Re: Questions about the usage of the vTPM implemented in Xen 4.3

[Jordi Cucurull Juan <jordi.cucurull@scytl.com>]

[-- Attachment #1: Type: text/plain, Size: 3180 bytes --]

Hello Ian,

I am using the "xl" toolstack. I have included the configuration and
screen logs of the vTPM-Mgr stub domain, vTPM stub domain and DomU.

As you can see in the logs, I have enabled the vTPM Mgr and vTPM stub
domains once. Then I have enabled the DomU two consecutive times without
disconnecting the stub domains (in all the cases issuing the command "xl
create -c /var/xen/configuration.cfg).

When the DomU shuts down (after issuing a poweroff command with an ssh
connection) the vTPM stub domain does not stop. Instead the following
entries appear on its log:

Tpmback:Info Frontend 14/0 disconnected^M
Failed to read /local/domain/14/device/vtpm/0/state.^M
Tpmback:Info Frontend 14/0 disconnected^M

and later, when the DomU is started again:

Tpmback:Info Frontend 15/0 connected^M

In addition, one can see that the measurements performed by the
"pv-grub" differ from the first to the second boot of the DomU (since
the vTPM domain instance has been kept alive):

[root@localhost ~]# cat /sys/class/misc/tpm0/device/pcrs
...
PCR-04: 5A 4D CA AA C4 90 19 78 9A CB 7A C9 87 A6 08 A8 7C A2 7B DB
PCR-05: E5 6C FC F9 65 D2 D0 FC 7A 24 7F 42 66 28 D5 F9 D3 10 EF 72
...

[root@localhost ~]# cat /sys/class/misc/tpm0/device/pcrs
...
PCR-04: BB 67 AA F3 9E B6 4B 8F 7E 76 57 7A 16 14 FB 0C B2 57 DF 69
PCR-05: C0 A5 04 68 85 93 1B CD AE 61 F7 DA 49 ED 72 9E 2E D7 06 F0
...


Does anybody know if this is the expected behaviour? Can this be changed?


Thanks!
Jordi.



On 02/10/2014 03:27 PM, Ian Campbell wrote:
> CCing the vTPM maintainer.
>
> On Wed, 2014-02-05 at 17:52 +0100, Jordi Cucurull Juan wrote:
>> Dear all,
>>
>> I have recently configured a Xen 4.3 server with the vTPM enabled and a
>> guest virtual machine that takes advantage of it. After playing a bit
>> with it, I have a few questions:
>>
>> 1.According to the documentation, to shutdown the vTPM stubdom it is
>> only needed to normally shutdown the guest VM. Theoretically, the vTPM
>> stubdom automatically shuts down after this. Nevertheless, if I shutdown
>> the guest the vTPM stubdom continues active and, moreover, I can start
>> the machine again and the values of the vTPM are the last ones there
>> were in the previous instance of the guest. Is this normal?
> I don't know much about vTPM but this seems odd to me. Which toolstack
> are you using? Can you provide details of your config and logs from both
> the startup and shutdown etc please.
>
> I've no clue about #2 or #3 I'm afraid.
>
>> 2.In the documentation it is recommended to avoid accessing the physical
>> TPM from Dom0 at the same time than the vTPM Manager stubdom.
>> Nevertheless, I currently have the IMA and the Trousers enabled in Dom0
>> without any apparent issue. Why is not recommended directly accessing
>> the physical TPM of Dom0?
>>
>> 3.If it is not recommended to directly accessing the physical TPM in
>> Dom0, which is the advisable way to check the integrity of this domain?
>> With solutions such as TBOOT and IntelTXT?
>>
>> Best regards,
>> Jordi.
>>
>>
>>
>> _______________________________________________
>> Xen-devel mailing list
>> Xen-devel@lists.xen.org
>> http://lists.xen.org/xen-devel
>


[-- Attachment #2: conf-domu.cfg --]
[-- Type: text/plain, Size: 356 bytes --]

# Configuration of pv-grub
kernel = "/usr/local/lib/xen/boot/pv-grub-x86_64.gz"
extra= "(hd0,0)/grub/grub.conf"

# Configuration of guest
name = "virtual1"
memory = "512"
disk = [ 'tap:aio:/var/xen/virtual1/virtual1.img,xvda,w' ]
vif = [ 'mac=00:16:3E:5C:48:A2,ip=10.0.0.1' ]
vcpus=1
on_reboot = 'destroy'
on_crash = 'destroy'
vtpm=["backend=domu-vtpm1"]


[-- Attachment #3: conf-vtpm.cfg --]
[-- Type: text/plain, Size: 225 bytes --]

kernel="/usr/local/lib/xen/boot/vtpm-stubdom.gz"
memory=8
disk=["file:/home/jcucurull/Xen/virtual1/vtpm.img,hda,w"]
name="domu-vtpm1"
vtpm=["backend=vtpmmgr,uuid=b85cd52c-d39c-4364-9306-2bfa476be2e2"]
extra="hwinitpcr=none"


[-- Attachment #4: conf-vtpmmgr.cfg --]
[-- Type: text/plain, Size: 145 bytes --]

kernel="/usr/local/lib/xen/boot/vtpmmgr-stubdom.gz"
memory=16
disk=["file:/var/xen/vtpmmgr-stubdom.img,hda,w"]
name="vtpmmgr"
iomem=["fed40,5"]


[-- Attachment #5: enable-domu.log.gz --]
[-- Type: application/x-gzip, Size: 3214 bytes --]

[-- Attachment #6: enable-vtpm.log.gz --]
[-- Type: application/x-gzip, Size: 7172 bytes --]

[-- Attachment #7: enable-vtpmmgr.log.gz --]
[-- Type: application/x-gzip, Size: 3060 bytes --]

[-- Attachment #8: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel