Re: [Xen-devel] [v9 00/19] QEMU:Xen stubdom vTPM for HVM virtual machine(QEMU Part)
Hi Quan, thanks for CC'ing me. sstabell...@kernel.org is the right address to reach me now. I am also CC'ing Anthony Perard who is Xen co-maintainer in QEMU. Cheers, Stefano On Wed, 13 Jul 2016, Xu, Quan wrote: > Emil, Thanks for your effort ( today I just come back to return my laptop). > > btw, sstabell...@kernel.org may be the right email. > Stefan / Stefano, could you help us review these patches? Thanks in > advance!! > > Quan > > > On July 10, 2016 7:48 PM, Emil Condreawrote: > > *INTRODUCTION* > > The goal of virtual Trusted Platform Module (vTPM) is to provide a TPM > > functionality to virtual machines (Fedora, Ubuntu, Redhat, Windows .etc). > > This allows programs to interact with a TPM in a virtual machine the same > > way > > they interact with a TPM on the physical system. Each virtual machine gets > > its > > own unique, emulated, software TPM. Each major component of vTPM is > > implemented as a stubdom, providing secure separation guaranteed by the > > hypervisor. > > > > The vTPM stubdom is a Xen mini-OS domain that emulates a TPM for the > > virtual machine to use. It is a small wrapper around the Berlios TPM > > emulator. > > TPM commands are passed from mini-os TPM backend driver. > > > > *ARCHITECTURE* > > The architecture of stubdom vTPM for HVM virtual machine: > > > > ++ > > | Windows/Linux DomU | ... > > || ^| > > |v || > > | Qemu tpm1.2 Tis | > > || ^| > > |v || > > | XenStubdoms backend| > > ++ > > | ^ > > v | > > ++ > > | XenDevOps | > > ++ > > | ^ > > v | > > ++ > > | mini-os/tpmback | > > || ^| > > |v || > > | vtpm-stubdom | ... > > || ^| > > |v || > > | mini-os/tpmfront | > > ++ > > | ^ > > v | > > ++ > > | mini-os/tpmback | > > || ^| > > |v || > > | vtpmmgr-stubdom | > > || ^| > > |v || > > | mini-os/tpm_tis | > > ++ > > | ^ > > v | > > ++ > > |Hardware TPM| > > ++ > > > > * Windows/Linux DomU: > > The HVM based guest that wants to use a vTPM. There may be > > more than one of these. > > > > * Qemu tpm1.2 Tis: > > Implementation of the tpm1.2 Tis interface for HVM virtual > > machines. It is Qemu emulation device. > > > > * vTPM xenstubdoms driver: > > Qemu vTPM driver. This driver provides vtpm initialization > > and sending data and commends to a para-virtualized vtpm > > stubdom. > > > > * XenDevOps: > > Register Xen stubdom vTPM frontend driver, and transfer any > > request/repond between TPM xenstubdoms driver and Xen vTPM > > stubdom. Facilitate communications between Xen vTPM stubdom > > and vTPM xenstubdoms driver. > > > > * mini-os/tpmback: > > Mini-os TPM backend driver. The Linux frontend driver connects > > to this backend driver to facilitate communications between the > > Linux DomU and its vTPM. This driver is also used by vtpmmgr > > stubdom to communicate with vtpm-stubdom. > > > > * vtpm-stubdom: > > A mini-os stub domain that implements a vTPM. There is a > > one to one mapping between running vtpm-stubdom instances and > > logical vtpms on the system. The vTPM Platform Configuration > > Registers (PCRs) are all initialized to zero. > > > > * mini-os/tpmfront: > > Mini-os TPM frontend driver. The vTPM mini-os domain vtpm > > stubdom uses this driver to communicate with vtpmmgr-stubdom. > > This driver could also be used separately to implement a mini-os > > domain that wishes to use a vTPM of its own. > > > > * vtpmmgr-stubdom: > > A mini-os domain that implements the vTPM manager. There is only > > one vTPM manager and it should be running during the entire lifetime > > of the machine. vtpmmgr domain securely stores encryption keys for > > each of the vtpms and accesses to the hardware TPM to get the root of > > trust for the entire system. > > > > * mini-os/tpm_tis: > > Mini-os TPM version 1.2 TPM Interface Specification (TIS) driver. > > This driver used by vtpmmgr-stubdom
Re: [Xen-devel] [v9 00/19] QEMU:Xen stubdom vTPM for HVM virtual machine(QEMU Part)
Emil, Thanks for your effort ( today I just come back to return my laptop). btw, sstabell...@kernel.org may be the right email. Stefan / Stefano, could you help us review these patches? Thanks in advance!! Quan On July 10, 2016 7:48 PM, Emil Condreawrote: > *INTRODUCTION* > The goal of virtual Trusted Platform Module (vTPM) is to provide a TPM > functionality to virtual machines (Fedora, Ubuntu, Redhat, Windows .etc). > This allows programs to interact with a TPM in a virtual machine the same way > they interact with a TPM on the physical system. Each virtual machine gets its > own unique, emulated, software TPM. Each major component of vTPM is > implemented as a stubdom, providing secure separation guaranteed by the > hypervisor. > > The vTPM stubdom is a Xen mini-OS domain that emulates a TPM for the > virtual machine to use. It is a small wrapper around the Berlios TPM emulator. > TPM commands are passed from mini-os TPM backend driver. > > *ARCHITECTURE* > The architecture of stubdom vTPM for HVM virtual machine: > > ++ > | Windows/Linux DomU | ... > || ^| > |v || > | Qemu tpm1.2 Tis | > || ^| > |v || > | XenStubdoms backend| > ++ > | ^ > v | > ++ > | XenDevOps | > ++ > | ^ > v | > ++ > | mini-os/tpmback | > || ^| > |v || > | vtpm-stubdom | ... > || ^| > |v || > | mini-os/tpmfront | > ++ > | ^ > v | > ++ > | mini-os/tpmback | > || ^| > |v || > | vtpmmgr-stubdom | > || ^| > |v || > | mini-os/tpm_tis | > ++ > | ^ > v | > ++ > |Hardware TPM| > ++ > > * Windows/Linux DomU: > The HVM based guest that wants to use a vTPM. There may be > more than one of these. > > * Qemu tpm1.2 Tis: > Implementation of the tpm1.2 Tis interface for HVM virtual > machines. It is Qemu emulation device. > > * vTPM xenstubdoms driver: > Qemu vTPM driver. This driver provides vtpm initialization > and sending data and commends to a para-virtualized vtpm > stubdom. > > * XenDevOps: > Register Xen stubdom vTPM frontend driver, and transfer any > request/repond between TPM xenstubdoms driver and Xen vTPM > stubdom. Facilitate communications between Xen vTPM stubdom > and vTPM xenstubdoms driver. > > * mini-os/tpmback: > Mini-os TPM backend driver. The Linux frontend driver connects > to this backend driver to facilitate communications between the > Linux DomU and its vTPM. This driver is also used by vtpmmgr > stubdom to communicate with vtpm-stubdom. > > * vtpm-stubdom: > A mini-os stub domain that implements a vTPM. There is a > one to one mapping between running vtpm-stubdom instances and > logical vtpms on the system. The vTPM Platform Configuration > Registers (PCRs) are all initialized to zero. > > * mini-os/tpmfront: > Mini-os TPM frontend driver. The vTPM mini-os domain vtpm > stubdom uses this driver to communicate with vtpmmgr-stubdom. > This driver could also be used separately to implement a mini-os > domain that wishes to use a vTPM of its own. > > * vtpmmgr-stubdom: > A mini-os domain that implements the vTPM manager. There is only > one vTPM manager and it should be running during the entire lifetime > of the machine. vtpmmgr domain securely stores encryption keys for > each of the vtpms and accesses to the hardware TPM to get the root of > trust for the entire system. > > * mini-os/tpm_tis: > Mini-os TPM version 1.2 TPM Interface Specification (TIS) driver. > This driver used by vtpmmgr-stubdom to talk directly to the hardware > TPM. Communication is facilitated by mapping hardware memory pages > into vtpmmgr stubdom. > > * Hardware TPM: The physical TPM 1.2 that is soldered onto the > motherboard. > > --- > Changes in v9 > High level changes: (each patch has a detailed history versioning) > * rebase on upstream qemu > * refactor qemu xendevs, xenstore functions in order to be shared with both > backend and frontends > * convert tpm