This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


[Xen-devel] RE: Xen talk to TPM

To: <passrete@xxxxxxxxx>
Subject: [Xen-devel] RE: Xen talk to TPM
From: "Fischer, Anna" <anna.fischer@xxxxxx>
Date: Sun, 24 Sep 2006 15:42:27 +0100
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Sun, 24 Sep 2006 07:43:07 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: Acbf56e+i5CSh8dNSHKwlXALC8XX1g==
Thread-topic: [Xen-devel] RE: Xen talk to TPM
Hi Brian,

As Stefan already explained there's no TPM device driver in the
hypervisor because it is designed to be as thin as possible for various
(security) reasons. That's why there's no way right now for the
hypervisor itself to talk to a TPM. Right now the TPM driver resides in
Dom0, but there're approaches to move it to another (lightweight,
secure) domain, so that even Dom0 just has a vTPM. However, this is not
implemented yet. I don't see the point of placing a TPM driver into the
hypervisor. What exactly do you want to achieve with that?


From: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Security
Initiative Team
        Sent: 21 September 2006 22:35
        To: xen-devel@xxxxxxxxxxxxxxxxxxx
        Subject: [Xen-devel] Xen talk to TPM
        As I understand, there are no device drivers in the Xen
        layer (they are in Dom0).
        Is it then possible for Xen to talk to a Trusted Platform Module

I think it works like this at the moment: Dom0 has the ability to use
TPM, and there is a vTPM interface that allows other domains to access
the "virtual TPM". Xen (as in the actual hypervisor) isn't able to
access the TPM itself, nor should it. 
I also think the future holds a "split up" Dom0 so that some of the
functions currently carried out by Dom0 are moved to another "more
secure" domain (Dom-1, DomS0 or whatever you'd like to call it). But
that's not the current situation, and it's probably going to be some
time before this happens. 
If I've got this wrong, I'm sure someone will tell us... ;-)

Xen-devel mailing list

<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-devel] RE: Xen talk to TPM, Fischer, Anna <=