am not familiar with the option above since I am running a different implementation of a VTPM, but I can say that it should generally be possible to run a vTPM in a separate domain, but I haven't done this in a long time. There exists an option when defining the vtpm in the VM configuration file to have it's backend located in a different domain than domain-0. Typically such an entry looks like

vtpm=['backend=0,instance=1']

to talk to a vTPM in domain-0 ( => backend=0 ).

There's one catch, though, and that's that all the hotplug scripts that are typically doing the life-cycle management of the vTPM instances now also have to be installed in that domain along with hotplug daemon etc.. I myself haven't run the vTPM in any other domain than domain-0 in a long time.
> > Can you explain to me how a communication will look like for the planned > implementation in Xen? Will all communication continue to go through the > vTPM manager and the vTPM manager talks to a kind of FE that transmits > TPM commands to a BE running in a separate domain? Or is it possible to > set up direct connections between a user domain TPM FE and the vTPM > running in an isolated VM?

It is possible to connect them directly with the vm configuration option above.
It should be possible to start a 2nd domain whose only purpose would be to run the vTPM - along with the hotplug stuff mentioned above running in that domain. That domain would have to be started from domain-0. However, you have a gap then if it's about taking integrity measurements of applications and a correct 'trust' chain. The proper way of doing this would be to have that vTPM-hosting domain started before domain 0 (including all the complications on how to access persistent storage etc.).
Can you tell us a bit more about what you are planning on doing?

Stefan
> > Regards, > Anna > > _______________________________________________ > Xense-devel mailing list > Xense-devel@xxxxxxxxxxxxxxxxxxx > http://lists.xensource.com/xense-devel

_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:

[Xense-devel] Run vTPM in its own VM?, Fischer, Anna

Next by Date:

RE: [Xense-devel] Run vTPM in its own VM?, Scarlata, Vincent R

Previous by Thread:

[Xense-devel] Run vTPM in its own VM?, Fischer, Anna

Next by Thread:

RE: [Xense-devel] Run vTPM in its own VM?, Fischer, Anna

Indexes:

[Date] [Thread] [Top] [All Lists]