=============================
Virtual TPM interface for Xen
=============================

Authors: Matthew Fioravante (JHUAPL), Daniel De Graaf (NSA)

This document describes the virtual Trusted Platform Module (vTPM) subsystem for
Xen. The reader is assumed to have familiarity with building and installing Xen,
Linux, and a basic understanding of the TPM and vTPM concepts.

Introduction
------------

The goal of this work is to provide TPM functionality to a virtual guest
operating system (in Xen terms, a DomU). This allows programs to interact with
a TPM in a virtual system the same way they interact with a TPM on the physical
system. Each guest gets its own unique, emulated, software TPM. However, each
of the vTPM's secrets (keys, NVRAM, etc.) is managed by a vTPM Manager domain,
which seals the secrets to the physical TPM. If the process of creating each of
these domains (manager, vTPM, and guest) is trusted, the vTPM subsystem extends
the chain of trust rooted in the hardware TPM to virtual machines in Xen. Each
major component of vTPM is implemented as a separate domain, providing secure
separation guaranteed by the hypervisor. The vTPM domains are implemented in
mini-os to reduce memory and processor overhead.

This mini-os vTPM subsystem was built on top of the previous vTPM work done by
IBM and Intel corporation.


Design Overview
---------------

The architecture of vTPM is described below::

  +------------------+
  |    Linux DomU    | ...
  |       |  ^       |
  |       v  |       |
  |   xen-tpmfront   |
  +------------------+
          |  ^
          v  |
  +------------------+
  | mini-os/tpmback  |
  |       |  ^       |
  |       v  |       |
  |   vtpm-stubdom   | ...
  |       |  ^       |
  |       v  |       |
  | mini-os/tpmfront |
  +------------------+
          |  ^
          v  |
  +------------------+
  | mini-os/tpmback  |
  |       |  ^       |
  |       v  |       |
  | vtpmmgr-stubdom  |
  |       |  ^       |
  |       v  |       |
  | mini-os/tpm_tis  |
  +------------------+
          |  ^
          v  |
  +------------------+
  |   Hardware TPM   |
  +------------------+

* Linux DomU:
    The Linux based guest that wants to use a vTPM. There may be
    more than one of these.

* xen-tpmfront.ko:
    Linux kernel virtual TPM frontend driver. This driver
    provides vTPM access to a Linux-based DomU.

* mini-os/tpmback:
    Mini-os TPM backend driver. The Linux frontend driver
    connects to this backend driver to facilitate communications
    between the Linux DomU and its vTPM. This driver is also
    used by vtpmmgr-stubdom to communicate with vtpm-stubdom.

* vtpm-stubdom:
    A mini-os stub domain that implements a vTPM. There is a
    one-to-one mapping between running vtpm-stubdom instances and
    logical vTPMs on the system. The vTPM Platform Configuration
    Registers (PCRs) are normally all initialized to zero.

* mini-os/tpmfront:
    Mini-os TPM frontend driver. The vTPM mini-os domain
    vtpm-stubdom uses this driver to communicate with
    vtpmmgr-stubdom. This driver is also used in mini-os
    domains such as pv-grub that talk to the vTPM domain.

* vtpmmgr-stubdom:
    A mini-os domain that implements the vTPM manager. There is
    only one vTPM manager and it should be running during the
    entire lifetime of the machine. This domain regulates
    access to the physical TPM on the system and secures the
    persistent state of each vTPM.

* mini-os/tpm_tis:
    Mini-os TPM 1.2 TPM Interface Specification (TIS) driver.
    This driver is used by vtpmmgr-stubdom to talk directly to
    the hardware TPM. Communication is facilitated by mapping
    hardware memory pages into vtpmmgr-stubdom.

* Hardware TPM:
    The physical TPM that is soldered onto the motherboard.


Integration With Xen
--------------------

Support for the vTPM driver was added in Xen using the libxl toolstack in Xen
4.3. See the Xen documentation (docs/misc/vtpm.txt) for details on setting up
the vTPM and vTPM Manager stub domains. Once the stub domains are running, a
vTPM device is set up in the same manner as a disk or network device in the
domain's configuration file.

In order to use features such as IMA that require a TPM to be loaded prior to
the initrd, the xen-tpmfront driver must be compiled into the kernel. If not
using such features, the driver can be compiled as a module and will be loaded
as usual.
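As an added illustration (not part of this document or of the Xen tree), the three xl domain configuration files that wire the chain above together, with the ``vtpm=`` device line attached to a guest exactly as a ``disk=`` line would be. Image paths, domain names and the UUID are placeholders; take the real ones from docs/misc/vtpm.txt and your own build.

```cfg
# --- vtpmmgr.cfg: the single vTPM Manager stub domain (vtpmmgr-stubdom) ---
# PLACEHOLDER paths: substitute the stubdom image and disk from your build.
kernel="/PLACEHOLDER/vtpmmgr-stubdom.gz"
memory=16
disk=["file:/PLACEHOLDER/vtpmmgr-stubdom.img,hda,w"]
name="vtpmmgr"
# Map the hardware TPM's TIS MMIO range (0xfed40000, 5 pages) into the
# manager so mini-os/tpm_tis can drive the physical TPM. Only this one
# domain is given that range; guests never touch the hardware TPM.
iomem=["fed40,5"]

# --- vtpm0.cfg: one vTPM stub domain (vtpm-stubdom) per guest ------------
kernel="/PLACEHOLDER/vtpm-stubdom.gz"
memory=8
# Persistent vTPM state lives here; its secrets are sealed via the manager.
disk=["file:/PLACEHOLDER/vtpm0.img,hda,w"]
name="vtpm0"
# The vTPM is itself a tpmfront client of the manager (mini-os/tpmfront ->
# mini-os/tpmback inside vtpmmgr-stubdom). The uuid identifies this vTPM's
# state to the manager, so keep it stable across reboots. PLACEHOLDER value.
vtpm=["backend=vtpmmgr,uuid=00000000-0000-0000-0000-000000000000"]

# --- guest0.cfg: the Linux DomU ------------------------------------------
kernel="/PLACEHOLDER/vmlinuz"
memory=512
disk=["file:/PLACEHOLDER/guest0.img,xvda,w"]
name="guest0"
# Attach the vTPM like any other device: the backend is the vtpm stub
# domain (by name), which xen-tpmfront inside the guest connects to.
vtpm=["backend=vtpm0"]
```

Create the domains in dependency order (vtpmmgr, then vtpm0, then guest0) since each backend must exist before its frontend attaches. For the IMA case above, the guest kernel needs the Xen TPM frontend (``CONFIG_TCG_XEN``) built in as ``=y`` rather than ``=m``.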