WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xense-devel

Re: [Xense-devel] [Q] about vTPM

To: Martin Hermanowski <lists@xxxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [Xense-devel] [Q] about vTPM
From: Stefan Berger <stefanb@xxxxxxxxxx>
Date: Mon, 3 Jul 2006 09:34:40 -0400
Cc: xense-devel@xxxxxxxxxxxxxxxxxxx
In-reply-to: <44A7CFF2.3010906@xxxxxxxxxxxxxxxxxxxxxxx>
List-id: "A discussion list for those developing security enhancements for Xen." <xense-devel.lists.xensource.com>

xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 07/02/2006 09:53:54 AM:

> Scarlata, Vincent R wrote:
>
> > 3) When the guest comes up, PCRRead indicates that all the PCRs are
> > empty. This has 2 causes. One is that standard linux does not have a TPM
> > measurement facility. If you want your OS measured, you will need to
> > install something like IBM's Integrity Measurement Agent (IMA). Second,
> > we are currently not preloading any of the low PCRs with appropriate
> > boot information. This is mostly because we haven't bottomed out on what
> > they should be, and TCG hasn't declared the correct behavior in the form
> > of a spec. There are legitimate arguments in several different
> > directions, depending on a variety of factors. I would be happy to break
> > out into a discussion about various ways to represent a virtual
> > environment in VTPM, but I would want to take it off the list as it is
> > not a xen discussion.
>
> I understand that extending the PCR concept to support virtualization is
> still in discussion, and thus problematic to implement. While I think
> that the idea expressed in the RC23879 report (Measuring Dom0 to PCR 8
> and marking it read-only in DomU) looks very nice, it might run into
> problems when HVM domains should be supported, which want to use PCR 8
> for their own measurements...
>

The mapping concept requires awareness of the OS trying to use a PCR. A possibility would be to react upon the error message returned from the extend operation and try to use the next available PCR. An OS implementing this would still be using the usual PCR if run directly on hardware. Another possibility would be to support the allocation of the usage of a PCR (shared, exclusive), though the TPM itself might be too low of a level to support this.

 Regards,
    Stefan

> Is there a public list for this discussion?
>
> Thanks a lot for the clarifications!
> Regards,
> Martin
>
> --
> Martin Hermanowski
> http://martin.hermanowski.name
>
> _______________________________________________
> Xense-devel mailing list
> Xense-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xense-devel
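
The first possibility in the reply above (react to the extend error and move to the next available PCR), sketched as an added example; it is not code from the Xen vTPM or from anyone in this thread. The `ModelVtpm` class, the `PcrLocked` error and the measurements are constructed for illustration, since the thread does not say which error the extend operation returns.

```python
import hashlib

PCR_COUNT = 24               # PCR count in the TPM 1.2 PC Client profile
ZERO = bytes(20)             # reset value of a SHA-1 PCR


class PcrLocked(Exception):
    """Hypothetical error a vTPM returns for an extend on a read-only PCR."""


class ModelVtpm:
    """Toy vTPM front end: some PCRs are preloaded and read-only for the guest."""

    def __init__(self, preloaded):
        self.pcrs = [ZERO] * PCR_COUNT
        self.read_only = set(preloaded)
        for index, digest in preloaded.items():
            self.pcrs[index] = self._fold(ZERO, digest)

    @staticmethod
    def _fold(old, digest):
        # TPM 1.2 extend: new PCR value = SHA-1(old value || measurement digest)
        return hashlib.sha1(old + digest).digest()

    def extend(self, index, digest):
        if index in self.read_only:
            raise PcrLocked(index)
        self.pcrs[index] = self._fold(self.pcrs[index], digest)
        return self.pcrs[index]


def extend_with_fallback(tpm, preferred, digest):
    """Try the usual PCR first; on a lock error move to the next index.

    Returns (index_used, new_value). The caller must record index_used in its
    measurement log, or a verifier cannot tell which PCR to replay against.
    """
    for index in range(preferred, PCR_COUNT):
        try:
            return index, tpm.extend(index, digest)
        except PcrLocked:
            continue
    raise PcrLocked(f"no writable PCR at or above {preferred}")


def demo():
    dom0 = hashlib.sha1(b"constructed dom0 measurement").digest()
    guest = hashlib.sha1(b"constructed guest kernel").digest()
    bare_metal = ModelVtpm({})            # nothing reserved: PCR 8 is used
    domu = ModelVtpm({8: dom0})           # PCR 8 holds Dom0, read-only
    return (extend_with_fallback(bare_metal, 8, guest)[0],
            extend_with_fallback(domu, 8, guest)[0],
            domu.pcrs[8] == ModelVtpm._fold(ZERO, dom0))
```

`demo()` shows the same guest code landing in PCR 8 when nothing is reserved and in PCR 9 when PCR 8 is locked, with the preloaded Dom0 value left untouched.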