U.S. patent application number 13/268159 was filed with the patent office on 2012-02-02 for methods and apparatus for creating an isolated partition for a virtual trusted platform module.
Invention is credited to Tasneem Brutch, Alok Kumar, Murari Kumar, Kalpana M. Roge, Vincent R. Scarlata, Faraz A. Siddioi, Ned M. Smith, Willard M.(Monty) Wiseman.
Application Number | 20120030676 13/268159 |
Document ID | / |
Family ID | 40347678 |
Filed Date | 2012-02-02 |
United States Patent
Application |
20120030676 |
Kind Code |
A1 |
Smith; Ned M. ; et
al. |
February 2, 2012 |
Methods And Apparatus For Creating An Isolated Partition For A
Virtual Trusted Platform Module
Abstract
A data processing system isolates a virtual trusted platform
module (vTPM) manager in the processing system from other
management software in the processing system. In one example
process, the processing system launches a virtual machine monitor
(VMM) that includes a memory-mapped input/output (MMIO) trap. The
processing system also launches a vTPM manager in a first virtual
machine (VM). In addition, the processing system launches a second
VM to contain virtual machine management programs other than the
vTPM manager and the MMIO trap. Other embodiments are described and
claimed.
Inventors: |
Smith; Ned M.; (Beaverton,
OR) ; Wiseman; Willard M.(Monty); (Tigard, OR)
; Siddioi; Faraz A.; (Portland, OR) ; Brutch;
Tasneem; (Cornelius, OR) ; Scarlata; Vincent R.;
(Beaverton, OR) ; Kumar; Alok; (Santa Clara,
CA) ; Roge; Kalpana M.; (Cumming, GA) ; Kumar;
Murari; (Santa Clara, CA) |
Family ID: |
40347678 |
Appl. No.: |
13/268159 |
Filed: |
October 7, 2011 |
Related U.S. Patent Documents
|
|
|
|
|
|
Application
Number |
Filing Date |
Patent Number |
|
|
11837378 |
Aug 10, 2007 |
8060876 |
|
|
13268159 |
|
|
|
|
Current U.S.
Class: |
718/1 |
Current CPC
Class: |
G06F 21/57 20130101;
G06F 21/53 20130101 |
Class at
Publication: |
718/1 |
International
Class: |
G06F 9/455 20060101
G06F009/455; G06F 9/46 20060101 G06F009/46 |
Claims
1. A method comprising: launching a service operating system (OS)
in a service virtual machine (VM) in a processing system; launching
a user OS in a guest VM in the processing system; instantiating a
first virtual trusted platform module (vTPM) for use by the service
OS of the service VM; and instantiating a second vTPM for use by
the user OS of the guest VM, wherein the first and second vTPMs are
instantiated by creation of software TPMs (sTPMs) in a partition of
the processing system.
2. The method of claim 1, wherein the partition comprises a VM
including a vTPM manager.
3. The method of claim 2, further comprising providing a TPM driver
and a TPM device model in the partition.
4. The method of claim 3, further comprising providing a second TPM
driver in the guest VM, and configuring the second TPM driver to
point to an address associated with a first one of the sTPMs.
5. The method of claim 4, further comprising configuring the TPM
driver to point to an address associated with a hardware TPM in the
processing system.
6. The method of claim 4, further comprising accessing the second
vTPM through the second TPM driver via a user application.
7. The method of claim 2, further comprising launching a virtual
machine monitor (VMM) in the processing system, the VMM to include
a memory-mapped input/output (MMIO) trap, launching the vTPM
manager in the VM, and launching a second VM to contain virtual
machine management programs other than the vTPM manager and the
MMIO trap.
8. The method of claim 7, further comprising: intercepting, at the
MMIO trap in the VMM, information from the second TPM driver for
the guest OS; and in response to intercepting the information from
the second TPM driver at the MMIO trap, communicating between the
VMM and the vTPM manager.
9. The method of claim 3, further comprising: using the TPM driver
to communicate with a hardware TPM in the processing system; and
using a para-virtualized TPM driver for the service OS to
communicate with the first vTPM.
10. The method of claim 9, further comprising intercepting an
operation of the service OS involving the first vTPM, and using the
vTPM manager to process the operation of the service OS involving
the first vTPM.
11. A processing system comprising: a processor to execute
instructions; a trusted platform module (TPM); and a non-transitory
storage including instructions which, when executed by the
processor, cause the processing system to performing operations
comprising: launching a service operating system (OS) in a service
virtual machine (VM); launching a user OS in a guest VM;
instantiating a first virtual trusted platform module (vTPM) for
use by the service OS of the service VM; and instantiating a second
vTPM for use by the user OS of the guest VM, wherein the first and
second vTPMs are instantiated by creation of software TPMs (sTPMs)
in a partition of the processing system.
12. The processing system of claim 11, wherein the partition
comprises a VM including a vTPM manager.
13. The processing system of claim 12, wherein the partition
comprises a TPM driver and a TPM device model.
14. The processing system of claim 13, further comprising a second
TPM driver in the guest VM, the second TPM driver to point to an
address associated with a first one of the sTPMs.
15. The processing system of claim 14, wherein the TPM driver is to
point to an address associated with the TPM.
16. An article comprising a machine-accessible storage medium
including instructions that when executed cause a system to: launch
a service operating system (OS) in a service virtual machine (VM);
launch a user OS in a guest VM; instantiate a first virtual trusted
platform module (vTPM) for use by the service OS of the service VM;
and instantiate a second vTPM for use by the user OS of the guest
VM, wherein the first and second vTPMs are instantiated by creation
of software TPMs (sTPMs) in a partition of the system.
17. The article of claim 16, wherein the partition comprises a VM
including a vTPM manager.
18. The article of claim 17, further comprising instructions that
when executed enable the system to provide a TPM driver and a TPM
device model in the partition.
19. The article of claim 18, further comprising instructions that
when executed enable the system to provide a second TPM driver in
the guest VM, and configure the second TPM driver to point to an
address associated with a first one of the sTPMs.
20. The article of claim 19, further comprising instructions that
when executed enable the system to configure the TPM driver to
point to an address associated with a hardware TPM in the system.
Description
[0001] This application is a continuation of U.S. patent
application Ser. No. 11/837,378, filed Aug. 10, 2007, the content
of which is hereby incorporated by reference.
FIELD OF THE INVENTION
[0002] The present disclosure relates generally to the field of
data processing, and more particularly to methods and related
apparatus for creating an isolated partition for a virtual trusted
platform module (vTPM).
BACKGROUND
[0003] A data processing system may include hardware resources,
such as a central processing unit (CPU), random access memory
(RAM), read-only memory (ROM), etc. The processing system may also
include software resources, such as a basic input/output system
(BIOS), a virtual machine monitor (VMM), and one or more operating
systems (OSs). When the computer system is started or reset, it may
load the BIOS, and then the VMM. The VMM may include a root OS, or
it may run on top of a root OS. A root OS may also be referred to
as a host OS. The VMM may create one or more virtual machines
(VMs), and the VMs may boot to different guest OSs or to different
instances of the same guest OS. The VMM may thus allow multiple OSs
and applications to run in independent partitions.
[0004] The CPU in such a data processing system may provide
hardware support (e.g., instructions and data structures) for
virtualization. Additional details about virtualization may be
found in reference manuals such as the following:
[0005] Intel.RTM. Virtualization Technology Specification for the
IA-32 Intel.RTM. Architecture, dated April 2005 (hereinafter "the
VT-x Specification"); and
[0006] IA-32 Intel.RTM. Architecture Software Developer's Manual,
Volume 2B: Instruction Set Reference, N-Z, dated June 2006.
[0007] Other manufacturers may produce processors with different
features for supporting virtualization. A processing system may
also include features referred to as LaGrande Technology (LT), as
developed by Intel Corporation. The LT features may provide for the
protected measurement and launching of a VMM. Additional details
concerning LT are provided in the publication entitled "The Intel
Safer Computing Initiative: Building Blocks for Trusted Computing,"
which is currently available at
http://www.intel.com/intelpress/validation100/secc/SECC.sub.--100Validati-
on.pdf. For purposes of this disclosure, LaGrande Technology may
also be referred to as Intel.RTM. Trusted Execution Technology
(TXT). Additional details concerning Intel.RTM. TXT are provided in
the publication entitled "Intel.RTM. Trusted Execution Technology:
Preliminary Architecture Specification" and dated November 2006
(the "Intel.RTM. TXT Specification"). The Intel.RTM. TXT
Specification is currently available from
http://www.intel.com/technology/security/downloads/315168.htm.
[0008] In addition to RAM and one or more CPUs, a processing system
may include a security coprocessor, such as a trusted platform
module (TPM). A TPM is a hardware component that resides within a
processing system and provides various facilities and services for
enhancing the security of the processing system. For example, a TPM
may be implemented as an integrated circuit (IC) or semiconductor
chip, and it may be used to protect data and to attest to the
runtime configuration of a platform. A TPM may be implemented in
accordance with specifications such as the Trusted Computing Group
(TCG) TPM Specification Version 1.2, dated Oct. 2, 2003
(hereinafter the "TPM specification"), which includes parts such as
Design Principles, Structures of the TPM, and TPM Commands. The TPM
specification is published by the TCG and is available from the
Internet at www.trustedcomputinggroup.org/home.
[0009] In general, a TCG-compliant TPM provides security services
such as attesting to the identity and/or integrity of the platform,
based on characteristics of the platform. For instance, trusted
computing technologies may provide facilities for measuring,
recording, and reporting the software configuration of a platform.
For instance, the measurements may include load-time measurements
of software.
BRIEF DESCRIPTION OF THE DRAWINGS
[0010] Features and advantages of the present invention will become
apparent from the appended claims, the following detailed
description of one or more example embodiments, and the
corresponding figures, in which:
[0011] FIG. 1 is a block diagram depicting a suitable data
processing environment in which certain aspects of an example
embodiment of the present invention may be implemented; and
[0012] FIG. 2 is a flowchart of a process for creating an isolated
partition for a virtual trusted platform module, according to an
example embodiment of the present invention.
DETAILED DESCRIPTION
[0013] As used herein, the terms "processing system" and "data
processing system" are intended to broadly encompass a single
machine, or a system of communicatively coupled machines or devices
operating together. Example processing systems include, without
limitation, distributed computing systems, supercomputers,
high-performance computing systems, computing clusters, mainframe
computers, mini-computers, client-server systems, personal
computers, workstations, servers, portable computers, laptop
computers, tablets, telephones, personal digital assistants (PDAs),
handheld devices, entertainment devices such as audio and/or video
devices, and other platforms or devices for processing or
transmitting information.
[0014] FIG. 1 is a block diagram depicting a suitable data
processing environment 12 in which certain aspects of an example
embodiment of the present invention may be implemented. Data
processing environment 12 includes a processing system 20 that has
various hardware components 82, such as a CPU 22 and various other
components, which may be communicatively coupled via one or more
system buses 24 or other communication pathways or mediums.
[0015] This disclosure uses the term "bus" to refer to shared
communication pathways, as well as point-to-point pathways. CPU 22
may include two or more processing units, such as processing unit
30 and processing unit 32. Alternatively, a processing system may
include a CPU with one processing unit, or multiple processors,
each having at least one processing unit. The processing units may
be implemented as processing cores, as Hyper-Threading (HT)
technology, or as any other suitable technology for executing
multiple threads simultaneously or substantially
simultaneously.
[0016] In the embodiment of FIG. 1, processor 22 is communicatively
coupled to one or more volatile or non-volatile data storage
devices, such as RAM 26, ROM 42, mass storage devices 36 such as
hard drives, and/or other devices or media, such as floppy disks,
optical storage, tapes, flash memory, memory sticks, digital video
disks, etc. For purposes of this disclosure, the terms "read-only
memory" and "ROM" may be used in general to refer to non- volatile
memory devices such as erasable programmable ROM (EPROM),
electrically erasable programmable ROM (EEPROM), flash ROM, flash
memory, etc. Processor 22 may also be communicatively coupled to
additional components, such as a video controller, integrated drive
electronics (IDE) controllers, small computer system interface
(SCSI) controllers, universal serial bus (USB) controllers,
input/output (I/O) ports 28, input devices, output devices such as
a display, etc. A chipset 34 in processing system 20 may serve to
interconnect various hardware components. Chipset 34 may include
one or more bridges and/or hubs, as well as other logic and storage
components. In the example embodiment, processor 22 is
communicatively coupled to a security processor such as TPM 44 via
chipset 34.
[0017] Processing system 20 may be controlled, at least in part, by
input from conventional input devices, such as a keyboard, a mouse,
etc., and/or by directives received from another machine, biometric
feedback, or other input sources or signals. Processing system 20
may utilize one or more connections to one or more remote data
processing systems 90, such as through a network interface
controller (NIC) 40, a modem, or other communication ports or
couplings. Processing systems may be interconnected by way of a
physical and/or logical network 92, such as a local area network
(LAN), a wide area network (WAN), an intranet, the Internet, etc.
Communications involving network 92 may utilize various wired
and/or wireless short range or long range carriers and protocols,
including radio frequency (RF), satellite, microwave, Institute of
Electrical and Electronics Engineers (IEEE) 802.11, 802.16, 802.20,
Bluetooth, optical, infrared, cable, laser, etc. Protocols for
802.11 may also be referred to as wireless fidelity (WiFi)
protocols. Protocols for 802.16 may also be referred to as WiMAX or
wireless metropolitan area network protocols, and information
concerning those protocols is currently available at
grouper.ieee.org/groups/802/16/published.html.
[0018] Some components may be implemented as adapter cards with
interfaces (e.g., a PCI connector) for communicating with a bus. In
some embodiments, one or more devices may be implemented as
embedded controllers, using components such as programmable or
non-programmable logic devices or arrays, application-specific
integrated circuits (ASICs), embedded processors, smart cards, and
the like.
[0019] The invention may be described herein with reference to data
such as instructions, functions, procedures, data structures,
application programs, configuration settings, etc. When the data is
accessed by a machine, the machine may respond by performing tasks,
defining abstract data types or low-level hardware contexts, and/or
performing other operations, as described in greater detail below.
The data may be stored in volatile and/or non-volatile data
storage. For purposes of this disclosure, the term "program" covers
a broad range of software components and constructs, including
applications, drivers, processes, routines, methods, modules, and
subprograms. The term "program" can be used to refer to a complete
compilation unit (i.e., a set of instructions that can be compiled
independently), a collection of compilation units, or a portion of
a compilation unit. Thus, the term "program" may be used to refer
to any collection of instructions which, when executed by a
processing system, perform a desired operation or operations.
[0020] The programs in processing system 20 may be considered
components of a software environment 84. The software environment
84 may include BIOS components, system management mode (SMM)
components, OS components, VMM components, user applications,
etc.
[0021] Processing systems may include embedded information
technology (EIT) that supports system management. For instance, an
EIT platform may support verified boot using Intel.RTM. TXT and
capabilities of a TPM. In addition, a virtual machine (VM) in the
platform may make use of core capabilities of a TPM. Such a VM may
run a user OS such as Microsoft.RTM. Windows Vista.TM., for
example. However, a conventional platform may be unable to share a
hardware TPM among multiple VMs while maintaining security
guarantees of the TPM.
[0022] By contrast, an EIT platform that provides VMs with
virtualized TPMs (vTPMs) may be able to maintain security
guarantees of the vTPMs and the underlying hardware TPM. One
architecture for providing VMs with vTPMs may use a distinct
software TPM (sTPM) to hold the context for the vTPM of each VM. In
the example embodiment, each partition has an sTPM context in which
both temporal and persistent state is managed.
[0023] For instance, in processing system 20, a guest VM or user VM
52 may run a user OS 54, and the platform may use an sTPM 56 to
maintain context for a vTPM for that VM. As used herein, the term
"vTPM" refers to an sTPM for a VM, in conjunction with some or all
of the associated control logic for providing TPM services for that
VM. User OS 54 may include a kernel 55 with a TPM driver 57. User
VM 52 may also include various guest applications 58.
[0024] In the example embodiment, processing system 20 also
includes a host VM or service VM 62 that runs a service OS 64, such
as Linux. Service OS 64 may include an attestation agent, a
certifiable migratable key (CMK) agent, an endorsement key (EK)
credential factory, and other service applications 68. Service OS
64 may include a kernel 65 with a para-virtualized TPM driver 67.
Processing system 20 may use another sTPM 66 to hold the context
for a vTPM for service VM 62. Service VM 62 may provide management
and security services to support remote management of processing
system 20.
[0025] Processing system 20 also includes a management VM 70 with
various management applications 78 to provide device
virtualization. For instance, management applications 78 may handle
security configuration, scheduling configuration, and hardware
configuration for the other VMs. Thus, the applications in
management VM 70 may control which VMs can use NIC 40, which VMs
can use various input/output devices, etc. In the example
embodiment, management VM 70 has special execution privileges, such
as direct access to devices and hardware.
[0026] Processing system 20 also has a separate partition, such as
vTPM VM 80, for providing vTPMs for other VMs, such as user VM 52
and service VM 62. The term "partition" may be used to refer to an
isolated execution environment, a VM, or any similar environment
for maintaining separation between operating environments. In the
example embodiment, vTPM VM 80 includes a vTPM manager 88 with EK
credential support. A TPM driver 87 and a TPM device model 89 may
also reside in vTPM VM 80. In addition, vTPM VM 80 may include the
sTPMs for other VMs, such as sTPM 56 and sTPM 66, as well as a
storage manager for providing storage services. For instance, the
storage manager may save persistent state into nonvolatile storage
(NVS) 35 in chipset 34. In addition, vTPM manager 88 may apply a
cryptographic wrapper to protect the persistent state from
tampering.
[0027] Processing system 20 also has a VMM 100 with a memory-mapped
input/output (MMIO) trap 102. The dashed lines in FIG. 1 illustrate
which components communicate with which other components to
implement vTPMs. For instance, FIG. 1 has dashed lines between TPM
driver 57, MMIO trap 102, TPM device model 89, vTPM manager 88, and
sTPM 56. Those dashed lines illustrate that MMIO trap 102
intercepts communications from the TPM drivers and directs them to
vTPM VM 80, via TPM device model 89, to be handled with the context
from the appropriate sTPM.
[0028] FIG. 2 is a flowchart of an example process for creating an
isolated partition for vTPMs, in the context of the processing
system of FIG. 1. The process may begin after processing system 20
has booted BIOS 43. As shown at blocks 210, 212, 214, 216, and 218,
processing system 20 may then launch VMM 100, management VM 70,
vTPM VM 80, service VM 62, and user VM 52. As depicted in FIG. 1,
processing system 20 loads vTPM manager 88 into vTPM VM 80, loads
other virtual machine management programs into management VM 70,
loads service OS 64 into service VM 62, and loads user OS 54 and
user applications 58 into user VM 52.
[0029] As shown at block 220, vTPM manager 88 may then create sTPM
56 and sTPM 66 for user VM 52 and service VM 62, respectively, to
instantiate vTPMs for user VM 52 and service VM 62. In one
embodiment, TPM driver 57 and TPM driver 87 are the same driver,
but they are configured to point to different devices or addresses.
For instance, TPM driver 57 may point to addresses associated with
sTPM 56, while TPM driver 87 may point to addresses associated with
hardware TPM 44. In alternative embodiments, the user VMs may use
different TPM drivers from the vTPM VM.
[0030] VMM 100 and vTPM VM 80 may then cooperate to provide vTPM
services for user VM 52 and service VM 62. For example, user
applications 58 may access the vTPM for user VM 52 through TPM
driver 57. As shown at blocks 240 and 242 (and as described above
with regard to the dashed lines in FIG. 1), MMIO trap 102 may
intercept communications from TPM driver 57 and direct them to vTPM
VM 80, via TPM device model 89. The requested vTPM operation may
then be handled by vTPM manager 88 with the context from sTPM 56.
If necessary, when processing the requested vTPM operation for user
OS 54, vTPM manager 88 may access hardware TPM 44, via TPM driver
87. When service OS 64 executes vTPM operations, processing system
20 may use these same kind of processing steps to process those
operations, but instead using sTPM 66.
[0031] Service OS applications 68 may also access a
fully-virtualized TPM through TPM driver 67. In one embodiment,
service OS 64 is not permitted to have complete control of hardware
TPM 44 under any circumstances, and neither is any other VM, except
for vTPM VM 80. However, to accommodate isolated cases where
service OS 64 may need access to hardware TPM capabilities (e.g.
for attestation), processing system 20 may allow partial access to
hardware TPM 44 from a trusted VM (e.g., service VM 62) by using
para-virtualized TPM driver 67. Thus, service OS 64 may use
para-virtualized TPM driver 67 to communicate with vTPM for service
VM 62, via vTPM manager 88.
[0032] Also, as shown at block 250, management applications 78 may
provide other types of virtualization services, such as providing
for virtualization of NICs, I/O devices, and other devices, other
than the TPM. In one embodiment, management VM 70 contains virtual
machine management programs other than vTPM manager 88 and MMIO
trap 102.
[0033] In addition, as shown at block 252, service OS 64 may
provide services such as authentication of remote entities,
enforcement of security policies, and other functions for
supporting remote management of processing system 20. The process
may then return to block 240, with processing system 20 continuing
to support the various VMs, as appropriate.
[0034] In the example embodiment, the entire vTPM subsystem is
partitioned in a separate vTPM partition (i.e., vTPM VM 80). This
increases the security of the solution, as it separates the control
logic and data for the vTPM implementation from several non-vTPM
related applications, which run in a separate VM (i.e., management
VM 70). In one embodiment, the vTPM partition is a virtual machine
with minimal OS or monolithic code. However, the vTPM partition is
isolated from management VM 70 and from any other VM (e.g., user VM
52 and service VM 62). The isolation of the vTPM implementation
also reduces the available surface of attack on the vTPM itself,
and therefore provides additional security.
[0035] In light of the principles and example embodiments described
and illustrated herein, it will be recognized that the illustrated
embodiments can be modified in arrangement and detail without
departing from such principles. Also, the foregoing discussion has
focused on particular embodiments, but other configurations are
contemplated. In particular, even though expressions such as "in
one embodiment," "in another embodiment," or the like are used
herein, these phrases are meant to generally reference embodiment
possibilities, and are not intended to limit the invention to
particular embodiment configurations. As used herein, these terms
may reference the same or different embodiments that are combinable
into other embodiments.
[0036] Similarly, although example processes have been described
with regard to particular operations performed in a particular
sequence, numerous modifications could be applied to those
processes to derive numerous alternative embodiments of the present
invention. For example, alternative embodiments may include
processes that use fewer than all of the disclosed operations,
processes that use additional operations, processes that use the
same operations in a different sequence, and processes in which the
individual operations disclosed herein are combined, subdivided, or
otherwise altered.
[0037] Alternative embodiments of the invention also include
machine accessible media encoding instructions for performing the
operations of the invention. Such embodiments may also be referred
to as program products. Such machine accessible media may include,
without limitation, storage media such as floppy disks, hard disks,
CD-ROMs, ROM, and RAM; and other detectable arrangements of
particles manufactured or formed by a machine or device.
Instructions may also be used in a distributed environment, and may
be stored locally and/or remotely for access by single or
multi-processor machines.
[0038] It should also be understood that the hardware and software
components depicted herein represent functional elements that are
reasonably self-contained so that each can be designed,
constructed, or updated substantially independently of the others.
In alternative embodiments, many of the components may be
implemented as hardware, software, or combinations of hardware and
software for providing the functionality described and illustrated
herein.
[0039] In view of the wide variety of useful permutations that may
be readily derived from the example embodiments described herein,
this detailed description is intended to be illustrative only, and
should not be taken as limiting the scope of the invention. What is
claimed as the invention, therefore, is all implementations that
come within the scope and spirit of the following claims and all
equivalents to such implementations.
* * * * *
References