This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-devel] Re: [vTPM] Prevent domain with attached vTPM from doing

To: Ewan Mellor <ewan@xxxxxxxxxxxxx>
Subject: Re: [Xen-devel] Re: [vTPM] Prevent domain with attached vTPM from doing local migration
From: Stefan Berger <stefanb@xxxxxxxxxx>
Date: Tue, 5 Sep 2006 09:19:23 -0400
Cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Tue, 05 Sep 2006 06:19:51 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <20060905125049.GF7810@xxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx

xen-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 09/05/2006 08:50:49 AM:

> On Fri, Aug 25, 2006 at 05:33:08PM -0400, Stefan Berger wrote:
> > The attached patch prevents a domain with an attached vTPM from doing
> > local migration since this does not seem to work correctly (see tests in
> > xm test suite). If no vTPM has been attached, the local migration
> > proceeds as usual.
> >
> > Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>
> I've applied this, thanks.  Do you know what it would take to get localhost
> migration working for domains with a vTPM?  Localhost migration is a useful
> test, and it seems a shame to break it in this case.

The vTPM needs to be able to handle the messages that are sent to it via the hotplug scripts either in-order or out-of-order, where in-order means that an equivalent of a 'close' message comes before the 'open' and out-of-order means that the 'open' comes before the 'close'. From what I saw when I wrote and tested the vTPM hotplug scripts, the messages sent from these scripts (kicked off by the xenbus) can come in either one of these orders when doing local migration, probably due to timing. The vTPM also must not tear down its state when the 'close' comes since a) the 'open' might have come before it *and* b) one would have to re-initialize the vTPM. The reason for this is that a TPM keeps internal state, such as keys, that are created or loaded into it and that can normally be removed upon a 'close' *if* that 'close' always means power-off. Here (in Xen) it has to be treated differently, which boils down to ignoring the 'close' since this can also be sent during a suspend. So the trick that I found was to handle things late in the 'open' where I can determine whether a domain was 'created' or 'resumed' (after local migration or suspend/resume) and reset the device if necessary. Well, it's a bit tricky integrating the vTPM.

> Ewan.
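The message-ordering problem Stefan describes above, modelled as an added example that is not part of the original thread and not Xen's vTPM or hotplug-script code: a naive device that treats 'close' as power-off is compared with one that ignores 'close' and decides late in 'open' whether the domain was created or resumed. The message shapes, the 'created'/'resumed' reason string and the key handle names are assumptions made for this model.

```python
"""Model of vTPM hotplug 'open'/'close' handling under reordering.

Added example, not Xen code. Assumed message shapes:
    ("close", "")                     -- frontend/backend closed (also on suspend)
    ("open", "created" | "resumed")   -- reason is assumed to be known at 'open' time
"""
from typing import FrozenSet, List, Tuple, Type

Message = Tuple[str, str]

# Two possible deliveries of the same hotplug events during localhost migration.
IN_ORDER: List[Message] = [("close", ""), ("open", "resumed")]
OUT_OF_ORDER: List[Message] = [("open", "resumed"), ("close", "")]
FRESH_DOMAIN: List[Message] = [("open", "created")]

PRELOADED_KEYS = ("srk", "aik")  # constructed key handles a guest already loaded


class NaiveVTPM:
    """Treats every 'close' as power-off and discards loaded keys at once."""

    def __init__(self) -> None:
        self.keys: set = set()
        self.attached = False

    def load_key(self, handle: str) -> None:
        self.keys.add(handle)

    def handle(self, msg: Message) -> None:
        kind, _reason = msg
        if kind == "close":
            self.keys.clear()        # power-off semantics: state gone
            self.attached = False
        elif kind == "open":
            self.attached = True


class XenVTPM:
    """Ignores 'close' (it may be a suspend, or 'open' may already have come)
    and resets only when 'open' reports a freshly created domain."""

    def __init__(self) -> None:
        self.keys: set = set()
        self.attached = False

    def load_key(self, handle: str) -> None:
        self.keys.add(handle)

    def handle(self, msg: Message) -> None:
        kind, reason = msg
        if kind == "close":
            return                   # deliberately ignored; state is kept
        if kind == "open":
            if reason == "created":
                self.keys.clear()    # new domain: reset the device
            elif reason != "resumed":
                raise ValueError(f"unknown open reason {reason!r}")
            self.attached = True


def run(dev_cls: Type, msgs: List[Message]) -> Tuple[bool, FrozenSet[str]]:
    """Preload keys, deliver msgs, return (attached, surviving key handles)."""
    dev = dev_cls()
    for h in PRELOADED_KEYS:
        dev.load_key(h)
    for m in msgs:
        dev.handle(m)
    return dev.attached, frozenset(dev.keys)


def order_independent(dev_cls: Type) -> bool:
    """True if both delivery orders of a resume leave the device in the same state."""
    return run(dev_cls, IN_ORDER) == run(dev_cls, OUT_OF_ORDER)


if __name__ == "__main__":
    for cls in (NaiveVTPM, XenVTPM):
        print(cls.__name__, "in-order:", run(cls, IN_ORDER),
              "out-of-order:", run(cls, OUT_OF_ORDER),
              "order independent:", order_independent(cls))
    print("XenVTPM fresh domain:", run(XenVTPM, FRESH_DOMAIN))
```

The naive device loses the guest's keys on a resume no matter which order the messages arrive in, and its final attached state depends on the order; the Xen-style device keeps the keys, ends attached in both orders, and still resets a freshly created domain.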