1 | // =================================================================== |
---|
2 | // |
---|
3 | // Copyright (c) 2005, Intel Corp. |
---|
4 | // All rights reserved. |
---|
5 | // |
---|
6 | // Redistribution and use in source and binary forms, with or without |
---|
7 | // modification, are permitted provided that the following conditions |
---|
8 | // are met: |
---|
9 | // |
---|
10 | // * Redistributions of source code must retain the above copyright |
---|
11 | // notice, this list of conditions and the following disclaimer. |
---|
12 | // * Redistributions in binary form must reproduce the above |
---|
13 | // copyright notice, this list of conditions and the following |
---|
14 | // disclaimer in the documentation and/or other materials provided |
---|
15 | // with the distribution. |
---|
16 | // * Neither the name of Intel Corporation nor the names of its |
---|
17 | // contributors may be used to endorse or promote products derived |
---|
18 | // from this software without specific prior written permission. |
---|
19 | // |
---|
20 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
---|
21 | // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
---|
22 | // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS |
---|
23 | // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE |
---|
24 | // COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, |
---|
25 | // INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES |
---|
26 | // (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR |
---|
27 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
---|
28 | // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
---|
29 | // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
---|
30 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
---|
31 | // OF THE POSSIBILITY OF SUCH DAMAGE. |
---|
32 | // =================================================================== |
---|
33 | |
---|
34 | Directory Structure |
---|
35 | =================== |
---|
36 | tools/vtpm_manager/crypto -> crypto files |
---|
37 | tools/vtpm_manager/TCS -> TCS implementation |
---|
38 | tools/vtpm_manager/util -> Utility Library. Include disk-io and buffers. |
---|
39 | tools/vtpm_manager/manager -> VTPM Manager |
---|
40 | |
---|
41 | Compile Flags |
---|
42 | =================== |
---|
43 | LOGGING_MODULES -> How extensive logging happens |
---|
44 | see util/log.h for more info |
---|
45 | |
---|
46 | VTPM_MULTI_VM -> Defined: VTPMs run in their own VMs |
---|
47 | Not Defined (default): VTPMs are processes |
---|
48 | |
---|
49 | # Debugging flags that may disappear without notice in the future |
---|
50 | |
---|
51 | DUMMY_BACKEND -> vtpm_manager listens on /tmp/in.fifo and |
---|
52 | /tmp/out.fifo rather than backend |
---|
53 | |
---|
54 | MANUAL_DM_LAUNCH -> Must manually launch & kill VTPMs |
---|
55 | |
---|
56 | WELL_KNOWN_OWNER_AUTH -> Rather than randomly generating the password for the owner, |
---|
57 | use a well known value. This is useful for debugging and for |
---|
58 | poor bios which do not support clearing TPM if OwnerAuth is |
---|
59 | lost. However this has no protection from malicious app |
---|
60 | issuing a TPM_OwnerClear to wipe the TPM |
---|
61 | |
---|
62 | Requirements |
---|
63 | ============ |
---|
64 | - xen-unstable |
---|
65 | - vtpm frontend/backend driver patch |
---|
66 | - OpenSSL Library |
---|
67 | |
---|
68 | Single-VM Flow |
---|
69 | ============================ |
---|
70 | - Launch the VTPM manager (vtpm_managerd) which which begins listening to the BE with one thread |
---|
71 | and listens to a named fifo that is shared by the vtpms to commuincate with the manager. |
---|
72 | - VTPM Manager listens to TPM BE. |
---|
73 | - When xend launches a tpm frontend equipped VM it contacts the manager over the vtpm backend. |
---|
74 | - When the manager receives the open message from the BE, it launches a vtpm |
---|
75 | - Xend allows the VM to continue booting. |
---|
76 | - When a TPM request is issued to the front end, the front end transmits the TPM request to the backend. |
---|
77 | - The manager receives the TPM requests and uses a named fifo to forward the request to the vtpm. |
---|
78 | - The fifo listener begins listening for the reply from vtpm for the request. |
---|
79 | - Vtpm processes request and replies to manager over shared named fifo. |
---|
80 | - If needed, the vtpm may send a request to the vtpm_manager at any time to save it's secrets to disk. |
---|
81 | - Manager receives response from vtpm and passes it back to backend for forwarding to guest. |
---|
82 | |
---|
83 | NOTES: |
---|
84 | * SaveService SHOULD seal it's table before saving it to disk. However, |
---|
85 | the current Xen infrastructure does not provide a mechanism for this to be |
---|
86 | unsealed later. Specifically, the auth and wrapped key must be available ONLY |
---|
87 | to the service, or it's not even worth encrypting |
---|
88 | |
---|
89 | In the future the vtpm manager will be protected by an early boot mechanism |
---|
90 | that will allow for better protection of it's data. |
---|
91 | |
---|
92 | TODO: |
---|
93 | - Timeout on crashed vtpms |
---|
94 | - create lock for shared fifo for talking to vtpms. |
---|