Xen 		  
Home About Xen.org Xen Xen Summit Wiki Mailing List Bug Tracker Xen Downloads
 
   
 

xense-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xense-devel] RE: [TrouSerS-users] vTPM data seal issue

from [Osborn, Justin D.] [Permanent Link][Original]
To: "Hal Finney" <hal.finney@xxxxxxxxx>
Subject: [Xense-devel] RE: [TrouSerS-users] vTPM data seal issue
From: "Osborn, Justin D." <Justin.Osborn@xxxxxxxxxx>
Date: Thu, 19 Oct 2006 08:30:30 -0400
Cc: xense-devel@xxxxxxxxxxxxxxxxxxx, trousers-users@xxxxxxxxxxxxxxxxxxxxx
Delivery-date: Thu, 19 Oct 2006 05:30:48 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xense-devel-request@lists.xensource.com?subject=help>
List-id: "A discussion list for those developing security enhancements for Xen." <xense-devel.lists.xensource.com>
List-post: <mailto:xense-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcbzIiGSPyNVHCnmT8WP/2wWf9vkNwAVX06g
Thread-topic: [TrouSerS-users] vTPM data seal issue 
 

-----Original Message-----
From: Hal Finney [mailto:hal.finney@xxxxxxxxx] 
Sent: Wednesday, October 18, 2006 9:53 PM
To: Osborn, Justin D.
Cc: xense-devel@xxxxxxxxxxxxxxxxxxx;
trousers-users@xxxxxxxxxxxxxxxxxxxxx; vincent.r.scarlata@xxxxxxxxx
Subject: Re: [TrouSerS-users] vTPM data seal issue

> That's neat that you got that to work. I've been interested in
experimenting with Xen and TPM but I've 
> had trouble getting Xen to run at all on my Thinkpad. Maybe the
xen-unstable version would work better. 
> What kernel are you using?

Xen-unstable works with kernel 2.6.16.29 (which has the tpm_tis driver
for TPM v. 1.2 support).

> One thing I don't understand is how the PCRs are shared between the
various VMs. I wonder if the idea 
> is that user code doesn't talk to the "real" PCRs, at all, rather Xen
makes up a set of fake PCRs for each
> VM. The real PCRs are only used to measure Xen. Then I think most TPM
operations wouldn't even touch the 
> real TPM. If you seal and unseal, it is Xen which is maintaining its
virtual PCRs, does the crypto, and 
> decides if the unseal will work. Xen protects the user's secrets using
its virtual TPM code, and all of 
> Xen's secrets are protected by the real TPM. Something like this,
anyway. I need to learn more about how 
> all this will work.

Actually, you're right.  The vTPM PCRs are just a buffer in the memory
of vtpmd.  Right now they are just defined to be zero on initialization.
The original IBM vTPM paper says that vTPM PCRs 1-8 should be the same
as the physical TPM's PCRs, but from what I can tell people were in
disagreement on that so right now they're all set to zero.

Speaking of which, here's a question for the vTPM developers:  Is there
code out there to load the vTPM PCRs (1-8) with the values from the
physical TPM?  I'm about to (attempt to) write that, and it'd be helpful
if someone's already done it.

Thanks,
Justin

_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xense-devel] vTPM data seal issue, Osborn, Justin D.
Next by Date:  Re: [Xense-devel] RE: [TrouSerS-users] vTPM data seal issue, Stefan Berger
Previous by Thread:  [Xense-devel] vTPM data seal issue, Osborn, Justin D.
Next by Thread:  Re: [Xense-devel] RE: [TrouSerS-users] vTPM data seal issue, Stefan Berger
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , XenSource, Inc. All rights reserved. Note: the xen.org trademark policy
is changing. For information please email legalxen.org, Legal and Privacy