ia64/xen-unstable

changeset 10791:110c1e853c53

[VTPM] Add a description for vTPM usage to the user docs.

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
Signed-off-by: Vincent Scarlata <vincent.r.scarlata@intel.com>
author kfraser@localhost.localdomain
date Tue Jul 25 16:00:19 2006 +0100 (2006-07-25)
parents 33aca302b610
children 49f874c0bd98
files docs/src/user.tex
line diff
     1.1 --- a/docs/src/user.tex	Tue Jul 25 15:58:35 2006 +0100
     1.2 +++ b/docs/src/user.tex	Tue Jul 25 16:00:19 2006 +0100
     1.3 @@ -1374,8 +1374,136 @@ To configure a domU to receive a PCI dev
     1.4  %% There are two possible types of privileges: IO privileges and
     1.5  %% administration privileges.
     1.6  
     1.7 -
     1.8 -
     1.9 +\section{Support for virtual Trusted Platform Module (vTPM)}
    1.10 +\label{ss:vtpm}
    1.11 +
    1.12 +Paravirtualized domains can be given access to a virtualized version
    1.13 +of a TPM. This enables applications in these domains to use the services
    1.14 +of the TPM device for example through a TSS stack
    1.15 +\footnote{Trousers TSS stack: http://sourceforge.net/projects/trousers}.
    1.16 +The Xen source repository provides the necessary software components to
    1.17 +enable virtual TPM access. Support is provided through several
    1.18 +different pieces. First, a TPM emulator has been modified to provide TPM's
    1.19 +functionality for the virtual TPM subsystem. Second, a virtual TPM Manager
    1.20 +coordinates the virtual TPMs efforts, manages their creation, and provides
    1.21 +protected key storage using the TPM. Third, a device driver pair providing
    1.22 +a TPM front- and backend is available for XenLinux to deliver TPM commands
    1.23 +from the domain to the virtual TPM manager, which dispatches it to a
    1.24 +software TPM. Since the TPM Manager relies on a HW TPM for protected key
    1.25 +storage, therefore this subsystem requires a Linux-supported hardware TPM.
    1.26 +For development purposes, a TPM emulator is available for use on non-TPM
    1.27 +enabled platforms.
    1.28 +
    1.29 +\subsubsection{Compile-Time Setup}
    1.30 +To enable access to the virtual TPM, the virtual TPM backend driver must
    1.31 +be compiled for a privileged domain (e.g. domain 0). Using the XenLinux
    1.32 +configuration, the necessary driver can be selected in the Xen configuration
    1.33 +section. Unless the driver has been compiled into the kernel, its module
    1.34 +must be activated using the following command:
    1.35 +
    1.36 +\begin{verbatim}
    1.37 +modprobe tpmbk
    1.38 +\end{verbatim}
    1.39 +
    1.40 +Similarly, the TPM frontend driver must be compiled for the kernel trying
    1.41 +to use TPM functionality. Its driver can be selected in the kernel
    1.42 +configuration section Device Driver / Character Devices / TPM Devices.
    1.43 +Along with that the TPM driver for the built-in TPM must be selected.
    1.44 +If the virtual TPM driver has been compiled as module, it
    1.45 +must be activated using the following command:
    1.46 +
    1.47 +\begin{verbatim}
    1.48 +modprobe tpm_xenu
    1.49 +\end{verbatim}
    1.50 +
    1.51 +Furthermore, it is necessary to build the virtual TPM manager and software
    1.52 +TPM by making changes to entries in Xen build configuration files.
    1.53 +The following entry in the file Config.mk in the Xen root source
    1.54 +directory must be made:
    1.55 +
    1.56 +\begin{verbatim}
    1.57 +VTPM_TOOLS ?= y
    1.58 +\end{verbatim}
    1.59 +
    1.60 +After a build of the Xen tree and a reboot of the machine, the TPM backend
    1.61 +drive must be loaded. Once loaded, the virtual TPM manager daemon
    1.62 +must be started before TPM-enabled guest domains may be launched.
    1.63 +To enable being the destination of a virtual TPM Migration, the virtual TPM
    1.64 +migration daemon must also be loaded.
    1.65 +
    1.66 +\begin{verbatim}
    1.67 +vtpm_managerd
    1.68 +\end{verbatim}
    1.69 +\begin{verbatim}
    1.70 +vtpm_migratord
    1.71 +\end{verbatim}
    1.72 +
    1.73 +Once the VTPM manager is running, the VTPM can be accessed by loading the
    1.74 +front end driver in a guest domain.
    1.75 +
    1.76 +\subsubsection{Development and Testing TPM Emulator}
    1.77 +For development and testing on non-TPM enabled platforms, a TPM emulator
    1.78 +can be used in replacement of a platform TPM. First, the entry in the file
    1.79 +tools/vtpm/Rules.mk must look as follows:
    1.80 +
    1.81 +\begin{verbatim}
    1.82 +BUILD_EMULATOR = y
    1.83 +\end{verbatim}
    1.84 +
    1.85 +Second, the entry in the file tool/vtpm_manager/Rules.mk must be uncommented
    1.86 +as follows:
    1.87 +
    1.88 +\begin{verbatim}
    1.89 +# TCS talks to fifo's rather than /dev/tpm. TPM Emulator assumed on fifos
    1.90 +CFLAGS += -DDUMMY_TPM
    1.91 +\end{verbatim}
    1.92 +
    1.93 +Before starting the virtual TPM Manager, start the emulator by executing
    1.94 +the following in dom0:
    1.95 +
    1.96 +\begin{verbatim}
    1.97 +tpm_emulator clear
    1.98 +\end{verbatim}
    1.99 +
   1.100 +\subsubsection{vTPM Frontend Configuration}
   1.101 +To provide TPM functionality to a user domain, a line must be added to
   1.102 +the virtual TPM configuration file using the following format:
   1.103 +
   1.104 +\begin{verbatim}
   1.105 +vtpm = ['instance=<instance number>, backend=<domain id>']
   1.106 +\end{verbatim}
   1.107 +
   1.108 +The { \it instance number} reflects the preferred virtual TPM instance
   1.109 +to associate with the domain. If the selected instance is
   1.110 +already associated with another domain, the system will automatically
   1.111 +select the next available instance. An instance number greater than
   1.112 +zero must be provided. It is possible to omit the instance
   1.113 +parameter from the configuration file.
   1.114 +
   1.115 +The {\it domain id} provides the ID of the domain where the
   1.116 +virtual TPM backend driver and virtual TPM are running in. It should
   1.117 +currently always be set to '0'.
   1.118 +
   1.119 +
   1.120 +Examples for valid vtpm entries in the configuration file are
   1.121 +
   1.122 +\begin{verbatim}
   1.123 + vtpm = ['instance=1, backend=0']
   1.124 +\end{verbatim}
   1.125 +and
   1.126 +\begin{verbatim}
   1.127 + vtpm = ['backend=0'].
   1.128 +\end{verbatim}
   1.129 +
   1.130 +\subsubsection{Using the virtual TPM}
   1.131 +
   1.132 +Access to TPM functionality is provided by the virtual TPM frontend driver.
   1.133 +Similar to existing hardware TPM drivers, this driver provides basic TPM
   1.134 +status information through the {\it sysfs} filesystem. In a Xen user domain
   1.135 +the sysfs entries can be found in /sys/devices/xen/vtpm-0.
   1.136 +
   1.137 +Commands can be sent to the virtual TPM instance using the character
   1.138 +device /dev/tpm0 (major 10, minor 224).
   1.139  
   1.140  % Chapter Storage and FileSytem Management
   1.141  \chapter{Storage and File System Management}
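Review bot: the path at 1.85, "tool/vtpm_manager/Rules.mk", is inconsistent with "tools/vtpm/Rules.mk" at 1.79 and with the tools/ tree the rest of the section refers to; a reader following the emulator setup will not find the file, so this should presumably read "tools/vtpm_manager/Rules.mk". Two further points in the same hunk. At 1.101-1.102 the text says the vtpm line goes into "the virtual TPM configuration file", but the entry shown at 1.105 is a domain configuration option and belongs in the guest's domain config file; naming it that way avoids sending readers looking for a separate vTPM config. At 1.76-1.98 the emulator setup (BUILD_EMULATOR = y, -DDUMMY_TPM, tpm_emulator clear) silently removes the property stated at 1.20-1.21 and 1.24-1.25, namely that the manager's key storage is protected by a hardware TPM; one sentence saying that with the emulator the vTPM key material is protected only by dom0's filesystem and that this configuration is for development only would stop the snippet being copied into production builds. Smaller fixes: 1.61 "drive" should be "driver"; 1.24-1.25 "Since ... therefore" should drop "therefore"; 1.18 "TPM's functionality" reads better as "TPM functionality"; 1.108 "{ \it instance number}" has a stray space (compare "{\it domain id}" at 1.115); the trailing period inside the verbatim block at 1.127 will be typeset as part of the config line; the line break before \footnote at 1.14-1.15 inserts a space before the footnote marker, so end 1.14 with "%" or keep \footnote on the same line; and \section at 1.9 is followed directly by \subsubsection at 1.29, skipping the \subsection level, which will give odd numbering in the generated manual.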