Copyright: IBM Corporation (C), Intel Corporation 29 June 2006 Authors: Stefan Berger (IBM), Employees of Intel Corp This document gives a short introduction to the virtual TPM support in XEN and goes as far as connecting a user domain to a virtual TPM instance and doing a short test to verify success. It is assumed that the user is fairly familiar with compiling and installing XEN and Linux on a machine. Production Prerequisites: An x86-based machine machine with a Linux-supported TPM on the motherboard (NSC, Atmel, Infineon, TPM V1.2). Development Prerequisites: An emulator for TESTING ONLY is provided Compiling the XEN tree: ----------------------- Compile the XEN tree as usual after the following lines set in the linux-2.6.??-xen/.config file: CONFIG_XEN_TPMDEV_BACKEND=m CONFIG_TCG_TPM=m CONFIG_TCG_TIS=m (supported after 2.6.17-rc4) CONFIG_TCG_NSC=m CONFIG_TCG_ATMEL=m CONFIG_TCG_INFINEON=m CONFIG_TCG_XEN=m If the frontend driver needs to be compiled into the user domain kernel, then the following two lines should be changed. CONFIG_TCG_TPM=y CONFIG_TCG_XEN=y You must also enable the virtual TPM to be built: In Config.mk in the Xen root directory set the line VTPM_TOOLS ?= y and in tools/vtpm/Rules.mk set the line BUILD_EMULATOR = y Now build the Xen sources from Xen's root directory: make install Also build the initial RAM disk if necessary. Reboot the machine with the created Xen kernel. Note: If you do not want any TPM-related code compiled into your kernel or built as module then comment all the above lines like this example: # CONFIG_TCG_TPM is not set Modifying VM Configuration files: --------------------------------- VM configuration files need to be adapted to make a TPM instance available to a user domain. The following VM configuration file is an example of how a user domain can be configured to have a TPM available. It works similar to making a network interface available to a domain. kernel = "/boot/vmlinuz-2.6.x" ramdisk = "/xen/initrd_domU/U1_ramdisk.img" memory = 32 name = "TPMUserDomain0" vtpm = ['instance=1,backend=0'] root = "/dev/ram0 console=tty ro" vif = ['backend=0'] In the above configuration file the line 'vtpm = ...' provides information about the domain where the virtual TPM is running and where the TPM backend has been compiled into - this has to be domain 0 at the moment - and which TPM instance the user domain is supposed to talk to. Note that each running VM must use a different instance and that using instance 0 is NOT allowed. The instance parameter is taken as the desired instance number, but the actual instance number that is assigned to the virtual machine can be different. This is the case if for example that particular instance is already used by another virtual machine. The association of which TPM instance number is used by which virtual machine is kept in the file /var/vtpm/vtpm.db. Associations are maintained by a xend-internal vTPM UUID and vTPM instance number. Note: If you do not want TPM functionality for your user domain simply leave out the 'vtpm' line in the configuration file. Running the TPM: ---------------- To run the vTPM, the device /dev/vtpm must be available. Verify that 'ls -l /dev/vtpm' shows the following output: crw------- 1 root root 10, 225 Aug 11 06:58 /dev/vtpm If it is not available, run the following command as 'root'. mknod /dev/vtpm c 10 225 Make sure that the vTPM is running in domain 0. To do this run the following: modprobe tpmbk /usr/bin/vtpm_managerd Start a user domain using the 'xm create' command. Once you are in the shell of the user domain, you should be able to do the following as user 'root': Insert the TPM frontend into the kernel if it has been compiled as a kernel module. > modprobe tpm_xenu Check the status of the TPM > cd /sys/devices/xen/vtpm-0 > ls [...] cancel caps pcrs pubek [...] > cat pcrs PCR-00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 PCR-01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 PCR-02: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 PCR-03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 PCR-04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 PCR-05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 PCR-06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 PCR-07: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [...] At this point the user domain has been successfully connected to its virtual TPM instance. For further information please read the documentation in tools/vtpm_manager/README and tools/vtpm/README Stefan Berger and Employees of the Intel Corp