Hi,

I have custom compiled the linux-konrad-xen (3.10.0+) with VTPM patch from (http://lists.xen.org/archives/html/xen-devel/2013-03/msg01923.html) as DomU kernel. It has the following configuration:

CONFIG_XEN=y
CONFIG_TCG_TPM=y
CONFIG_TCG_XEN=y
CONFIG_IMA=y

When I boot the above DomU kernel *WITHOUT* ima_tcb=1, DomU boots properly.

However, when I enable IMA (through extras="ima_tcb=1" in domu.cfg), the booting hangs at

[info] Using makefile-style concurrent boot in runlevel S.

Could anyone point me in a direction where I can debug this?

I have vtpmmgr and domu-vtpm running in different VMs and each of them gets messages when DomU boots. This is confirmed by

> Saved hash and key for vtpm <uuid>

in vtpmmgr and

> vtpmblk.c Info: Wrote 6992 bytes to NVM persistent storage

in domu-vtpm.

I am using Xen 4.3.1-rc1.

Any help will be really appreciated.

Thanks!

-- 
Karthick Ramachandran
_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users
The VTPM patch is from https://lkml.org/lkml/2013/7/1/540, not the one specified in the previous mail. Sorry about that.

On Fri, Nov 8, 2013 at 8:13 PM, Karthick R <karthick.ramachandran@gmail.com> wrote:
> Hi,
>
> I have custom compiled the linux-konrad-xen (3.10.0+) with VTPM patch
> from (http://lists.xen.org/archives/html/xen-devel/2013-03/msg01923.html)
> as DomU kernel. It has the following configuration:
>
> CONFIG_XEN=y
> CONFIG_TCG_TPM=y
> CONFIG_TCG_XEN=y
> CONFIG_IMA=y
>
> When I boot the above DomU kernel *WITHOUT* ima_tcb=1, DomU boots
> properly.
>
> However, when I enable IMA (through extras="ima_tcb=1" in domu.cfg), the
> booting hangs at
>
> [info] Using makefile-style concurrent boot in runlevel S.
>
> Could anyone point me in a direction where I can debug this?
>
> I have vtpmmgr and domu-vtpm running in different VMs and each of them get
> messages when DomU boots. This is confirmed by
>
> > Saved hash and key for vtpm <uuid>
>
> in vtpmmgr and
>
> > vtpmblk.c Info: Wrote 6992 bytes to NVM persistent storage
>
> in domu-vtpm.
>
> I am using Xen 4.3.1-rc1.
>
> Any help will be really appreciated.
>
>
> Thanks!
>
> --
> Karthick Ramachandran

-- 
Karthick Ramachandran
On 11/08/2013 08:18 PM, Karthick R wrote:
> The VTPM patch is from https://lkml.org/lkml/2013/7/1/540, not the one
> specified in the previous mail. Sorry about that.
>
>
> On Fri, Nov 8, 2013 at 8:13 PM, Karthick R
> <karthick.ramachandran@gmail.com> wrote:
>
>> Hi,
>>
>> I have custom compiled the linux-konrad-xen (3.10.0+) with VTPM patch
>> from (http://lists.xen.org/archives/html/xen-devel/2013-03/msg01923.html)
>> as DomU kernel. It has the following configuration:
>>
>> CONFIG_XEN=y
>> CONFIG_TCG_TPM=y
>> CONFIG_TCG_XEN=y
>> CONFIG_IMA=y
>>
>> When I boot the above DomU kernel *WITHOUT* ima_tcb=1, DomU boots
>> properly.
>>
>> However, when I enable IMA (through extras="ima_tcb=1" in domu.cfg), the
>> booting hangs at
>>
>> [info] Using makefile-style concurrent boot in runlevel S.
>>
>> Could anyone point me in a direction where I can debug this?

This is past the point where userspace is up and working; you should be able
to add debugging output to your init scripts or the dispatcher script that
outputs that message. The exact method for doing this is distro-dependent and
should be independent of xen/vtpm issues.

You may want to look at what loads your real IMA-TCB policy (to replace the
initial measure-everything policy) or tcsd/trousers; nothing else should be
waiting on a TPM.

You could also add debug output in the driver or check that the vTPM is not
stuck processing a command (and causing the kernel to time out on extends).

>> I have vtpmmgr and domu-vtpm running in different VMs and each of them get
>> messages when DomU boots. This is confirmed by
>>
>>> Saved hash and key for vtpm <uuid>
>>
>> in vtpmmgr and
>>
>>> vtpmblk.c Info: Wrote 6992 bytes to NVM persistent storage
>>
>> in domu-vtpm.
>>
>> I am using Xen 4.3.1-rc1.
>>
>> Any help will be really appreciated.
>>
>>
>> Thanks!
>>
>> --
>> Karthick Ramachandran
>>
>

-- 
Daniel De Graaf
National Security Agency
On Thu, Nov 14, 2013 at 9:58 AM, Daniel De Graaf <dgdegra@tycho.nsa.gov> wrote:
> This is past the point where userspace is up and working; you should be
> able to add debugging output to your init scripts or the dispatcher script
> that outputs that message. The exact method for doing this is
> distro-dependent and should be independent of xen/vtpm issues.
>
> You may want to look at what loads your real IMA-TCB policy (to replace the
> initial measure-everything policy) or tcsd/trousers; nothing else should be
> waiting on a TPM.
>
> You could also add debug output in the driver or check that the vTPM is not
> stuck processing a command (and causing the kernel to time out on extends).
>

Thank you Daniel for the pointers.

The init script was hanging in the startpar line in the RC script, that was spawning the other init scripts in parallel. I was not able to pinpoint the exact script in my installed distro (Debian Wheezy).

As the client distro is not very important for my experiments, I changed it to Ubuntu Quantal as DomU distro and now domU boots by logging the hashes as expected in securityfs.

I am at the same time curious if someone has got Debian Wheezy working with IMA and vTPM.

Thanks!

-- 
Karthick Ramachandran
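Once the domU boots and IMA is logging hashes in securityfs, the check a practitioner wants next is that the measurement list is consistent with what the vTPM holds: replay every entry through the TPM 1.2 extend operation and compare the result with PCR-10. The script below is an added example for this thread, not code from the thread, from Xen or from the IMA project. It handles only the legacy "ima" template (sha1 file hash plus pathname, as a 3.10 kernel booted with ima_tcb=1 emits it), it reproduces the kernel's rule that a violation is logged with all-zero hashes but extended into the PCR with 0xff bytes, and the sample log it builds is constructed rather than captured from the domU discussed above. The PCR-10 value is a parameter: on a real domU it would be read from the vTPM (for instance with tpm_pcrread from trousers, or from the tpm0 sysfs pcrs file of that kernel generation), which are assumptions about the setup.

```python
"""Replay an IMA ascii_runtime_measurements list into PCR-10 and verify it.

Added example (not from the Xen-users thread, Xen or the IMA sources).
Only the legacy "ima" template is supported:
    <pcr> <sha1 template hash> ima <sha1 file hash> <pathname>
"""
import hashlib

SHA1_LEN = 20
IMA_EVENT_NAME_LEN_MAX = 255      # kernel NUL-pads the pathname to this + 1
IMA_PCR = 10
ZERO_DIGEST = b"\x00" * SHA1_LEN
VIOLATION_DIGEST = b"\xff" * SHA1_LEN


def ima_template_hash(file_hash: bytes, pathname: str) -> bytes:
    """Template digest of the legacy 'ima' template:
    sha1(file_hash || pathname NUL-padded to IMA_EVENT_NAME_LEN_MAX + 1 bytes)."""
    name = pathname.encode()[:IMA_EVENT_NAME_LEN_MAX]
    padded = name + b"\x00" * (IMA_EVENT_NAME_LEN_MAX + 1 - len(name))
    return hashlib.sha1(file_hash + padded).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend: new = sha1(old || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def format_entry(file_hash: bytes, pathname: str, violation: bool = False) -> str:
    """One ascii_runtime_measurements line. A violation (e.g. open writers)
    is logged with all-zero hashes even though the PCR gets 0xff bytes."""
    if violation:
        return f"{IMA_PCR} {ZERO_DIGEST.hex()} ima {ZERO_DIGEST.hex()} {pathname}"
    tmpl = ima_template_hash(file_hash, pathname)
    return f"{IMA_PCR} {tmpl.hex()} ima {file_hash.hex()} {pathname}"


def parse_measurements(log_text: str) -> list:
    """Parse '<pcr> <template-hash> ima <file-hash> <pathname>' lines.
    maxsplit=4 keeps pathnames that contain spaces intact."""
    entries = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        pcr, template_hash, template, file_hash, pathname = line.split(maxsplit=4)
        entries.append((int(pcr), bytes.fromhex(template_hash), template,
                        bytes.fromhex(file_hash), pathname))
    return entries


def aggregate_pcr(entries) -> bytes:
    """Replay the list into a fresh PCR starting from all zeros."""
    pcr = ZERO_DIGEST
    for pcr_index, template_hash, template, _file_hash, _pathname in entries:
        if pcr_index != IMA_PCR or template != "ima":
            raise ValueError(f"unsupported entry: pcr={pcr_index} template={template}")
        digest = VIOLATION_DIGEST if template_hash == ZERO_DIGEST else template_hash
        pcr = pcr_extend(pcr, digest)
    return pcr


def verify_list(log_text: str, expected_pcr10: bytes) -> bool:
    """True iff every entry's template hash matches its own fields and the
    replayed chain equals the PCR-10 value read from the (v)TPM."""
    try:
        entries = parse_measurements(log_text)
        for _pcr, template_hash, _template, file_hash, pathname in entries:
            if template_hash != ZERO_DIGEST and \
                    ima_template_hash(file_hash, pathname) != template_hash:
                return False           # entry edited after it was extended
        return aggregate_pcr(entries) == expected_pcr10
    except ValueError:
        return False                   # malformed line or unknown template


def build_sample_log() -> str:
    """Constructed sample list (not captured from the thread's domU).
    The first entry is boot_aggregate; with a working vTPM its file hash
    would be sha1(PCR0..7), here it is zeros as on a TPM-less boot."""
    lines = [
        format_entry(ZERO_DIGEST, "boot_aggregate"),
        format_entry(hashlib.sha1(b"init binary").digest(), "/sbin/init"),
        format_entry(hashlib.sha1(b"rc script").digest(), "/etc/init.d/rc"),
        format_entry(ZERO_DIGEST, "/var/log/syslog", violation=True),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    sample = build_sample_log()
    pcr10 = aggregate_pcr(parse_measurements(sample))
    print(sample)
    print("expected PCR-10:", pcr10.hex())
    print("verify:", verify_list(sample, pcr10))
```

On a live domU, feed verify_list() the contents of /sys/kernel/security/ima/ascii_runtime_measurements and the PCR-10 value obtained from the vTPM; a mismatch means either the list was altered in memory after the fact, the vTPM lost or replayed state (the NVM writes mentioned in the thread are where that state lives), or an extend was dropped, which is exactly the "stuck vTPM" failure mode Daniel describes.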