1xen-vtpmmgr(7) Xen xen-vtpmmgr(7)
2
6 Daniel De Graaf <dgdegra@tycho.nsa.gov>
7 Quan Xu <quan.xu@intel.com>
8 This document describes the operation and command line interface of
10 vtpmmgr-stubdom. See xen-vtpm(7) for details on the vTPM subsystem as a
11 whole.
12
14 The TPM Manager has three primary functions:
15 1. Securely store the encryption keys for vTPMs
17 2. Provide a single controlled path of access to the physical TPM
18 3. Provide evidence (via TPM Quotes) of the current configuration
19 When combined with a platform that provides a trusted method for
21 creating domains, the TPM Manager provides assurance that the private
22 keys in a vTPM are only available in specific trusted configurations.
23 The manager accepts commands from the vtpm-stubdom domains via the
25 mini-os TPM backend driver. The vTPM manager communicates directly with
26 hardware TPM using the mini-os tpm_tis driver.
27
29 The TPM Manager's data is secured by using the physical TPM's seal
30 operation, which allows data to be bound to specific PCRs. These PCRs
31 are populated in the physical TPM during the boot process, either by
32 the firmware/BIOS or by a dynamic launch environment such as TBOOT. In
33 order to provide assurance of the system's security, the PCRs used to
34 seal the TPM manager's data must contain measurements for domains used
35 to bootstrap the TPM Manager and vTPMs.
36 Because these measurements are based on hashes, they will change any
38 time that any component of the system is upgraded. Since it is not
39 possible to construct a list of all possible future good measurements,
40 the job of approving configurations is delegated to a third party,
41 referred to here as the system approval agent (SAA). The SAA is
42 identified by its public (RSA) signature key, which is used to sign
43 lists of valid configurations. A single TPM manager can support
44 multiple SAAs via the use of vTPM groups. Each group is associated with
45 a single SAA; this allows the creation of a multi-tenant environment
46 where tenants may not all choose to trust the same SAA.
47 Each vTPM is bound to a vTPM group at the time of its creation. Each
49 vTPM group has its own AIK in the physical TPM for quotes of the
50 hardware TPM state; when used with a conforming Privacy CA, this allows
51 each group on the system to form the basis of a distinct identity.
52
54 When the TPM Manager first boots up, it will create a stub vTPM group
55 along with entries for any vTPMs that communicate with it. This stub
56 group must be provisioned with an SAA and a boot configuration in order
57 to survive a reboot.
58 When a vTPM is connected to the TPM Manager using a UUID that is not
60 recognized, a slot will be created in group 0 for it. In the future,
61 this auto-creation may be restricted to specific UUIDs (such as the
62 all-zero UUID) to enforce the use of the TPM manager as the generator
63 of the UUID. The first vTPM to be connected is given administrative
64 privileges for the TPM Manager, and should be attached to dom0 or a
65 control domain in order to send provisioning commands.
66 Provisioning a vTPM group for the system requires the public key of the
68 SAA and privacy CA data used to certify the AIK (see the TPM spec for
69 details). Once the group is created, a signed list of boot measurements
70 can be installed. The initial group controls the ability to boot the
71 system as a whole, and cannot be deleted once provisioned.
72
74 Command line arguments are passed to the domain via the 'extra'
75 parameter in the VM config file. Each parameter is separated by white
76 space. For example:
77 extra="foo=bar baz"
79 Valid arguments:
81 owner_auth=<AUTHSPEC>
83 srk_auth=<AUTHSPEC>
84 Set the owner and SRK authdata for the TPM. If not specified, the
85 default is 160 zero bits (the well-known auth value). Valid values
86 of <AUTHSPEC> are:
87 well-known
89 Use the well known auth (default)
90 hash:<HASH>
92 Use the given 40-character ASCII hex string
93 text:<STR>
95 Use sha1 hash of <STR>.
96 tpmdriver=<DRIVER>
98 Choose the driver used for communication with the hardware TPM.
99 Values other than tpm_tis should only be used for testing.
100 The possible values of <DRIVER> are:
102 tpm_tis
104 Direct communication with a hardware TPM 1.2. The domain must
105 have access to TPM IO memory. (default)
106 tpmfront
108 Use the Xen tpmfront interface to talk to another domain which
109 provides access to the TPM.
110 The following options only apply to the tpm_tis driver:
112 tpmiomem=<ADDR>
114 The base address of the hardware memory pages of the TPM. The
115 default is 0xfed40000, as defined by the TCG's PC Client spec.
116 tpmirq=<IRQ>
118 The irq of the hardware TPM if using interrupts. A value of "probe"
119 can be set to probe for the irq. A value of 0 disables interrupts
120 and uses polling (default 0).
121 tpmlocality=<LOC>
123 Attempt to use locality <LOC> of the hardware TPM. For full
124 functionality of the TPM Manager, this should be set to "2".
125
127 While the TPM Manager has the ability to check the hash of the vTPM
128 requesting a key, there is currently no trusted method to inform the
129 TPM Manager of the hash of each new domain. Because of this, the TPM
130 Manager trusts the UUID key in Xenstore to identify a vTPM in a trusted
131 manner. The XSM policy may be used to strengthen this assumption if
132 the creation of vTPM-labeled domains is more constrained (for example,
133 only permitted to a domain builder service): the only grants mapped by
134 the TPM Manager should belong to vTPM domains, so restricting the
135 ability to map other domain's granted pages will prevent other domains
136 from directly requesting keys from the TPM Manager. The TPM Manager
137 uses the hash of the XSM label of the attached vTPM as the kernel hash,
138 so vTPMs with distinct labels may be further partitioned using vTPM
139 groups.
140 A domain with direct access to the hardware TPM will be able to decrypt
142 the TPM Manager's disk image if the haredware TPM's PCR values are in a
143 permitted configuration. To protect the TPM Manager's data, the list
144 of permitted configurations should be chosen to include PCRs that
145 measure the hypervisor, domain 0, the TPM Manager, and other critical
146 configuration such as the XSM policy. If the TPM Manager is configured
147 to use locality 2 as recommended, it is safe to permit the hardware
148 domain to access locality 0 (the default in Linux), although concurrent
149 use of the TPM should be avoided as it can result in unexpected busy
150 errors from the TPM driver. The ability to access locality 2 of the
151 TPM should be enforced using IO memory labeling in the XSM policy; the
152 physical address 0xFED42xxx is always locality 2 for TPMs using the TIS
153 driver.
154
156 There is no direct upgrade supported from previous versions of the
157 vtpmmgr domain due to changes in the on-disk format and the method used
158 to seal data. If a vTPM domain supports migration, this feature should
159 be used to migrate the vTPM's data; however, the vTPM packaged with Xen
160 does not yet support migration.
161 If adding migration support to the vTPM is not desired, a simpler
163 migration domain usable only for local migration can be constructed.
164 The migration process would look like the following:
165 1. Start the old vtpmmgr
167 2. Start the vTPM migration domain
168 3. Attach the vTPM migration domain's vtpm/0 device to the old vtpmmgr
169 4. Migration domain executes vtpmmgr_LoadHashKey on vtpm/0
170 5. Start the new vtpmmgr, possibly shutting down the old one first
171 6. Attach the vTPM migration domain's vtpm/1 device to the new vtpmmgr
172 7. Migration domain executes vtpmmgr_SaveHashKey on vtpm/1
173 This requires the migration domain to be added to the list of valid
175 vTPM kernel hashes. In the current version of the vtpmmgr domain, this
176 is the hash of the XSM label, not the kernel.
177
179 Manager disk image setup:
180 The vTPM Manager requires a disk image to store its encrypted data. The
181 image does not require a filesystem and can live anywhere on the host
182 disk. The image is not large; the Xen 4.5 vtpmmgr is limited to using
183 the first 2MB of the image but can support more than 20,000 vTPMs.
184 dd if=/dev/zero of=/home/vtpm2/vmgr bs=16M count=1
186 Manager config file:
188 The vTPM Manager domain (vtpmmgr-stubdom) must be started like any
189 other Xen virtual machine and requires a config file. The manager
190 requires a disk image for storage and permission to access the hardware
191 memory pages for the TPM. The disk must be presented as "hda", and the
192 TPM memory pages are passed using the iomem configuration parameter.
193 The TPM TIS uses 5 pages of IO memory (one per locality) that start at
194 physical address 0xfed40000. By default, the TPM manager uses locality
195 0 (so only the page at 0xfed40 is needed).
196 Add:
198 extra="tpm2=1"
200 extra option to launch vtpmmgr-stubdom domain on TPM 2.0, and ignore it
202 on TPM 1.x. for example:
203 kernel="/usr/lib/xen/boot/vtpmmgr-stubdom.gz"
205 memory=128
206 disk=["file:/home/vtpm2/vmgr,hda,w"]
207 name="vtpmmgr"
208 iomem=["fed40,5"]
209 extra="tpm2=1"
210 Key Hierarchy
212 +------------------+
213 | vTPM's secrets | ...
214 +------------------+
215 | ^
216 | |(Bind / Unbind)
217 - - - - - -v |- - - - - - - - TPM 2.0
218 +------------------+
219 | SK +
220 +------------------+
221 | ^
222 v |
223 +------------------+
224 | SRK |
225 +------------------+
226 | ^
227 v |
228 +------------------+
229 | TPM 2.0 Storage |
230 | Primary Seed |
231 +------------------+
232 Now the secrets for the vTPMs are only being bound to the presence of
234 thephysical TPM 2.0. Since using PCRs to seal the data can be an
235 important security feature that users of the vtpmmgr rely on. I will
236 replace TPM2_Bind/TPM2_Unbind with TPM2_Seal/TPM2_Unseal to provide as
237 much security as it did for TPM 1.2 in later series of patch.
238 Design Overview
240 The architecture of vTPM subsystem on TPM 2.0 is described below:
241 +------------------+
243 | Linux DomU | ...
244 | | ^ |
245 | v | |
246 | xen-tpmfront |
247 +------------------+
248 | ^
249 v |
250 +------------------+
251 | mini-os/tpmback |
252 | | ^ |
253 | v | |
254 | vtpm-stubdom | ...
255 | | ^ |
256 | v | |
257 | mini-os/tpmfront |
258 +------------------+
259 | ^
260 v |
261 +------------------+
262 | mini-os/tpmback |
263 | | ^ |
264 | v | |
265 | vtpmmgr-stubdom |
266 | | ^ |
267 | v | |
268 | mini-os/tpm2_tis |
269 +------------------+
270 | ^
271 v |
272 +------------------+
273 | Hardware TPM 2.0 |
274 +------------------+
275 Linux DomU
277 The Linux based guest that wants to use a vTPM. There many be more
278 than one of these.
279 xen-tpmfront.ko
281 Linux kernel virtual TPM frontend driver. This driver provides vTPM
282 access to a para-virtualized Linux based DomU.
283 mini-os/tpmback
285 Mini-os TPM backend driver. The Linux frontend driver connects to
286 this backend driver to facilitate communications between the Linux
287 DomU and its vTPM. This driver is also used by vtpmmgr-stubdom to
288 communicate with vtpm-stubdom.
289 vtpm-stubdom
291 A mini-os stub domain that implements a vTPM. There is a one to one
292 mapping between running vtpm-stubdom instances and logical vtpms on
293 the system. The vTPM Platform Configuration Registers (PCRs) are
294 all initialized to zero.
295 mini-os/tpmfront
297 Mini-os TPM frontend driver. The vTPM mini-os domain vtpm-stubdom
298 uses this driver to communicate with vtpmmgr-stubdom. This driver
299 could also be used separately to implement a mini-os domain that
300 wishes to use a vTPM of its own.
301 vtpmmgr-stubdom
303 A mini-os domain that implements the vTPM manager. There is only
304 one vTPM manager and it should be running during the entire
305 lifetime of the machine. This domain regulates access to the
306 physical TPM on the system and secures the persistent state of each
307 vTPM.
308 mini-os/tpm2_tis
310 Mini-os TPM version 2.0 TPM Interface Specification (TIS) driver.
311 This driver used by vtpmmgr-stubdom to talk directly to the
312 hardware TPM 2.0. Communication is facilitated by mapping hardware
313 memory pages into vtpmmgr-stubdom.
314 Hardware TPM 2.0
316 The physical TPM 2.0 that is soldered onto the motherboard.
317 Noted:
319 functionality for a virtual guest operating system (a DomU) is
320 still TPM 1.2.
3214.11.1 2018-11-29 xen-vtpmmgr(7)