path: root/docs/misc/vtpm.txt
Copyright: IBM Corporation (C), Intel Corporation
17 August 2005
Authors: Stefan Berger <stefanb@us.ibm.com> (IBM),
         Employees of Intel Corp

This document gives a short introduction to the virtual TPM support
in XEN and goes as far as connecting a user domain to a virtual TPM
instance and doing a short test to verify success. It is assumed
that the user is fairly familiar with compiling and installing XEN
and Linux on a machine.

Production Prerequisites: An x86-based machine with an ATMEL or
National Semiconductor (NSC) TPM on the motherboard.
Development Prerequisites: An emulator for TESTING ONLY is provided.


Compiling XEN tree:
-------------------

Compile the XEN tree as usual after setting the following lines in the
linux-2.6.??-xen/.config file:

CONFIG_XEN_TPMDEV_BACKEND=y
CONFIG_XEN_TPMDEV_GRANT=y

CONFIG_TCG_TPM=m
CONFIG_TCG_NSC=m
CONFIG_TCG_ATMEL=m

You must also enable the virtual TPM to be built:

In Config.mk in the Xen root directory set the line

VTPM_TOOLS ?= y

Now build the Xen sources from Xen's root directory:

make install


Also build the initial RAM disk if necessary.

Reboot the machine with the created Xen kernel.

Note: If you do not want any TPM-related code compiled into your
kernel or built as a module, then comment out all the above lines as
in this example:
# CONFIG_TCG_TPM is not set


Modifying VM Configuration files:
---------------------------------

VM configuration files need to be adapted to make a TPM instance
available to a user domain. The following VM configuration file is
an example of how a user domain can be configured to have a TPM
available. It works similarly to making a network interface
available to a domain.

kernel = "/boot/vmlinuz-2.6.12-xenU"
ramdisk = "/xen/initrd_domU/U1_ramdisk.img"
memory = 32
name = "TPMUserDomain0"
vtpm = ['instance=1,backend=0']
root = "/dev/ram0 console=tty ro"
vif = ['backend=0']

In the above configuration file the line 'vtpm = ...' provides
information about the domain where the virtual TPM is running and
into which the TPM backend has been compiled (this has to be
domain 0 at the moment), and which TPM instance the user domain
is supposed to talk to. Note that each running VM must use a
different instance and that using instance 0 is NOT allowed. The
instance parameter is taken as the desired instance number, but
the actual instance number that is assigned to the virtual machine
can be different. This is the case if, for example, that particular
instance is already used by another virtual machine. The association
of which TPM instance number is used by which virtual machine is
kept in the file /etc/xen/vtpm.db. Associations are maintained by
domain name and instance number.

Note: If you do not want TPM functionality for your user domain simply
leave out the 'vtpm' line in the configuration file.
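As an added example (not part of this document or of the Xen tree), the following Python check applies the rules above to a set of xm domain configuration files: a vtpm entry must not request instance 0, the backend must be domain 0, and two domains requesting the same instance are flagged, since the manager would otherwise silently hand one of them a different instance than it asked for. File names and sample contents are constructed.

```python
import ast

# Constructed sample xm domain configs (not from the Xen tree), keyed by file name.
SAMPLE_CONFIGS = {
    "u0.cfg": "name = \"TPMUserDomain0\"\nvtpm = ['instance=1,backend=0']\nvif = ['backend=0']\n",
    "u1.cfg": "name = \"TPMUserDomain1\"\nvtpm = ['instance=0,backend=0']\n",  # instance 0 is forbidden
    "u2.cfg": "name = \"TPMUserDomain2\"\nvtpm = ['instance=1,backend=1']\n",  # collides with u0, wrong backend
    "u3.cfg": "name = \"NoTpmDomain\"\nmemory = 32\n",                          # no vtpm line: no TPM
}

def parse_xm_config(text):
    """Parse the 'key = value' lines of an xm config; values are Python literals."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = ast.literal_eval(value.strip())
    return cfg

def parse_vtpm_entry(entry):
    """Turn 'instance=1,backend=0' into {'instance': 1, 'backend': 0}."""
    params = {}
    for item in entry.split(","):
        key, _, value = item.partition("=")
        params[key.strip()] = int(value.strip())
    return params

def check_vtpm_configs(configs):
    """Return (file, message) findings for the vtpm lines; an empty list means all OK."""
    findings = []
    requested = {}  # instance number -> first file that asked for it
    for fname, text in configs.items():
        cfg = parse_xm_config(text)
        if "vtpm" not in cfg:
            continue  # no vtpm line means no TPM for this domain, which is allowed
        for entry in cfg["vtpm"]:
            params = parse_vtpm_entry(entry)
            if "instance" not in params:
                findings.append((fname, "vtpm entry has no instance= parameter"))
                continue
            inst = params["instance"]
            if inst == 0:
                findings.append((fname, "instance 0 is not allowed"))
            if params.get("backend", 0) != 0:
                findings.append((fname, "backend must be domain 0, got %d" % params["backend"]))
            if inst in requested:
                findings.append((fname, "instance %d already requested by %s" % (inst, requested[inst])))
            else:
                requested[inst] = fname
    return findings
```

The check only covers the instances requested in the configuration files; the instances actually assigned are recorded in /etc/xen/vtpm.db.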


Running the TPM:
----------------

To run the vTPM, the device node /dev/vtpm must be available.
Verify that 'ls -l /dev/vtpm' shows the following output:

crw-------  1 root root 10, 225 Aug 11 06:58 /dev/vtpm

If it is not available, run the following command as 'root':
mknod /dev/vtpm c 10 225

Make sure that the vTPM is running in domain 0. To do this, run the
following:

/usr/bin/vtpm_managerd

Start a user domain using the 'xm create' command. Once you are in the
shell of the user domain, you should be able to do the following:

> cd /sys/devices/vtpm
> ls
cancel  caps   pcrs    pubek
> cat pcrs
PCR-00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-02: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-07: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[...]

At this point the user domain has been successfully connected to its
virtual TPM instance.

For further information please read the documentation in
tools/vtpm_manager/README and tools/vtpm/README

Stefan Berger and Employees of the Intel Corp