1=head1 NAME 2 3xen-vtpmgr - Xen virtual TPM stubdomain 4 5=head1 Authors 6 7=over 4 8 9=item Daniel De Graaf <dgdegra@tycho.nsa.gov> 10 11=item Quan Xu <quan.xu@intel.com> 12 13=back 14 15This document describes the operation and command line interface of 16vtpmmgr-stubdom. See L<xen-vtpm(7)> for details on the vTPM subsystem as a 17whole. 18 19=head1 Overview 20 21The TPM Manager has three primary functions: 22 23=over 4 24 25=item 1. Securely store the encryption keys for vTPMs 26 27=item 2. Provide a single controlled path of access to the physical TPM 28 29=item 3. Provide evidence (via TPM Quotes) of the current configuration 30 31=back 32 33When combined with a platform that provides a trusted method for creating 34domains, the TPM Manager provides assurance that the private keys in a vTPM are 35only available in specific trusted configurations. 36 37The manager accepts commands from the vtpm-stubdom domains via the mini-os TPM 38backend driver. The vTPM manager communicates directly with hardware TPM using 39the mini-os tpm_tis driver. 40 41=head1 Boot Configurations and TPM Groups 42 43The TPM Manager's data is secured by using the physical TPM's seal operation, 44which allows data to be bound to specific PCRs. These PCRs are populated in the 45physical TPM during the boot process, either by the firmware/BIOS or by a 46dynamic launch environment such as TBOOT. In order to provide assurance of the 47system's security, the PCRs used to seal the TPM manager's data must contain 48measurements for domains used to bootstrap the TPM Manager and vTPMs. 49 50Because these measurements are based on hashes, they will change any time that 51any component of the system is upgraded. Since it is not possible to construct a 52list of all possible future good measurements, the job of approving 53configurations is delegated to a third party, referred to here as the system 54approval agent (SAA). The SAA is identified by its public (RSA) signature key, 55which is used to sign lists of valid configurations. A single TPM manager can 56support multiple SAAs via the use of vTPM groups. Each group is associated with 57a single SAA; this allows the creation of a multi-tenant environment where 58tenants may not all choose to trust the same SAA. 59 60Each vTPM is bound to a vTPM group at the time of its creation. Each vTPM group 61has its own AIK in the physical TPM for quotes of the hardware TPM state; when 62used with a conforming Privacy CA, this allows each group on the system to form 63the basis of a distinct identity. 64 65=head1 Initial Provisioning 66 67When the TPM Manager first boots up, it will create a stub vTPM group along with 68entries for any vTPMs that communicate with it. This stub group must be 69provisioned with an SAA and a boot configuration in order to survive a reboot. 70 71When a vTPM is connected to the TPM Manager using a UUID that is not recognized, 72a slot will be created in group 0 for it. In the future, this auto-creation may 73be restricted to specific UUIDs (such as the all-zero UUID) to enforce the use 74of the TPM manager as the generator of the UUID. The first vTPM to be connected 75is given administrative privileges for the TPM Manager, and should be attached 76to dom0 or a control domain in order to send provisioning commands. 77 78Provisioning a vTPM group for the system requires the public key of the SAA and 79privacy CA data used to certify the AIK (see the TPM spec for details). Once the 80group is created, a signed list of boot measurements can be installed. The 81initial group controls the ability to boot the system as a whole, and cannot be 82deleted once provisioned. 83 84=head1 Command Line Arguments 85 86Command line arguments are passed to the domain via the 'extra' parameter in the 87VM config file. Each parameter is separated by white space. For example: 88 89 extra="foo=bar baz" 90 91Valid arguments: 92 93=over 4 94 95=item srk_handle=<HANDLE> 96 97Specify a srk_handle for TPM 2.0. TPM 2.0 uses a key hierarchy, and 98this allow specifying the parent handle for vtpmmgr to create its own 99key under. Using this option bypasses vtpmmgr trying to take ownership 100of the TPM. 101 102=item owner_auth=<AUTHSPEC> 103 104=item srk_auth=<AUTHSPEC> 105 106Set the owner and SRK authdata for the TPM. If not specified, the 107default is 160 zero bits (the well-known auth value). Valid values of 108<AUTHSPEC> are: 109 110=over 4 111 112=item well-known 113 114Use the well known auth (default) 115 116=item hash:<HASH> 117 118Use the given 40-character ASCII hex string 119 120=item text:<STR> 121 122Use sha1 hash of <STR>. 123 124=back 125 126=item tpmdriver=<DRIVER> 127 128Choose the driver used for communication with the hardware TPM. Values 129other than tpm_tis should only be used for testing. 130 131The possible values of <DRIVER> are: 132 133=over 4 134 135=item tpm_tis 136 137Direct communication with a hardware TPM 1.2. The 138domain must have access to TPM IO memory. (default) 139 140=item tpmfront 141 142Use the Xen tpmfront interface to talk to another 143domain which provides access to the TPM. 144 145=back 146 147=back 148 149The following options only apply to the tpm_tis driver: 150 151=over 4 152 153=item tpmiomem=<ADDR> 154 155The base address of the hardware memory pages of the TPM. 156The default is 0xfed40000, as defined by the TCG's PC Client spec. 157 158=item tpmirq=<IRQ> 159 160The irq of the hardware TPM if using interrupts. A value of 161"probe" can be set to probe for the irq. A value of 0 disables 162interrupts and uses polling (default 0). 163 164=item tpmlocality=<LOC> 165 166Attempt to use locality <LOC> of the hardware TPM. 167For full functionality of the TPM Manager, this should be set to "2". 168 169=back 170 171=head1 Platform Security Assumptions 172 173While the TPM Manager has the ability to check the hash of the vTPM requesting a 174key, there is currently no trusted method to inform the TPM Manager of the hash 175of each new domain. Because of this, the TPM Manager trusts the UUID key in 176Xenstore to identify a vTPM in a trusted manner. The XSM policy may be used to 177strengthen this assumption if the creation of vTPM-labeled domains is more 178constrained (for example, only permitted to a domain builder service): the only 179grants mapped by the TPM Manager should belong to vTPM domains, so restricting 180the ability to map other domain's granted pages will prevent other domains from 181directly requesting keys from the TPM Manager. The TPM Manager uses the hash of 182the XSM label of the attached vTPM as the kernel hash, so vTPMs with distinct 183labels may be further partitioned using vTPM groups. 184 185A domain with direct access to the hardware TPM will be able to decrypt the TPM 186Manager's disk image if the haredware TPM's PCR values are in a permitted 187configuration. To protect the TPM Manager's data, the list of permitted 188configurations should be chosen to include PCRs that measure the hypervisor, 189domain 0, the TPM Manager, and other critical configuration such as the XSM 190policy. If the TPM Manager is configured to use locality 2 as recommended, it 191is safe to permit the hardware domain to access locality 0 (the default in 192Linux), although concurrent use of the TPM should be avoided as it can result in 193unexpected busy errors from the TPM driver. The ability to access locality 2 of 194the TPM should be enforced using IO memory labeling in the XSM policy; the 195physical address 0xFED42xxx is always locality 2 for TPMs using the TIS driver. 196 197=head1 Appendix: unsecured migration process for vtpmmgr domain upgrade 198 199There is no direct upgrade supported from previous versions of the vtpmmgr 200domain due to changes in the on-disk format and the method used to seal data. 201If a vTPM domain supports migration, this feature should be used to migrate the 202vTPM's data; however, the vTPM packaged with Xen does not yet support migration. 203 204If adding migration support to the vTPM is not desired, a simpler migration 205domain usable only for local migration can be constructed. The migration process 206would look like the following: 207 208=over 4 209 210=item 1. Start the old vtpmmgr 211 212=item 2. Start the vTPM migration domain 213 214=item 3. Attach the vTPM migration domain's vtpm/0 device to the old vtpmmgr 215 216=item 4. Migration domain executes vtpmmgr_LoadHashKey on vtpm/0 217 218=item 5. Start the new vtpmmgr, possibly shutting down the old one first 219 220=item 6. Attach the vTPM migration domain's vtpm/1 device to the new vtpmmgr 221 222=item 7. Migration domain executes vtpmmgr_SaveHashKey on vtpm/1 223 224=back 225 226This requires the migration domain to be added to the list of valid vTPM kernel 227hashes. In the current version of the vtpmmgr domain, this is the hash of the 228XSM label, not the kernel. 229 230=head1 Appendix B: vtpmmgr on TPM 2.0 231 232=head2 WARNING: Incomplete - cannot persist data 233 234TPM 2.0 support for vTPM manager is incomplete. There is no support for 235persisting an encryption key, so vTPM manager regenerates primary and secondary 236key handles each boot. 237 238Also, the vTPM manger group command implementation hardcodes TPM 1.2 commands. 239This means running manage-vtpmmgr.pl fails when the TPM 2.0 hardware rejects 240the TPM 1.2 commands. vTPM manager with TPM 2.0 cannot create groups and 241therefore cannot persist vTPM contents. 242 243=head2 Manager disk image setup: 244 245The vTPM Manager requires a disk image to store its encrypted data. The image 246does not require a filesystem and can live anywhere on the host disk. The image 247is not large; the Xen 4.5 vtpmmgr is limited to using the first 2MB of the image 248but can support more than 20,000 vTPMs. 249 250 dd if=/dev/zero of=/home/vtpm2/vmgr bs=16M count=1 251 252=head2 Manager config file: 253 254The vTPM Manager domain (vtpmmgr-stubdom) must be started like any other Xen 255virtual machine and requires a config file. The manager requires a disk image 256for storage and permission to access the hardware memory pages for the TPM. The 257disk must be presented as "hda", and the TPM memory pages are passed using the 258iomem configuration parameter. The TPM TIS uses 5 pages of IO memory (one per 259locality) that start at physical address 0xfed40000. By default, the TPM manager 260uses locality 0 (so only the page at 0xfed40 is needed). 261 262Add: 263 264 extra="tpm2=1" 265 266extra option to launch vtpmmgr-stubdom domain on TPM 2.0, and ignore it on TPM 2671.x. for example: 268 269 kernel="/usr/lib/xen/boot/vtpmmgr-stubdom.gz" 270 memory=128 271 disk=["file:/home/vtpm2/vmgr,hda,w"] 272 name="vtpmmgr" 273 iomem=["fed40,5"] 274 extra="tpm2=1" 275 276 277=head2 Key Hierarchy 278 279 +------------------+ 280 | vTPM's secrets | ... 281 +------------------+ 282 | ^ 283 | |(Bind / Unbind) 284- - - - - -v |- - - - - - - - TPM 2.0 285 +------------------+ 286 | SK + 287 +------------------+ 288 | ^ 289 v | 290 +------------------+ 291 | SRK | 292 +------------------+ 293 | ^ 294 v | 295 +------------------+ 296 | TPM 2.0 Storage | 297 | Primary Seed | 298 +------------------+ 299 300Now the secrets for the vTPMs are only being bound to the presence of thephysical 301TPM 2.0. Since using PCRs to seal the data can be an important security feature 302that users of the vtpmmgr rely on. I will replace TPM2_Bind/TPM2_Unbind with 303TPM2_Seal/TPM2_Unseal to provide as much security as it did for TPM 1.2 in later 304series of patch. 305 306=head2 Design Overview 307 308The architecture of vTPM subsystem on TPM 2.0 is described below: 309 310 +------------------+ 311 | Linux DomU | ... 312 | | ^ | 313 | v | | 314 | xen-tpmfront | 315 +------------------+ 316 | ^ 317 v | 318 +------------------+ 319 | mini-os/tpmback | 320 | | ^ | 321 | v | | 322 | vtpm-stubdom | ... 323 | | ^ | 324 | v | | 325 | mini-os/tpmfront | 326 +------------------+ 327 | ^ 328 v | 329 +------------------+ 330 | mini-os/tpmback | 331 | | ^ | 332 | v | | 333 | vtpmmgr-stubdom | 334 | | ^ | 335 | v | | 336 | mini-os/tpm2_tis | 337 +------------------+ 338 | ^ 339 v | 340 +------------------+ 341 | Hardware TPM 2.0 | 342 +------------------+ 343 344=over 4 345 346=item Linux DomU 347 348The Linux based guest that wants to use a vTPM. There many be 349more than one of these. 350 351=item xen-tpmfront.ko 352 353Linux kernel virtual TPM frontend driver. This driver 354provides vTPM access to a para-virtualized Linux based DomU. 355 356=item mini-os/tpmback 357 358Mini-os TPM backend driver. The Linux frontend driver 359connects to this backend driver to facilitate 360communications between the Linux DomU and its vTPM. This 361driver is also used by vtpmmgr-stubdom to communicate with 362vtpm-stubdom. 363 364=item vtpm-stubdom 365 366A mini-os stub domain that implements a vTPM. There is a 367one to one mapping between running vtpm-stubdom instances and 368logical vtpms on the system. The vTPM Platform Configuration 369Registers (PCRs) are all initialized to zero. 370 371=item mini-os/tpmfront 372 373Mini-os TPM frontend driver. The vTPM mini-os domain 374vtpm-stubdom uses this driver to communicate with 375vtpmmgr-stubdom. This driver could also be used separately to 376implement a mini-os domain that wishes to use a vTPM of 377its own. 378 379=item vtpmmgr-stubdom 380 381A mini-os domain that implements the vTPM manager. 382There is only one vTPM manager and it should be running during 383the entire lifetime of the machine. This domain regulates 384access to the physical TPM on the system and secures the 385persistent state of each vTPM. 386 387=item mini-os/tpm2_tis 388 389Mini-os TPM version 2.0 TPM Interface Specification (TIS) 390driver. This driver used by vtpmmgr-stubdom to talk directly 391to the hardware TPM 2.0. Communication is facilitated by mapping 392hardware memory pages into vtpmmgr-stubdom. 393 394=item Hardware TPM 2.0 395 396The physical TPM 2.0 that is soldered onto the motherboard. 397 398=back 399 400Noted: 401 functionality for a virtual guest operating system (a DomU) is still TPM 1.2. 402