[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v3 0/5] QEMU:Xen stubdom vTPM for HVM virtual ma
From: |
Stefano Stabellini |
Subject: |
Re: [Qemu-devel] [PATCH v3 0/5] QEMU:Xen stubdom vTPM for HVM virtual machine |
Date: |
Mon, 19 Jan 2015 17:52:30 +0000 |
User-agent: |
Alpine 2.02 (DEB 1266 2009-07-14) |
On Mon, 19 Jan 2015, Stefano Stabellini wrote:
> Hi Quan,
> thanks for the update: this version is much much better than the
> previous one.
>
> I am not familiar enough with QAPI, HMP and TPM to review the first and
> the last patches though.
I meant the first and the fourth. The last one is fine.
> Cheers,
>
> Stefano
>
>
> On Tue, 30 Dec 2014, Quan Xu wrote:
> > *INTRODUCTION*
> > The goal of virtual Trusted Platform Module (vTPM) is to provide a TPM
> > functionality to virtual machines (Fedora, Ubuntu, Redhat, Windows .etc).
> > This allows programs to interact with a TPM in a virtual machine the same
> > way they interact with a TPM on the physical system. Each virtual machine
> > gets its own unique, emulated, software TPM. Each major component of vTPM
> > is implemented as a stubdom, providing secure separation guaranteed by the
> > hypervisor.
> >
> > The vTPM stubdom is a Xen mini-OS domain that emulates a TPM for the
> > virtual machine to use. It is a small wrapper around the Berlios TPM
> > emulator. TPM commands are passed from mini-os TPM backend driver.
> >
> > *ARCHITECTURE*
> > The architecture of stubdom vTPM for HVM virtual machine:
> >
> > +--------------------+
> > | Windows/Linux DomU | ...
> > | | ^ |
> > | v | |
> > | Qemu tpm1.2 Tis |
> > | | ^ |
> > | v | |
> > | XenStubdoms backend|
> > +--------------------+
> > | ^
> > v |
> > +--------------------+
> > | XenDevOps |
> > +--------------------+
> > | ^
> > v |
> > +--------------------+
> > | mini-os/tpmback |
> > | | ^ |
> > | v | |
> > | vtpm-stubdom | ...
> > | | ^ |
> > | v | |
> > | mini-os/tpmfront |
> > +--------------------+
> > | ^
> > v |
> > +--------------------+
> > | mini-os/tpmback |
> > | | ^ |
> > | v | |
> > | vtpmmgr-stubdom |
> > | | ^ |
> > | v | |
> > | mini-os/tpm_tis |
> > +--------------------+
> > | ^
> > v |
> > +--------------------+
> > | Hardware TPM |
> > +--------------------+
> >
> >
> >
> > * Windows/Linux DomU:
> > The HVM based guest that wants to use a vTPM. There may be
> > more than one of these.
> >
> > * Qemu tpm1.2 Tis:
> > Implementation of the tpm1.2 Tis interface for HVM virtual
> > machines. It is Qemu emulation device.
> >
> > * vTPM xenstubdoms driver:
> > Qemu vTPM driver. This driver provides vtpm initialization
> > and sending data and commends to a para-virtualized vtpm
> > stubdom.
> >
> > * XenDevOps:
> > Register Xen stubdom vTPM frontend driver, and transfer any
> > request/repond between TPM xenstubdoms driver and Xen vTPM
> > stubdom. Facilitate communications between Xen vTPM stubdom
> > and vTPM xenstubdoms driver.
> >
> > * mini-os/tpmback:
> > Mini-os TPM backend driver. The Linux frontend driver connects
> > to this backend driver to facilitate communications between the
> > Linux DomU and its vTPM. This driver is also used by vtpmmgr
> > stubdom to communicate with vtpm-stubdom.
> >
> > * vtpm-stubdom:
> > A mini-os stub domain that implements a vTPM. There is a
> > one to one mapping between running vtpm-stubdom instances and
> > logical vtpms on the system. The vTPM Platform Configuration
> > Registers (PCRs) are all initialized to zero.
> >
> > * mini-os/tpmfront:
> > Mini-os TPM frontend driver. The vTPM mini-os domain vtpm
> > stubdom uses this driver to communicate with vtpmmgr-stubdom.
> > This driver could also be used separately to implement a mini-os
> > domain that wishes to use a vTPM of its own.
> >
> > * vtpmmgr-stubdom:
> > A mini-os domain that implements the vTPM manager. There is only
> > one vTPM manager and it should be running during the entire lifetime
> > of the machine. vtpmmgr domain securely stores encryption keys for
> > each of the vtpms and accesses to the hardware TPM to get the root of
> > trust for the entire system.
> >
> > * mini-os/tpm_tis:
> > Mini-os TPM version 1.2 TPM Interface Specification (TIS) driver.
> > This driver used by vtpmmgr-stubdom to talk directly to the hardware
> > TPM. Communication is facilitated by mapping hardware memory pages
> > into vtpmmgr stubdom.
> >
> > * Hardware TPM: The physical TPM 1.2 that is soldered onto the motherboard.
> >
> > --Changes in v3:
> > -New xen_frontend.c file
> > -Adjust the format of command line options
> > -Move xenbus_switch_state() to xen_frontend.c
> > -Move xen_stubdom_be() to xenstore_fe_read_be_str()
> > -Move *_stubdom_*() to *_fe_*()
> > -Move xen_stubdom_vtpm.c to xen_vtpm_frontend.c
> > -Read Xen vTPM status via XenStore
> > -Call vtpm_send() and vtpm_recv() directly.
> >
> > --Changes in v2:
> > -adding xen_fe_register() that handle any Xen PV frontend registration
> > -remove a private structure 'QEMUBH'
> > -change version number to 2.3 in qapi-schema.json
> > -move hw/xen/xen_stubdom_vtpm.c to hw/tpm/xen_stubdom_vtpm.c
> >
> > Quan Xu (5):
> > Qemu-Xen-vTPM: Support for Xen stubdom vTPM command line options
> > Qemu-Xen-vTPM: Xen frontend driver infrastructure
> > Qemu-Xen-vTPM: Register Xen stubdom vTPM frontend driver
> > Qemu-Xen-vTPM: Qemu vTPM xenstubdoms backen.
> > Qemu-Xen-vTPM: QEMU machine class is initialized before tpm_init()
> >
> > configure | 14 ++
> > hmp.c | 7 +
> > hw/tpm/Makefile.objs | 1 +
> > hw/tpm/tpm_xenstubdoms.c | 245 ++++++++++++++++++++++++++++++++
> > hw/tpm/xen_vtpm_frontend.c | 264 +++++++++++++++++++++++++++++++++++
> > hw/xen/Makefile.objs | 2 +-
> > hw/xen/xen_backend.c | 45 +++++-
> > hw/xen/xen_frontend.c | 323
> > +++++++++++++++++++++++++++++++++++++++++++
> > include/hw/xen/xen_backend.h | 19 +++
> > include/hw/xen/xen_common.h | 6 +
> > qapi-schema.json | 19 ++-
> > qemu-options.hx | 13 +-
> > tpm.c | 7 +-
> > vl.c | 16 ++-
> > xen-hvm.c | 16 +++
> > 15 files changed, 983 insertions(+), 14 deletions(-)
> > create mode 100644 hw/tpm/tpm_xenstubdoms.c
> > create mode 100644 hw/tpm/xen_vtpm_frontend.c
> > create mode 100644 hw/xen/xen_frontend.c
> >
> > --
> > 1.8.3.2
> >
>