| 1 | // =================================================================== |
|---|
| 2 | // |
|---|
| 3 | // Copyright (c) 2005, Intel Corp. |
|---|
| 4 | // All rights reserved. |
|---|
| 5 | // |
|---|
| 6 | // Redistribution and use in source and binary forms, with or without |
|---|
| 7 | // modification, are permitted provided that the following conditions |
|---|
| 8 | // are met: |
|---|
| 9 | // |
|---|
| 10 | // * Redistributions of source code must retain the above copyright |
|---|
| 11 | // notice, this list of conditions and the following disclaimer. |
|---|
| 12 | // * Redistributions in binary form must reproduce the above |
|---|
| 13 | // copyright notice, this list of conditions and the following |
|---|
| 14 | // disclaimer in the documentation and/or other materials provided |
|---|
| 15 | // with the distribution. |
|---|
| 16 | // * Neither the name of Intel Corporation nor the names of its |
|---|
| 17 | // contributors may be used to endorse or promote products derived |
|---|
| 18 | // from this software without specific prior written permission. |
|---|
| 19 | // |
|---|
| 20 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
|---|
| 21 | // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
|---|
| 22 | // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS |
|---|
| 23 | // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE |
|---|
| 24 | // COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, |
|---|
| 25 | // INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES |
|---|
| 26 | // (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR |
|---|
| 27 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
|---|
| 28 | // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
|---|
| 29 | // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
|---|
| 30 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
|---|
| 31 | // OF THE POSSIBILITY OF SUCH DAMAGE. |
|---|
| 32 | // =================================================================== |
|---|
| 33 | |
|---|
| 34 | Directory Structure |
|---|
| 35 | =================== |
|---|
| 36 | tools/vtpm_manager/crypto -> crypto files |
|---|
| 37 | tools/vtpm_manager/TCS -> TCS implementation |
|---|
| 38 | tools/vtpm_manager/util -> Utility Library. Include disk-io and buffers. |
|---|
| 39 | tools/vtpm_manager/manager -> VTPM Manager |
|---|
| 40 | |
|---|
| 41 | Compile Flags |
|---|
| 42 | =================== |
|---|
| 43 | LOGGING_MODULES -> How extensive logging happens |
|---|
| 44 | see util/log.h for more info |
|---|
| 45 | |
|---|
| 46 | VTPM_MULTI_VM -> Defined: VTPMs run in their own VMs |
|---|
| 47 | Not Defined (default): VTPMs are processes |
|---|
| 48 | |
|---|
| 49 | # Debugging flags that may disappear without notice in the future |
|---|
| 50 | |
|---|
| 51 | DUMMY_BACKEND -> vtpm_manager listens on /tmp/in.fifo and |
|---|
| 52 | /tmp/out.fifo rather than backend |
|---|
| 53 | |
|---|
| 54 | MANUAL_DM_LAUNCH -> Must manually launch & kill VTPMs |
|---|
| 55 | |
|---|
| 56 | WELL_KNOWN_OWNER_AUTH -> Rather than randomly generating the password for the owner, |
|---|
| 57 | use a well known value. This is useful for debugging and for |
|---|
| 58 | poor bios which do not support clearing TPM if OwnerAuth is |
|---|
| 59 | lost. However this has no protection from malicious app |
|---|
| 60 | issuing a TPM_OwnerClear to wipe the TPM |
|---|
| 61 | |
|---|
| 62 | Requirements |
|---|
| 63 | ============ |
|---|
| 64 | - xen-unstable |
|---|
| 65 | - vtpm frontend/backend driver patch |
|---|
| 66 | - OpenSSL Library |
|---|
| 67 | |
|---|
| 68 | Single-VM Flow |
|---|
| 69 | ============================ |
|---|
| 70 | - Launch the VTPM manager (vtpm_managerd) which which begins listening to the BE with one thread |
|---|
| 71 | and listens to a named fifo that is shared by the vtpms to commuincate with the manager. |
|---|
| 72 | - VTPM Manager listens to TPM BE. |
|---|
| 73 | - When xend launches a tpm frontend equipped VM it contacts the manager over the vtpm backend. |
|---|
| 74 | - When the manager receives the open message from the BE, it launches a vtpm |
|---|
| 75 | - Xend allows the VM to continue booting. |
|---|
| 76 | - When a TPM request is issued to the front end, the front end transmits the TPM request to the backend. |
|---|
| 77 | - The manager receives the TPM requests and uses a named fifo to forward the request to the vtpm. |
|---|
| 78 | - The fifo listener begins listening for the reply from vtpm for the request. |
|---|
| 79 | - Vtpm processes request and replies to manager over shared named fifo. |
|---|
| 80 | - If needed, the vtpm may send a request to the vtpm_manager at any time to save it's secrets to disk. |
|---|
| 81 | - Manager receives response from vtpm and passes it back to backend for forwarding to guest. |
|---|
| 82 | |
|---|
| 83 | NOTES: |
|---|
| 84 | * SaveService SHOULD seal it's table before saving it to disk. However, |
|---|
| 85 | the current Xen infrastructure does not provide a mechanism for this to be |
|---|
| 86 | unsealed later. Specifically, the auth and wrapped key must be available ONLY |
|---|
| 87 | to the service, or it's not even worth encrypting |
|---|
| 88 | |
|---|
| 89 | In the future the vtpm manager will be protected by an early boot mechanism |
|---|
| 90 | that will allow for better protection of it's data. |
|---|
| 91 | |
|---|
| 92 | TODO: |
|---|
| 93 | - Timeout on crashed vtpms |
|---|
| 94 | - create lock for shared fifo for talking to vtpms. |
|---|
