1=head1 Authors
2
3=over 4
4
5=item Daniel De Graaf <dgdegra@tycho.nsa.gov>
6
7=item Quan Xu <quan.xu@intel.com>
8
9=back
10
11This document describes the operation and command line interface of
12vtpmmgr-stubdom. See L<xen-vtpm(7)> for details on the vTPM subsystem as a
13whole.
14
15=head1 Overview
16
17The TPM Manager has three primary functions:
18
19=over 4
20
21=item 1. Securely store the encryption keys for vTPMs
22
23=item 2. Provide a single controlled path of access to the physical TPM
24
25=item 3. Provide evidence (via TPM Quotes) of the current configuration
26
27=back
28
29When combined with a platform that provides a trusted method for creating
30domains, the TPM Manager provides assurance that the private keys in a vTPM are
31only available in specific trusted configurations.
32
33The manager accepts commands from the vtpm-stubdom domains via the mini-os TPM
34backend driver. The vTPM manager communicates directly with hardware TPM using
35the mini-os tpm_tis driver.
36
37=head1 Boot Configurations and TPM Groups
38
39The TPM Manager's data is secured by using the physical TPM's seal operation,
40which allows data to be bound to specific PCRs. These PCRs are populated in the
41physical TPM during the boot process, either by the firmware/BIOS or by a
42dynamic launch environment such as TBOOT. In order to provide assurance of the
43system's security, the PCRs used to seal the TPM manager's data must contain
44measurements for domains used to bootstrap the TPM Manager and vTPMs.
45
46Because these measurements are based on hashes, they will change any time that
47any component of the system is upgraded. Since it is not possible to construct a
48list of all possible future good measurements, the job of approving
49configurations is delegated to a third party, referred to here as the system
50approval agent (SAA). The SAA is identified by its public (RSA) signature key,
51which is used to sign lists of valid configurations. A single TPM manager can
52support multiple SAAs via the use of vTPM groups. Each group is associated with
53a single SAA; this allows the creation of a multi-tenant environment where
54tenants may not all choose to trust the same SAA.
55
56Each vTPM is bound to a vTPM group at the time of its creation. Each vTPM group
57has its own AIK in the physical TPM for quotes of the hardware TPM state; when
58used with a conforming Privacy CA, this allows each group on the system to form
59the basis of a distinct identity.
60
61=head1 Initial Provisioning
62
63When the TPM Manager first boots up, it will create a stub vTPM group along with
64entries for any vTPMs that communicate with it. This stub group must be
65provisioned with an SAA and a boot configuration in order to survive a reboot.
66
67When a vTPM is connected to the TPM Manager using a UUID that is not recognized,
68a slot will be created in group 0 for it. In the future, this auto-creation may
69be restricted to specific UUIDs (such as the all-zero UUID) to enforce the use
70of the TPM manager as the generator of the UUID. The first vTPM to be connected
71is given administrative privileges for the TPM Manager, and should be attached
72to dom0 or a control domain in order to send provisioning commands.
73
74Provisioning a vTPM group for the system requires the public key of the SAA and
75privacy CA data used to certify the AIK (see the TPM spec for details). Once the
76group is created, a signed list of boot measurements can be installed. The
77initial group controls the ability to boot the system as a whole, and cannot be
78deleted once provisioned.
79
80=head1 Command Line Arguments
81
82Command line arguments are passed to the domain via the 'extra' parameter in the
83VM config file. Each parameter is separated by white space. For example:
84
85    extra="foo=bar baz"
86
87Valid arguments:
88
89=over 4
90
91=item owner_auth=<AUTHSPEC>
92
93=item srk_auth=<AUTHSPEC>
94
95Set the owner and SRK authdata for the TPM. If not specified, the
96default is 160 zero bits (the well-known auth value). Valid values of
97<AUTHSPEC> are:
98
99=over 4
100
101=item well-known
102
103Use the well known auth (default)
104
105=item hash:<HASH>
106
107Use the given 40-character ASCII hex string
108
109=item text:<STR>
110
111Use sha1 hash of <STR>.
112
113=back
114
115=item tpmdriver=<DRIVER>
116
117Choose the driver used for communication with the hardware TPM. Values
118other than tpm_tis should only be used for testing.
119
120The possible values of <DRIVER> are:
121
122=over 4
123
124=item tpm_tis
125
126Direct communication with a hardware TPM 1.2.  The
127domain must have access to TPM IO memory. (default)
128
129=item tpmfront
130
131Use the Xen tpmfront interface to talk to another
132domain which provides access to the TPM.
133
134=back
135
136=back
137
138The following options only apply to the tpm_tis driver:
139
140=over 4
141
142=item tpmiomem=<ADDR>
143
144The base address of the hardware memory pages of the TPM.
145The default is 0xfed40000, as defined by the TCG's PC Client spec.
146
147=item tpmirq=<IRQ>
148
149The irq of the hardware TPM if using interrupts. A value of
150"probe" can be set to probe for the irq. A value of 0 disables
151interrupts and uses polling (default 0).
152
153=item tpmlocality=<LOC>
154
155Attempt to use locality <LOC> of the hardware TPM.
156For full functionality of the TPM Manager, this should be set to "2".
157
158=back
159
160=head1 Platform Security Assumptions
161
162While the TPM Manager has the ability to check the hash of the vTPM requesting a
163key, there is currently no trusted method to inform the TPM Manager of the hash
164of each new domain.  Because of this, the TPM Manager trusts the UUID key in
165Xenstore to identify a vTPM in a trusted manner.  The XSM policy may be used to
166strengthen this assumption if the creation of vTPM-labeled domains is more
167constrained (for example, only permitted to a domain builder service): the only
168grants mapped by the TPM Manager should belong to vTPM domains, so restricting
169the ability to map other domain's granted pages will prevent other domains from
170directly requesting keys from the TPM Manager.  The TPM Manager uses the hash of
171the XSM label of the attached vTPM as the kernel hash, so vTPMs with distinct
172labels may be further partitioned using vTPM groups.
173
174A domain with direct access to the hardware TPM will be able to decrypt the TPM
175Manager's disk image if the haredware TPM's PCR values are in a permitted
176configuration.  To protect the TPM Manager's data, the list of permitted
177configurations should be chosen to include PCRs that measure the hypervisor,
178domain 0, the TPM Manager, and other critical configuration such as the XSM
179policy.  If the TPM Manager is configured to use locality 2 as recommended, it
180is safe to permit the hardware domain to access locality 0 (the default in
181Linux), although concurrent use of the TPM should be avoided as it can result in
182unexpected busy errors from the TPM driver.  The ability to access locality 2 of
183the TPM should be enforced using IO memory labeling in the XSM policy; the
184physical address 0xFED42xxx is always locality 2 for TPMs using the TIS driver.
185
186=head1 Appendix: unsecured migration process for vtpmmgr domain upgrade
187
188There is no direct upgrade supported from previous versions of the vtpmmgr
189domain due to changes in the on-disk format and the method used to seal data.
190If a vTPM domain supports migration, this feature should be used to migrate the
191vTPM's data; however, the vTPM packaged with Xen does not yet support migration.
192
193If adding migration support to the vTPM is not desired, a simpler migration
194domain usable only for local migration can be constructed. The migration process
195would look like the following:
196
197=over 4
198
199=item 1. Start the old vtpmmgr
200
201=item 2. Start the vTPM migration domain
202
203=item 3. Attach the vTPM migration domain's vtpm/0 device to the old vtpmmgr
204
205=item 4. Migration domain executes vtpmmgr_LoadHashKey on vtpm/0
206
207=item 5. Start the new vtpmmgr, possibly shutting down the old one first
208
209=item 6. Attach the vTPM migration domain's vtpm/1 device to the new vtpmmgr
210
211=item 7. Migration domain executes vtpmmgr_SaveHashKey on vtpm/1
212
213=back
214
215This requires the migration domain to be added to the list of valid vTPM kernel
216hashes. In the current version of the vtpmmgr domain, this is the hash of the
217XSM label, not the kernel.
218
219=head1 Appendix B: vtpmmgr on TPM 2.0
220
221=head2 Manager disk image setup:
222
223The vTPM Manager requires a disk image to store its encrypted data. The image
224does not require a filesystem and can live anywhere on the host disk. The image
225is not large; the Xen 4.5 vtpmmgr is limited to using the first 2MB of the image
226but can support more than 20,000 vTPMs.
227
228    dd if=/dev/zero of=/home/vtpm2/vmgr bs=16M count=1
229
230=head2 Manager config file:
231
232The vTPM Manager domain (vtpmmgr-stubdom) must be started like any other Xen
233virtual machine and requires a config file.  The manager requires a disk image
234for storage and permission to access the hardware memory pages for the TPM. The
235disk must be presented as "hda", and the TPM memory pages are passed using the
236iomem configuration parameter. The TPM TIS uses 5 pages of IO memory (one per
237locality) that start at physical address 0xfed40000. By default, the TPM manager
238uses locality 0 (so only the page at 0xfed40 is needed).
239
240Add:
241
242     extra="tpm2=1"
243
244extra option to launch vtpmmgr-stubdom domain on TPM 2.0, and ignore it on TPM
2451.x. for example:
246
247    kernel="/usr/lib/xen/boot/vtpmmgr-stubdom.gz"
248    memory=128
249    disk=["file:/home/vtpm2/vmgr,hda,w"]
250    name="vtpmmgr"
251    iomem=["fed40,5"]
252    extra="tpm2=1"
253
254
255=head2 Key Hierarchy
256
257    +------------------+
258    |  vTPM's secrets  | ...
259    +------------------+
260            |  ^
261            |  |(Bind / Unbind)
262- - - - -  -v  |- - - - - - - - TPM 2.0
263    +------------------+
264    |        SK        +
265    +------------------+
266            |  ^
267            v  |
268    +------------------+
269    |       SRK        |
270    +------------------+
271            |  ^
272            v  |
273    +------------------+
274    | TPM 2.0 Storage  |
275    |   Primary Seed   |
276    +------------------+
277
278Now the secrets for the vTPMs are only being bound to the presence of thephysical
279TPM 2.0. Since using PCRs to seal the data can be an important security feature
280that users of the vtpmmgr rely on. I will replace TPM2_Bind/TPM2_Unbind with
281TPM2_Seal/TPM2_Unseal to provide as much security as it did for TPM 1.2 in later
282series of patch.
283
284=head2 Design Overview
285
286The architecture of vTPM subsystem on TPM 2.0 is described below:
287
288    +------------------+
289    |    Linux DomU    | ...
290    |       |  ^       |
291    |       v  |       |
292    |   xen-tpmfront   |
293    +------------------+
294            |  ^
295            v  |
296    +------------------+
297    | mini-os/tpmback  |
298    |       |  ^       |
299    |       v  |       |
300    |  vtpm-stubdom    | ...
301    |       |  ^       |
302    |       v  |       |
303    | mini-os/tpmfront |
304    +------------------+
305            |  ^
306            v  |
307    +------------------+
308    | mini-os/tpmback  |
309    |       |  ^       |
310    |       v  |       |
311    | vtpmmgr-stubdom  |
312    |       |  ^       |
313    |       v  |       |
314    | mini-os/tpm2_tis |
315    +------------------+
316            |  ^
317            v  |
318    +------------------+
319    | Hardware TPM 2.0 |
320    +------------------+
321
322=over 4
323
324=item Linux DomU
325
326The Linux based guest that wants to use a vTPM. There many be
327more than one of these.
328
329=item xen-tpmfront.ko
330
331Linux kernel virtual TPM frontend driver. This driver
332provides vTPM access to a para-virtualized Linux based DomU.
333
334=item mini-os/tpmback
335
336Mini-os TPM backend driver. The Linux frontend driver
337connects to this backend driver to facilitate
338communications between the Linux DomU and its vTPM. This
339driver is also used by vtpmmgr-stubdom to communicate with
340vtpm-stubdom.
341
342=item vtpm-stubdom
343
344A mini-os stub domain that implements a vTPM. There is a
345one to one mapping between running vtpm-stubdom instances and
346logical vtpms on the system. The vTPM Platform Configuration
347Registers (PCRs) are all initialized to zero.
348
349=item mini-os/tpmfront
350
351Mini-os TPM frontend driver. The vTPM mini-os domain
352vtpm-stubdom uses this driver to communicate with
353vtpmmgr-stubdom. This driver could also be used separately to
354implement a mini-os domain that wishes to use a vTPM of
355its own.
356
357=item vtpmmgr-stubdom
358
359A mini-os domain that implements the vTPM manager.
360There is only one vTPM manager and it should be running during
361the entire lifetime of the machine.  This domain regulates
362access to the physical TPM on the system and secures the
363persistent state of each vTPM.
364
365=item mini-os/tpm2_tis
366
367Mini-os TPM version 2.0 TPM Interface Specification (TIS)
368driver. This driver used by vtpmmgr-stubdom to talk directly
369to the hardware TPM 2.0. Communication is facilitated by mapping
370hardware memory pages into vtpmmgr-stubdom.
371
372=item Hardware TPM 2.0
373
374The physical TPM 2.0 that is soldered onto the motherboard.
375
376=back
377
378Noted:
379    functionality for a virtual guest operating system (a DomU) is still TPM 1.2.
380