source: trunk/packages/xen-3.1/xen-3.1/docs/misc/vtpm.txt @ 34

Last change on this file since 34 was 34, checked in by hartmans, 18 years ago

Add xen and xen-common

Copyright: IBM Corporation (C), Intel Corporation
29 June 2006
Authors: Stefan Berger <stefanb@us.ibm.com> (IBM),
         Employees of Intel Corp

This document gives a short introduction to the virtual TPM support
in XEN and goes as far as connecting a user domain to a virtual TPM
instance and doing a short test to verify success. It is assumed
that the user is fairly familiar with compiling and installing XEN
and Linux on a machine.

Production Prerequisites: An x86-based machine with a
Linux-supported TPM on the motherboard (NSC, Atmel, Infineon, TPM V1.2).
Development Prerequisites: An emulator for TESTING ONLY is provided.

Compiling the XEN tree:
-----------------------

Compile the XEN tree as usual after setting the following lines in the
linux-2.6.??-xen/.config file:

CONFIG_XEN_TPMDEV_BACKEND=m

CONFIG_TCG_TPM=m
CONFIG_TCG_TIS=m      (supported after 2.6.17-rc4)
CONFIG_TCG_NSC=m
CONFIG_TCG_ATMEL=m
CONFIG_TCG_INFINEON=m
CONFIG_TCG_XEN=m
<possible other TPM drivers supported by Linux>

If the frontend driver needs to be compiled into the user domain
kernel, then the following two lines should be changed to:

CONFIG_TCG_TPM=y
CONFIG_TCG_XEN=y


You must also enable the virtual TPM to be built:

In Config.mk in the Xen root directory set the line

VTPM_TOOLS ?= y

and in

tools/vtpm/Rules.mk set the line

BUILD_EMULATOR = y

Now build the Xen sources from Xen's root directory:

make install


Also build the initial RAM disk if necessary.

Reboot the machine with the created Xen kernel.

Note: If you do not want any TPM-related code compiled into your
kernel or built as a module, then comment out all the above lines like
this example:
# CONFIG_TCG_TPM is not set

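The options above are easy to get wrong when editing a large .config by hand (an option can be "=y", "=m" or commented out as "is not set"). The following checker is an added example, not part of the Xen tree or its build: it parses .config text and reports which of the options listed in this document are missing for a domain 0 (backend) kernel or a user domain (frontend) kernel. The option names are the ones listed above; the grouping into "dom0 required", "hardware drivers" and "domU required" is this example's own interpretation, and the embedded .config fragments are constructed samples.

```python
"""Check a Linux .config for the vTPM options this document lists.

Added example (not Xen code). Understands the three states a Kconfig
option has in .config: "CONFIG_X=y", "CONFIG_X=m" and
"# CONFIG_X is not set". The groupings below are this example's own
interpretation of the document's list.
"""
import re

# Options the domain 0 kernel needs (backend side).
DOM0_REQUIRED = ("CONFIG_XEN_TPMDEV_BACKEND", "CONFIG_TCG_TPM")
# Hardware TPM drivers: dom0 needs at least one of these for the real TPM.
DOM0_HW_DRIVERS = ("CONFIG_TCG_TIS", "CONFIG_TCG_NSC",
                   "CONFIG_TCG_ATMEL", "CONFIG_TCG_INFINEON")
# Options the user domain kernel needs (frontend side).
DOMU_REQUIRED = ("CONFIG_TCG_TPM", "CONFIG_TCG_XEN")

_SET_RE = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(\S+)\s*$")
_UNSET_RE = re.compile(r"^#\s*(CONFIG_[A-Z0-9_]+) is not set\s*$")


def parse_config(text):
    """Map option name -> 'y' | 'm' | 'n' (not set) | other raw value."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = _UNSET_RE.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def enabled(opts, name, builtin_only=False):
    """True if the option is built in, or a module when modules are acceptable."""
    value = opts.get(name, "n")
    return value == "y" or (value == "m" and not builtin_only)


def check_dom0(opts):
    """Return a list of problems for a domain 0 kernel config (empty = OK)."""
    problems = [o for o in DOM0_REQUIRED if not enabled(opts, o)]
    if not any(enabled(opts, o) for o in DOM0_HW_DRIVERS):
        problems.append("no hardware TPM driver (one of %s)"
                        % ", ".join(DOM0_HW_DRIVERS))
    return problems


def check_domu(opts, frontend_builtin=False):
    """Return problems for a user domain kernel config.

    With frontend_builtin=True the frontend must be =y (the document's
    "compiled into the user domain kernel" case), so =m is reported."""
    return [o for o in DOMU_REQUIRED
            if not enabled(opts, o, builtin_only=frontend_builtin)]


# Constructed .config fragments for demonstration.
SAMPLE_DOM0_CONFIG = """\
CONFIG_XEN_TPMDEV_BACKEND=m
CONFIG_TCG_TPM=m
# CONFIG_TCG_TIS is not set
CONFIG_TCG_NSC=m
CONFIG_TCG_XEN=m
CONFIG_LOCALVERSION="-xen"
"""

SAMPLE_DOMU_CONFIG = """\
CONFIG_TCG_TPM=y
CONFIG_TCG_XEN=m
"""

if __name__ == "__main__":
    print("dom0 problems:", check_dom0(parse_config(SAMPLE_DOM0_CONFIG)))
    print("domU problems (frontend as module):",
          check_domu(parse_config(SAMPLE_DOMU_CONFIG)))
    print("domU problems (frontend built in):",
          check_domu(parse_config(SAMPLE_DOMU_CONFIG), frontend_builtin=True))
```

Run it against a real file with `check_dom0(parse_config(open(".config").read()))`; an empty list means every option this document asks for is present.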

Modifying VM Configuration files:
---------------------------------

VM configuration files need to be adapted to make a TPM instance
available to a user domain. The following VM configuration file is
an example of how a user domain can be configured to have a TPM
available. It works similarly to making a network interface
available to a domain.

kernel = "/boot/vmlinuz-2.6.x"
ramdisk = "/xen/initrd_domU/U1_ramdisk.img"
memory = 32
name = "TPMUserDomain0"
vtpm = ['instance=1,backend=0']
root = "/dev/ram0 console=tty ro"
vif = ['backend=0']

In the above configuration file the line 'vtpm = ...' provides
information about the domain where the virtual TPM is running and
into which the TPM backend has been compiled - this has to be
domain 0 at the moment - and which TPM instance the user domain
is supposed to talk to. Note that each running VM must use a
different instance and that using instance 0 is NOT allowed. The
instance parameter is taken as the desired instance number, but
the actual instance number that is assigned to the virtual machine
can be different. This is the case if, for example, that particular
instance is already used by another virtual machine. The association
of which TPM instance number is used by which virtual machine is
kept in the file /etc/xen/vtpm.db. Associations are maintained by
domain name and instance number.

Note: If you do not want TPM functionality for your user domain simply
leave out the 'vtpm' line in the configuration file.

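The rules in the paragraph above (backend must be domain 0, instance 0 is forbidden, every running VM gets a distinct instance, and the instance actually assigned may differ from the one requested) are what the management tools enforce when a domain is created. The following is an added example that is not Xen's own code (xm/xend do this in the real tool chain): it extracts the 'vtpm = [...]' entry from a VM configuration, validates it, and resolves the requested instance against the per-domain associations. Because the document does not describe the on-disk format of /etc/xen/vtpm.db, the association store is modelled as an in-memory dict keyed by domain name; nothing is read from or written to the real file, and the embedded configuration is a constructed sample.

```python
"""Validate a 'vtpm = [...]' VM configuration entry and resolve the
instance number the way the document describes.

Added example, not Xen's own code. The vtpm.db association store is
modelled as an in-memory dict {domain name: instance} because the
document does not give the file's format.
"""
import re

_VTPM_LINE_RE = re.compile(r"^\s*vtpm\s*=\s*\[\s*'([^']*)'\s*\]")


def vtpm_entry_from_config(config_text):
    """Return the string inside vtpm = ['...'], or None if the line is absent
    (the document says leaving it out simply means no TPM for the domain)."""
    for line in config_text.splitlines():
        m = _VTPM_LINE_RE.match(line)
        if m:
            return m.group(1)
    return None


def parse_vtpm_entry(entry):
    """Turn 'instance=1,backend=0' into {'instance': 1, 'backend': 0}.

    Enforces the two rules stated in the document: the backend must be
    domain 0 and instance 0 is not allowed."""
    params = {}
    for kv in entry.split(","):
        if "=" not in kv:
            raise ValueError("malformed vtpm parameter: %r" % kv)
        key, value = (s.strip() for s in kv.split("=", 1))
        params[key] = value
    backend = int(params.get("backend", "0"))
    if backend != 0:
        raise ValueError("vTPM backend must be domain 0, got %d" % backend)
    if "instance" not in params:
        raise ValueError("vtpm entry lacks an instance number")
    instance = int(params["instance"])
    if instance == 0:
        raise ValueError("instance 0 is not allowed")
    return {"instance": instance, "backend": backend}


def entry_is_valid(entry):
    """Convenience wrapper: True if parse_vtpm_entry accepts the entry."""
    try:
        parse_vtpm_entry(entry)
        return True
    except ValueError:
        return False


def assign_instance(associations, domain, requested):
    """Resolve the instance number for 'domain'.

    associations: dict domain name -> instance already in use (the
    in-memory stand-in for vtpm.db). A domain that already has an
    association keeps it. Otherwise the requested number is used if
    free; if another domain holds it, the next free number (never 0)
    is chosen, which is why the assigned instance can differ from the
    requested one. The dict is updated in place."""
    if domain in associations:
        return associations[domain]
    if requested < 1:
        raise ValueError("instance 0 is not allowed")
    in_use = set(associations.values())
    instance = requested
    while instance in in_use:
        instance += 1
    associations[domain] = instance
    return instance


# Constructed VM configuration, modelled on the document's example.
SAMPLE_CONFIG = """\
kernel = "/boot/vmlinuz-2.6.x"
memory = 32
name = "TPMUserDomain0"
vtpm = ['instance=1,backend=0']
vif = ['backend=0']
"""

if __name__ == "__main__":
    entry = vtpm_entry_from_config(SAMPLE_CONFIG)
    wanted = parse_vtpm_entry(entry)
    db = {"OtherDomain": 1}          # constructed: instance 1 already taken
    got = assign_instance(db, "TPMUserDomain0", wanted["instance"])
    print("requested", wanted["instance"], "assigned", got, "db", db)
```

Because instance 1 is already held by another domain in the sample, the new domain is given instance 2; rerunning the assignment for the same domain name returns 2 again, matching the document's statement that associations are kept by domain name.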

Running the TPM:
----------------

To run the vTPM, the device /dev/vtpm must be available.
Verify that 'ls -l /dev/vtpm' shows the following output:

crw-------  1 root root 10, 225 Aug 11 06:58 /dev/vtpm

If it is not available, run the following command as 'root':

mknod /dev/vtpm c 10 225

Make sure that the vTPM is running in domain 0. To do this run the
following:

modprobe tpmbk

/usr/bin/vtpm_managerd

Start a user domain using the 'xm create' command. Once you are in the
shell of the user domain, you should be able to do the following as
user 'root':

Insert the TPM frontend into the kernel if it has been compiled as a
kernel module.

> modprobe tpm_xenu

Check the status of the TPM:

> cd /sys/devices/xen/vtpm-0
> ls
[...]  cancel  caps   pcrs    pubek   [...]
> cat pcrs
PCR-00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-02: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-07: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[...]

At this point the user domain has been successfully connected to its
virtual TPM instance.
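The 'cat pcrs' output above shows a freshly created instance: every register is all zeros, which means nothing has been extended into it yet. Reading the file by eye does not scale once measurements are present, so here is an added example (not part of the Xen tree) that parses the 'PCR-NN: xx xx ...' format shown above, checks that each register is a 20-byte SHA-1 sized value, and reports whether the instance is still pristine. It also implements the TPM 1.2 extend rule, new = SHA-1(old || measurement), so that the value a register should hold after a known sequence of measurements can be recomputed and compared with what the sysfs file reports. The 24-register sample and the measurement are constructed for the demonstration.

```python
"""Parse the 'pcrs' file from /sys/devices/xen/vtpm-0 and sanity-check it.

Added example, not Xen code. Handles the line format shown in the
document ("PCR-00: 00 00 ... 00"), skips the "[...]" elision marker
used in the document's listing, and provides the TPM 1.2 extend
operation for recomputing expected register values.
"""
import hashlib
import re

PCR_BYTES = 20          # TPM 1.2 PCRs are 160-bit SHA-1 values
PCR_COUNT = 24          # a TPM 1.2 has 24 PCRs
_PCR_RE = re.compile(r"^PCR-(\d{2}):((?:\s[0-9A-Fa-f]{2})+)\s*$")


def parse_pcrs(text):
    """Map PCR index -> bytes. Raises ValueError on a malformed register."""
    pcrs = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("[...]"):
            continue
        m = _PCR_RE.match(line)
        if not m:
            raise ValueError("unexpected line in pcrs: %r" % line)
        idx = int(m.group(1))
        value = bytes.fromhex(m.group(2).replace(" ", ""))
        if len(value) != PCR_BYTES:
            raise ValueError("PCR-%02d has %d bytes, expected %d"
                             % (idx, len(value), PCR_BYTES))
        pcrs[idx] = value
    return pcrs


def format_pcr(idx, value):
    """Render one register in the same format the sysfs file uses."""
    return "PCR-%02d: %s" % (idx, " ".join("%02X" % b for b in value))


def is_pristine(pcrs):
    """True when every register is all-zero, i.e. nothing has been extended."""
    return all(v == bytes(PCR_BYTES) for v in pcrs.values())


def pcr_extend(current, measurement):
    """TPM 1.2 extend: new PCR value = SHA-1(old value || measurement)."""
    return hashlib.sha1(current + measurement).digest()


def expected_pcr(measurements):
    """Register value after extending the given digests, in order, into
    an initially all-zero PCR."""
    value = bytes(PCR_BYTES)
    for m in measurements:
        value = pcr_extend(value, m)
    return value


# Constructed sample: a pristine instance, as in the document's listing.
SAMPLE_PRISTINE = "".join(format_pcr(i, bytes(PCR_BYTES)) + "\n"
                          for i in range(PCR_COUNT))


def sample_after_measurement(measurement, index=0):
    """Constructed sample in which one register has been extended once."""
    lines = [format_pcr(i, expected_pcr([measurement]) if i == index
                        else bytes(PCR_BYTES)) for i in range(PCR_COUNT)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    fresh = parse_pcrs(SAMPLE_PRISTINE)
    print("registers:", len(fresh), "pristine:", is_pristine(fresh))
    digest = hashlib.sha1(b"constructed measurement").digest()
    used = parse_pcrs(sample_after_measurement(digest))
    print("pristine after extend:", is_pristine(used),
          "PCR-00 matches expectation:", used[0] == expected_pcr([digest]))
```

In practice the parser is fed the real file (`parse_pcrs(open("/sys/devices/xen/vtpm-0/pcrs").read())`); a register that differs from the value recomputed from the expected measurement log is the signal that the measured state of the domain is not what was anticipated.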

For further information please read the documentation in
tools/vtpm_manager/README and tools/vtpm/README

Stefan Berger and Employees of the Intel Corp