Hi,

I'm trying to install vTPM based on Xen-4.1.2, and I want to use a 3.x kernel as Dom0. Which kernel has a TPM backend driver?
(I found that linux-kernel 3.9.1 doesn't have CONFIG_XEN_TPMDEV_BACKEND in the kernel config file.)

--
Best Regards,
Fei Lv

_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users

On Wed, Nov 13, 2013 at 06:35:30AM +0000, Lv, FeiX wrote:
> Hi,
>
> I'm trying to install vTPM based on Xen-4.1.2, and I want to use a 3.x kernel as Dom0. Which kernel has a TPM backend driver?
> (I found that linux-kernel 3.9.1 doesn't have CONFIG_XEN_TPMDEV_BACKEND in the kernel config file.)
>

AFAICT the modern way of using vtpm is to run backend in a vtpm stubdom, not Dom0.

BTW if you're not subscribed to list you probably need to wait for moderator to approve your post. No need to send multiple emails.

Wei.

> --
> Best Regards,
> Fei Lv

Hi, Wei / Community

We are working on support HVM domU based on vTPM stubdom. Now the vTPM stubdom is just for PV domU in Xen 4.3.0. Xen supports HVM domU in previous version 4.1.2, even though the backend is in Dom0.
In previous vTPM, the backend driver is in Linux 2.6.18, the kernel is tough to build. I think it is helpful, if we enable the previous vTPM.
Does anyone maintain the vTPM backend driver?

Quan Xu

-----Original Message-----
From: Lv, FeiX
Sent: Thursday, November 14, 2013 11:13 AM
To: Xu, Quan
Subject: FW: [Xen-users] Install vTPM on Xen-4.1.2

-----Original Message-----
From: Wei Liu [mailto:wei.liu2@citrix.com]
Sent: Wednesday, November 13, 2013 8:04 PM
To: Lv, FeiX
Cc: xen-users@lists.xen.org; wei.liu2@citrix.com
Subject: Re: [Xen-users] Install vTPM on Xen-4.1.2

On Wed, Nov 13, 2013 at 06:35:30AM +0000, Lv, FeiX wrote:
> Hi,
>
> I'm trying to install vTPM based on Xen-4.1.2, and I want to use a 3.x kernel as Dom0. Which kernel has a TPM backend driver?
> (I found that linux-kernel 3.9.1 doesn't have CONFIG_XEN_TPMDEV_BACKEND in the kernel config file.)
>

AFAICT the modern way of using vtpm is to run backend in a vtpm stubdom, not Dom0.

BTW if you're not subscribed to list you probably need to wait for moderator to approve your post. No need to send multiple emails.

Wei.

> --
> Best Regards,
> Fei Lv

On Thu, Nov 14, 2013 at 05:50:24AM +0000, Xu, Quan wrote:
> Hi, Wei / Community
> We are working on support HVM domU based on vTPM stubdom. Now the vTPM stubdom is just for PV domU in Xen 4.3.0. Xen supports HVM domU in previous version 4.1.2, even though the backend is in Dom0.
> In previous vTPM, the backend driver is in Linux 2.6.18, the kernel is tough to build. I think it is helpful, if we enable the previous vTPM.
> Does anyone maintain the vTPM backend driver?
>
> Quan Xu
>

I'm not expert in this field. You can probably make use of the classic 2.6.18 kernel tree on xenbits.xen.org.

Wei.

>>-----Original Message-----
>>From: Wei Liu [mailto:wei.liu2@citrix.com]
>>Sent: Thursday, November 14, 2013 6:36 PM
>>To: Xu, Quan
>>Cc: Lv, FeiX; xen-users@lists.xen.org; wei.liu2@citrix.com
>>Subject: Re: [Xen-users] Install vTPM on Xen-4.1.2
>>
>>On Thu, Nov 14, 2013 at 05:50:24AM +0000, Xu, Quan wrote:
>>> Hi, Wei / Community
>>> We are working on support HVM domU based on vTPM stubdom. Now the vTPM stubdom is just for PV domU in Xen 4.3.0. Xen supports HVM domU in previous version 4.1.2, even though the backend is in Dom0.
>>> In previous vTPM, the backend driver is in Linux 2.6.18, the kernel is tough to build. I think it is helpful, if we enable the previous vTPM.
>>> Does anyone maintain the vTPM backend driver?
>>>
>>> Quan Xu
>>>
>>
>>I'm not expert in this field. You can probably make use of the classic
>>2.6.18 kernel tree on xenbits.xen.org.
>>
>>Wei.

Thanks Wei, now I have cloned 2.6.18 kernel tree on xenbits.xen.org.

Quan Xu
Intel

On 11/14/2013 05:35 AM, Wei Liu wrote:
> On Thu, Nov 14, 2013 at 05:50:24AM +0000, Xu, Quan wrote:
>> Hi, Wei / Community
>> We are working on support HVM domU based on vTPM stubdom. Now the vTPM stubdom is just for PV domU in Xen 4.3.0.

This is not correct; the frontend driver in Linux 3.12 will also work on HVM, same as the other PV drivers.

An important caveat here is that you don't have a complete measurement of an HVM domain (hvmloader and grub don't speak to the TPM), but that wasn't true in earlier versions of Xen for either PV or HVM, so using the older version won't improve that.

>> Xen supports HVM domU in previous version 4.1.2, even though the backend is in Dom0.
>> In previous vTPM, the backend driver is in Linux 2.6.18, the kernel is tough to build. I think it is helpful, if we enable the previous vTPM.
>> Does anyone maintain the vTPM backend driver?
>>
>> Quan Xu
>>

I'm not sure building the 2.6.18 backend driver would be any more helpful to you, since it won't talk to the frontend in 3.12. The PV stubdoms have no issues talking to an HVM frontend (at least from what I've tested).

>
> I'm not expert in this field. You can probably make use of the classic
> 2.6.18 kernel tree on xenbits.xen.org.
>
> Wei.
>

--
Daniel De Graaf
National Security Agency

> -----Original Message-----
> From: Daniel De Graaf [mailto:dgdegra@tycho.nsa.gov]
> Sent: Thursday, November 14, 2013 11:09 PM
> To: Xu, Quan
> Cc: Wei Liu; Lv, FeiX; xen-users@lists.xen.org
> Subject: Re: [Xen-users] Install vTPM on Xen-4.1.2
>
> On 11/14/2013 05:35 AM, Wei Liu wrote:
> > On Thu, Nov 14, 2013 at 05:50:24AM +0000, Xu, Quan wrote:
> >> Hi, Wei / Community
> >> We are working on support HVM domU based on vTPM stubdom. Now the vTPM stubdom is just for PV domU in Xen 4.3.0.
>
> This is not correct; the frontend driver in Linux 3.12 will also work on HVM, same as the other PV drivers.
>

Thanks, I will have a try based on Linux 3.12 for DomU. I have some question. Does it work on xen 4.3.0 or xen-unstable?

> An important caveat here is that you don't have a complete measurement of an HVM domain (hvmloader and grub don't speak to the TPM), but that wasn't true in earlier versions of Xen for either PV or HVM, so using the older version won't improve that.
>
> >> Xen supports HVM domU in previous version 4.1.2, even though the backend is in Dom0.
> >> In previous vTPM, the backend driver is in Linux 2.6.18, the kernel is tough to build. I think it is helpful, if we enable the previous vTPM.
> >> Does anyone maintain the vTPM backend driver?
> >>
> >> Quan Xu
> >>
>
> I'm not sure building the 2.6.18 backend driver would be any more helpful to you, since it won't talk to the frontend in 3.12. The PV stubdoms have no issues talking to an HVM frontend (at least from what I've tested).
>

My team tries to enable HVM VM based stubdom vTPM. 2.6.18 kernel works for HVM domU based on legacy vTPM. As my estimate, the hvmloader is enabled with TCG BIOS. Then my team can integrate the hvmloader with stubdom vTPM.

> >
> > I'm not expert in this field. You can probably make use of the classic
> > 2.6.18 kernel tree on xenbits.xen.org.
> >
> > Wei.
> >
>
> --
> Daniel De Graaf
> National Security Agency

Quan Xu
Intel

On 11/14/2013 09:34 PM, Xu, Quan wrote:
>
>
>> -----Original Message-----
>> From: Daniel De Graaf [mailto:dgdegra@tycho.nsa.gov]
>> Sent: Thursday, November 14, 2013 11:09 PM
>> To: Xu, Quan
>> Cc: Wei Liu; Lv, FeiX; xen-users@lists.xen.org
>> Subject: Re: [Xen-users] Install vTPM on Xen-4.1.2
>>
>> On 11/14/2013 05:35 AM, Wei Liu wrote:
>>> On Thu, Nov 14, 2013 at 05:50:24AM +0000, Xu, Quan wrote:
>>>> Hi, Wei / Community
>>>> We are working on support HVM domU based on vTPM stubdom. Now the vTPM stubdom is just for PV domU in Xen 4.3.0.
>>
>> This is not correct; the frontend driver in Linux 3.12 will also work on HVM, same as the other PV drivers.
>>
> Thanks, I will have a try based on Linux 3.12 for DomU. I have some question. Does it work on xen 4.3.0 or xen-unstable?
>

The TPM stubdoms have not changed in the 4.4 development series, so it should work on both.

>
>> An important caveat here is that you don't have a complete measurement of an HVM domain (hvmloader and grub don't speak to the TPM), but that wasn't true in earlier versions of Xen for either PV or HVM, so using the older version won't improve that.
>>
>>>> Xen supports HVM domU in previous version 4.1.2, even though the backend is in Dom0.
>>>> In previous vTPM, the backend driver is in Linux 2.6.18, the kernel is tough to build. I think it is helpful, if we enable the previous vTPM.
>>>> Does anyone maintain the vTPM backend driver?
>>>>
>>>> Quan Xu
>>>>
>>
>> I'm not sure building the 2.6.18 backend driver would be any more helpful to you, since it won't talk to the frontend in 3.12. The PV stubdoms have no issues talking to an HVM frontend (at least from what I've tested).
>>
>
> My team tries to enable HVM VM based stubdom vTPM. 2.6.18 kernel works for HVM domU based on legacy vTPM. As my estimate, the hvmloader is enabled with TCG BIOS.
> Then my team can integrate the hvmloader with stubdom vTPM.

Real integration on HVM will require integration with QEMU so that it can emulate the normal hardware interface (TIS). I haven't looked at the hvmloader's TPM support, but I would guess that it tries to use that interface since that is what a normal BIOS would do. Since emulation of TIS will be needed for unmodified OSes, I don't see any reason to add a Xen tpmfront driver to hvmloader/*bios.

QEMU 1.5 has support for doing pass-through to /dev/tpm0, so a Linux stubdom with a 3.12+ kernel and attached vtpm would just require enabling the option. The last posted Linux stubdom (RFC by Anthony Perard back in April) was using an older Linux and QEMU, but it still may be a good starting point.

>>>
>>> I'm not expert in this field. You can probably make use of the classic
>>> 2.6.18 kernel tree on xenbits.xen.org.
>>>
>>> Wei.
>>>
>>
>> --
>> Daniel De Graaf
>> National Security Agency
>
>
> Quan Xu
> Intel
>
>

--
Daniel De Graaf
National Security Agency

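[Added example, not part of the thread and not code from Xen or QEMU: a preflight for the setup described in the message above, which checks for a 3.12+ kernel and a TPM character device before emitting QEMU's TPM pass-through options. The function names are hypothetical; `CONFIG_TCG_XEN` (the mainline Xen TPM frontend option) and the `-tpmdev passthrough` / `-device tpm-tis` options are assumed from upstream Linux and QEMU, not taken from the thread.]

```shell
#!/bin/sh
# Preflight for QEMU TPM pass-through inside a Linux stubdom (added example).

# kernel_at_least RELEASE MAJOR MINOR: succeed if RELEASE >= MAJOR.MINOR.
kernel_at_least() {
    rel=${1%%-*}                  # drop "-rc1" / "-generic" style suffixes
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    case "$major$minor" in
        ''|*[!0-9]*) return 2 ;;  # unparseable release string
    esac
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# has_xen_tpmfront CONFIG_FILE: succeed if the Xen TPM frontend is built in
# or modular in the given kernel config (assumed option: CONFIG_TCG_XEN).
has_xen_tpmfront() {
    grep -Eq '^CONFIG_TCG_XEN=[ym]$' "$1"
}

# tpm_passthrough_args RELEASE [DEVICE]: print the QEMU options for TPM
# pass-through, or explain on stderr which precondition is not met.
tpm_passthrough_args() {
    release=$1
    dev=${2:-/dev/tpm0}
    if ! kernel_at_least "$release" 3 12; then
        echo "kernel $release is older than 3.12" >&2
        return 1
    fi
    if [ ! -c "$dev" ]; then
        echo "$dev is not a character device; is the vtpm attached?" >&2
        return 1
    fi
    printf '%s\n' "-tpmdev passthrough,id=tpm0,path=$dev -device tpm-tis,tpmdev=tpm0"
}

# Typical use inside the stubdom:
#   tpm_passthrough_args "$(uname -r)" /dev/tpm0
```
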
> -----Original Message-----
> From: Daniel De Graaf [mailto:dgdegra@tycho.nsa.gov]
> Sent: Friday, November 15, 2013 11:10 PM
> To: Xu, Quan
> Cc: Wei Liu; xen-users@lists.xen.org
> Subject: Re: [Xen-users] Install vTPM on Xen-4.1.2
>
> On 11/14/2013 09:34 PM, Xu, Quan wrote:
> >
> >
> >> -----Original Message-----
> >> From: Daniel De Graaf [mailto:dgdegra@tycho.nsa.gov]
> >> Sent: Thursday, November 14, 2013 11:09 PM
> >> To: Xu, Quan
> >> Cc: Wei Liu; Lv, FeiX; xen-users@lists.xen.org
> >> Subject: Re: [Xen-users] Install vTPM on Xen-4.1.2
> >>
> >> On 11/14/2013 05:35 AM, Wei Liu wrote:
> >>> On Thu, Nov 14, 2013 at 05:50:24AM +0000, Xu, Quan wrote:
> >>>> Hi, Wei / Community
> >>>> We are working on support HVM domU based on vTPM stubdom. Now the vTPM stubdom is just for PV domU in Xen 4.3.0.
> >>
> >> This is not correct; the frontend driver in Linux 3.12 will also work on HVM, same as the other PV drivers.
> >>
> > Thanks, I will have a try based on Linux 3.12 for DomU. I have some question. Does it work on xen 4.3.0 or xen-unstable?
> >
>
> The TPM stubdoms have not changed in the 4.4 development series, so it should work on both.
>
> >
> >> An important caveat here is that you don't have a complete measurement of an HVM domain (hvmloader and grub don't speak to the TPM), but that wasn't true in earlier versions of Xen for either PV or HVM, so using the older version won't improve that.
> >>
> >>>> Xen supports HVM domU in previous version 4.1.2, even though the backend is in Dom0.
> >>>> In previous vTPM, the backend driver is in Linux 2.6.18, the kernel is tough to build. I think it is helpful, if we enable the previous vTPM.
> >>>> Does anyone maintain the vTPM backend driver?
> >>>>
> >>>> Quan Xu
> >>>>
> >>
> >> I'm not sure building the 2.6.18 backend driver would be any more helpful to you, since it won't talk to the frontend in 3.12. The PV stubdoms have no issues talking to an HVM frontend (at least from what I've tested).
> >>
> >
> > My team tries to enable HVM VM based stubdom vTPM. 2.6.18 kernel works for HVM domU based on legacy vTPM. As my estimate, the hvmloader is enabled with TCG BIOS.
> > Then my team can integrate the hvmloader with stubdom vTPM.
>
> Real integration on HVM will require integration with QEMU so that it can emulate the normal hardware interface (TIS). I haven't looked at the hvmloader's TPM support, but I would guess that it tries to use that interface since that is what a normal BIOS would do. Since emulation of TIS will be needed for unmodified OSes, I don't see any reason to add a Xen tpmfront driver to hvmloader/*bios.
>
> QEMU 1.5 has support for doing pass-through to /dev/tpm0, so a Linux stubdom with a 3.12+ kernel and attached vtpm would just require enabling the option. The last posted Linux stubdom (RFC by Anthony Perard back in April) was using an older Linux and QEMU, but it still may be a good starting point.
>

Thanks Graaf, my team will try to set it up.

Share some QEMU patches in the archive first:
http://lists.nongnu.org/archive/html/qemu-devel/2013-11/msg00674.html
http://lists.nongnu.org/archive/html/qemu-devel/2013-11/msg00675.html
http://lists.nongnu.org/archive/html/qemu-devel/2013-11/msg00676.html
http://lists.nongnu.org/archive/html/qemu-devel/2013-11/msg00678.html
http://lists.nongnu.org/archive/html/qemu-devel/2013-11/msg00677.html

In those patches, the seabios code is not yet upstream (http://www.seabios.org/SeaBIOS) that is required to run with this support, and provide support such as initialization, ACPI table updates, and menu updates.

But I have found some seabios patches, "Add TPM support to SeaBIOS".
http://lists.gnu.org/archive/html/qemu-devel/2011-04/msg00424.html
http://lists.gnu.org/archive/html/qemu-devel/2011-04/msg00419.html
http://lists.gnu.org/archive/html/qemu-devel/2011-04/msg00421.html
http://lists.gnu.org/archive/html/qemu-devel/2011-04/msg00417.html
http://lists.gnu.org/archive/html/qemu-devel/2011-04/msg00426.html
http://lists.gnu.org/archive/html/qemu-devel/2011-04/msg00423.html
http://lists.gnu.org/archive/html/qemu-devel/2011-04/msg00420.html
http://lists.gnu.org/archive/html/qemu-devel/2011-04/msg00418.html
http://lists.gnu.org/archive/html/qemu-devel/2011-04/msg00422.html

I will go through all of patches / stubdom vTPM / legacy dom0 vtpm daemon, and give you some further feedback. BTW, could you help me to review those patches too?

===
BTW,
1. My team starts to develop stubdom vTPM based on TPM 2.0 for PV domU, which I mentioned before. I hope that Berlios TPM Emulator can work well for TPM 2.0. Could you share some debug experience?
2. My team have integrated OpenAttestation (https://github.com/OpenAttestation/OpenAttestation) with stubdom vTPM. OpenAttestation project is to provide SDK, Software Development Kit, to add cloud management tools with capability of establishing hosts integrity information by remotely retrieving and verifying Hosts' integrity with TPM quote. oat-client can work in RHEL 6.4 VM with vtpm, while comment out "check_drivers || load_drivers || exit 1" in /etc/init.d/tcsd file. Also we can integrate stubdom vtpm into openstack.

> >>>
> >>> I'm not expert in this field. You can probably make use of the classic
> >>> 2.6.18 kernel tree on xenbits.xen.org.
> >>>
> >>> Wei.
> >>>
> >>
> >> --
> >> Daniel De Graaf
> >> National Security Agency
> >
> >
> > Quan Xu
> > Intel
> >
> >
>
>
> --
> Daniel De Graaf
> National Security Agency

Quan Xu
Intel