On Mon, 2013-12-09 at 17:51 -0800, John Sherwood wrote:
> I'm aware of the Xen vTPM capabilities, but is it possible to directly
> pass through the hardware TPM of a host to a domU?
I suppose ultimately a TPM is just hardware and therefore you can map it
through using either PCI passthrough (if it is a PCI device, I don't
know about TPM) or "manually" map the individual I/O ports, MMIO regions
and interrupts using the ioports, iomem and irqs directives in your guest
config (see the xl.cfg man page for details).
PCI passthrough certainly works with HVM guests. I'm not 100% sure about
the others, I can see the hypervisor side code to make ioports work, but
the other two are too subtle for me to grok right now ;-) I suggest
trying it and seeing...
What I can't advise on is all the TPM specific stuff like the
attestation and measurement which happens during boot and how that is
impacted by the need to start a VM. Maybe that's not an issue -- I
really have no idea how that all works or whether Bitlocker even needs
it to have happened.
Ian.
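The "manual" route Ian mentions means writing xl.cfg `iomem`, `ioports` and `irqs` entries by hand from what the host kernel reports. The helper below is an added example, not code from this thread or from Xen's own tooling: it turns `/proc/iomem` and `/proc/ioports` style lines into those directives and flags the one thing that is easy to get wrong, namely that `iomem` grants whole 4 KiB pages ("START_PFN,NUM_PAGES" in hex), so a range that does not end on a page boundary also exposes whatever else lives in that page. The sample lines are constructed; the TPM range follows the TCG TIS layout (localities 0 to 4 at 0xFED40000, one 4 KiB page each) and the name `tpm_tis` is just an assumed label for whatever the host kernel prints in that column. Whether the resulting mapping works for a given guest type, and what it does to boot-time measurement, is exactly the part Ian leaves open; the script only does the arithmetic.

```python
"""Render xl.cfg passthrough directives from /proc/iomem-style ranges.

Added example for the xen-devel thread above; not part of Xen or of the
original mail. The sample input below is constructed, not captured.
"""
import re

PAGE_SHIFT = 12  # 4 KiB pages: xl's iomem directive is page-granular

# Constructed sample in /proc/iomem format. The TPM line uses the TCG TIS
# layout (localities 0-4, one 4 KiB page each, at 0xFED40000); the name
# "tpm_tis" is an assumed label, use whatever your host kernel reports.
SAMPLE_IOMEM = """\
fed00000-fed003ff : HPET 0
fed40000-fed44fff : tpm_tis
"""

_RANGE = re.compile(r"^\s*([0-9a-fA-F]+)-([0-9a-fA-F]+)\s*:\s*(.+?)\s*$")


def parse_ranges(text):
    """Parse /proc/iomem or /proc/ioports style lines into (start, end, name)."""
    out = []
    for line in text.splitlines():
        m = _RANGE.match(line)
        if m:
            out.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return out


def iomem_entry(start, end):
    """Render one xl.cfg iomem entry, "START_PFN,NUM_PAGES" in hex.

    Returns (entry, slack). slack is the number of bytes past `end` that the
    guest also receives because the grant is per page; if it is non-zero,
    check /proc/iomem for whatever occupies the rest of that page before
    handing it to a guest.
    """
    first_pfn = start >> PAGE_SHIFT
    last_pfn = end >> PAGE_SHIFT
    num_pages = last_pfn - first_pfn + 1
    exposed_end = ((last_pfn + 1) << PAGE_SHIFT) - 1
    return "%x,%x" % (first_pfn, num_pages), exposed_end - end


def ioports_entry(start, end):
    """Render one xl.cfg ioports entry: a single hex port or "2f8-2ff" span."""
    return "%x" % start if start == end else "%x-%x" % (start, end)


def passthrough_fragment(iomem_text, name_pattern, ioports_text="", irqs=()):
    """Build xl.cfg lines granting a guest every host range whose name in the
    /proc listing matches `name_pattern`, plus the given IRQ numbers.

    Page-slack warnings are returned as comment lines ahead of the directives.
    """
    pat = re.compile(name_pattern)
    iomem, warnings = [], []
    for start, end, name in parse_ranges(iomem_text):
        if pat.search(name):
            entry, slack = iomem_entry(start, end)
            iomem.append(entry)
            if slack:
                warnings.append("# WARNING: %s: %d extra bytes mapped past %x"
                                % (name, slack, end))
    ioports = [ioports_entry(s, e)
               for s, e, n in parse_ranges(ioports_text) if pat.search(n)]
    lines = []
    if iomem:
        lines.append('iomem = [ %s ]' % ", ".join('"%s"' % e for e in iomem))
    if ioports:
        lines.append('ioports = [ %s ]' % ", ".join('"%s"' % e for e in ioports))
    if irqs:
        lines.append('irqs = [ %s ]' % ", ".join(str(i) for i in irqs))
    return warnings + lines


if __name__ == "__main__":
    # With the constructed sample this prints: iomem = [ "fed40,5" ]
    print("\n".join(passthrough_fragment(SAMPLE_IOMEM, r"tpm")))
```

On a real host, feed it the contents of `/proc/iomem` and `/proc/ioports`, and only add an `irqs` entry if the TPM actually has an interrupt wired up (many TIS devices are driven polled). Run `passthrough_fragment(SAMPLE_IOMEM, r"HPET")` on the sample to see the slack warning: the HPET range stops at 0x...3ff, so mapping its page hands the guest another 3072 bytes of that page.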