This document could be called "How to install Xen with virtual TPM support on Debian GNU/Linux?". In other blog posts I will write about TPM, Virtual TPM (vTPM) and the current vTPM implementation in Xen. But for now I need to set up a computer to play with vTPM, so I have written this document to be sure that I won't forget the steps I performed. I am sure this documentation will be useful to someone.
To properly understand what I am writing about in this document, make sure you have the minimal background in kernel compilation, and in Xen configuration and usage. I advise you to read the whole document before doing anything, to be sure that you understand what you will do.
We will use the development versions of almost all the important pieces of software of this architecture, so we need some version control tools: mercurial (used by the Xen project) and subversion (used by the TPM Emulator project).
To build the kernel and Xen, you need GCC (v3.4 or later), GNU Make and the GNU Binutils.
Xen depends on the following programs (with their development headers): zlib, Python (v2.3 or later), curses, openssl, X11, bridge-utils, iproute and udev.
To build the BIOS to support HVM in Xen you will need dev86 (or bin86 and bcc on Debian).
The TPM Emulator and the vTPM support in Xen depend on the GNU MP Library (GMP).
On Debian, to install everything we need, just type the following command:
# apt-get install gcc make binutils gawk mercurial subversion \
    zlib1g-dev python-dev libncurses5-dev libssl-dev \
    bridge-utils iproute python-xml python-pyopenssl \
    xtightvncviewer libc6-xen libgmp3-dev bin86 bcc
Using vTPM on Xen requires a hardware TPM on the host machine. If you have a hardware TPM, skip this section. If your computer doesn't include one, you can use a software-based TPM emulator, which behaves exactly like a real TPM (but without the Trusted Computing Base, TCB). Because of its nature, a TPM emulator cannot be used for the same purposes as a real one, so use such software only for testing and debugging.
Mario Strasser has written an almost complete Software-based TPM Emulator for Unix. This software package includes a daemon (tpmd) which is the actual TPM emulator and a kernel module to expose the device file /dev/tpm.
The kernel module needs to be compiled for the Dom0 kernel, so you will probably perform the following steps after installing Xen and building the Dom0 kernel.
Get the sources:
# cd /usr/src
# svn checkout http://svn.berlios.de/svnroot/repos/tpm-emulator/trunk tpm-emulator
Build and install it:
# cd /usr/src/tpm-emulator
# make
# make install
Load the tpm emulator module (now and at computer startup):
# modprobe tpmd_dev
# echo tpmd_dev >> /etc/modules
On Debian, if you want to automatically start the TPM Emulator at computer startup, create the file /etc/init.d/tpmd with the following script in it:
#!/bin/bash
case "$1" in
    start)
        echo "Starting tpmd:"
        /usr/sbin/tpmd save
        echo "done"
        ;;
    stop)
        echo -n "Stopping tpmd: "
        killall /usr/sbin/tpmd
        echo "done"
        ;;
    status)
        ;;
    reload)
        "${0}" restart
        ;;
    restart|force-reload)
        "${0}" stop
        sleep 1
        "${0}" start
        ;;
    *)
        # do not advertise unreasonable commands that there is no reason
        # to use with this device
        echo $"Usage: $0 {start|stop|status|restart|reload|force-reload}"
        exit 1
esac
exit $?
And then you have to register this script in the rc.d architecture of Debian (it will start just before xend or TrouSerS, and stop just after them):
# chmod +x /etc/init.d/tpmd
# update-rc.d tpmd defaults 19 22
Now you have to start the TPM emulator in "clear" mode to initialise it:
# /usr/sbin/tpmd clear
That's it for the TPM Emulator. When you restart your computer, the TPM emulator will be started in "save" mode, so it will keep its non-volatile memory.
NOTE: Here is a little trick if you want to uninstall the TPM Emulator: type this command to remove all its files:
# rm -rf /var/lib/tpm /var/run/tpm /usr/sbin/tpmd /usr/include/tddl.h \
    /etc/udev/rules.d/80-tpmd_dev.rules /usr/lib/libtddl.so* \
    /lib/modules/*/extra/tpmd_dev.ko
And then on Debian, to remove the rc.d script:
# update-rc.d -f tpmd remove && rm -f /etc/init.d/tpmd
To get the whole source tree of Xen, type the following commands:
# cd /usr/src
# hg clone http://xenbits.xensource.com/xen-unstable.hg xen-unstable
There is not much that you need to do to configure Xen before building it. Edit the file /usr/src/xen-unstable/Config.mk and make sure that you will build the vTPM tools (the vTPM manager and the vTPM instance daemon). The corresponding line in Config.mk should look like this:
VTPM_TOOLS ?= y
You should also disable the Software-based TPM Emulator from the Xen source tree because we will build it later (see the above section "TPM Emulator"). So edit the file tools/vtpm/Rules.mk:
BUILD_EMULATOR = n
If you want to run an HVM with vTPM support, you will need to build ioemu (qemu) and the rombios (to have a TCG-BIOS) with TPM support.
To build the rombios with TPM support you have to change the line 162 of the file tools/firmware/rombios/rombios.c to:
#define BX_TCGBIOS 1 /* main switch for TCG BIOS ext. */
The sources of ioemu are not directly included in the Xen source tree but are downloaded by a script during the build process. So first configure Xen and run make tools in the root directory of the Xen source tree, then enable TPM support in ioemu and run make clean on the ioemu sources, and finally re-run make tools. To enable TPM support in ioemu, just add the following line at the top of the file tools/ioemu-dir/xen-hooks.mak:
CFLAGS += -DHAS_TPM
Also vTPM migration doesn't work out-of-the-box. You have to modify the line 128 of the file tools/vtpm_manager/manager/dmictl.c from the vTPM manager so it will create migratable vTPM instances:
dmi_type = VTPM_TYPE_MIGRATABLE;
If you want the vTPM to store its data permanently (in the file /var/vtpm/vtpm_dm_X.data) after each executed command, you have to define TPM_STRONG_PERSISTENCE in the header file tools/vtpm/vtpm/tpm/tpm_emulator.h (vTPM migration doesn't seem to work without this option defined):
#define TPM_STRONG_PERSISTENCE
It is very easy. You just have to type the following command:
# cd /usr/src/xen-unstable
# make world
# make install
The whole source tree will be cleaned. Then everything will be built and installed. The source tree of Linux 2.6.18 will be automatically downloaded, built and installed too.
If you don't want to clean everything before building Xen (for example if you have done some changes in the source code), you can replace make world by make dist.
Now you can create an initrd image for the newly built kernel (it is recommended on Debian... if you don't want a kernel panic):
# mkinitramfs -o /boot/initrd.img-2.6.18.8-xen 2.6.18.8-xen
On Debian, you can automatically run xend at computer startup by typing these commands:
# update-rc.d xend defaults 20 21
# update-rc.d xendomains defaults 21 20
To boot on Xen, you need to add the following entry into your /boot/grub/menu.lst file:
title Xen unstable / Debian GNU/Linux, kernel 2.6.18.8-xen
root <your disk, e.g. "(hd0,1)">
kernel /boot/xen.gz dom0_mem=512M
module /boot/vmlinuz-2.6.18.8-xen root=/dev/<root-dev, e.g. "sda1"> ro console=tty0
module /boot/initrd.img-2.6.18.8-xen
On Debian, there is a tool that will create this new entry in the /boot/grub/menu.lst file:
# update-grub
That's it, Xen is installed and (almost) ready to use.
NOTE: If you need to edit the kernel configuration using the menuconfig method, type:
# cd /usr/src/xen-unstable
# make linux-2.6-xen-config CONFIGMODE=menuconfig
Then to rebuild and install the kernel:
# make linux-2.6-xen-build
# make linux-2.6-xen-install
And eventually re-run mkinitramfs to generate a new initramfs:
# mkinitramfs -o /boot/initrd.img-2.6.18.8-xen 2.6.18.8-xen
First you need to build and install Xen. We don't need everything in the Xen tree, only the hypervisor and its tools (xend, BIOS, ioemu, the vTPM stuff, ...). Then you will build the Dom0 kernel. Xen is very easy to build and install:
# cd /usr/src/xen-unstable
# make xen tools
# make install-xen install-tools
You can find an experimental mercurial repository with linux 2.6.27 and the Xen patch-set here: http://xenbits.xensource.com/ext/linux-2.6.27-xen.hg. But it doesn't boot on my computer. Remember that this source tree is temporary until full Dom0 support is ready in pv_ops. And it might not work.
Recently, the SuSE guys have written some patches to obtain a working 2.6.26 kernel as Dom0. The Debian developers have re-used these patches to package a Dom0 kernel in Debian Lenny (testing) and in Debian sid (unstable, but that is not really recommended because unstable is a moving target and the Debian guys will probably switch to a new kernel that won't support Dom0 in the future); the package is named linux-image-2.6.26-1-xen-686.
This Debian kernel doesn't include paravirtualized vTPM support, so we have to enable it by rebuilding it with some patches. While I am here, we will also use the IBM IMA (Integrity Measurement Architecture) patch.
The Debian operating system has a specific way to build, create .deb packages, and install the kernel. We are only interested in getting the patched kernel sources to work on the kernel, so we won't use the full Debian chain to build a kernel but only the part to retrieve the sources and apply the Debian patches on them. When we have the sources, we will use the classical method to build and install the kernel.
So to get the source of the kernel and the dependencies to build it, use the following commands:
# cd /usr/src
# apt-get source linux-2.6
# apt-get install build-essential fakeroot
# apt-get build-dep linux-2.6
To extract and prepare the kernel, and apply patches, use these commands:
# cd /usr/src/linux-2.6-2.6.26
# fakeroot debian/rules debian/build debian/stamps
# fakeroot make -f debian/rules.gen setup_i386_xen_686
# cd /usr/src/linux-2.6-2.6.26/debian/build/build_i386_xen_686
Now we have the kernel sources with the Xen patch-set (and the other Debian patches) in the directory /usr/src/linux-2.6-2.6.26/debian/build/build_i386_xen_686, so we can apply the IMA patch. To grab it, go to this web-site and download the patch for the 2.6.26.3 kernel. Then apply it (you will also need to build the TPM drivers as built-in, not as modules):
# patch -p1 -f < ibm_ima_8.4_2.6.26.3.patch
Before we start the compilation of the kernel, we need to configure it. To do this you can use menuconfig or simply use this patch. It will enable the vTPM front-end and back-end and the IMA. So copy the default configuration file and patch it:
# cp ../config.i386_xen_686 .config
# patch < config-2.6.26-xen+ima+vtpm.patch
Now there are several methods to build and install the kernel. I will use the standard method that works on every Linux distribution. To use the Debian method - which creates packages - take a look at NOTE 1 (see below), but this method didn't really work in my case.
# make
# make install modules_install
# mkinitramfs -o /boot/initrd.img-2.6.26-1-xen-686-xen+ima+vtpm 2.6.26-1-xen-686-xen+ima+vtpm
Now that you have installed the kernel, you need to create a new entry in the file /boot/grub/menu.lst, so GRUB will be able to boot it. Here is what you can insert into this file:
title Xen unstable / Debian GNU/Linux, kernel 2.6.26-1-xen-686-xen+ima+vtpm
root <your disk, e.g. "(hd0,1)">
kernel /boot/xen.gz
module /boot/vmlinuz-2.6.26-1-xen-686-xen+ima+vtpm root=/dev/<root-dev, e.g. "sda1"> ro console=tty0 ima=1
module /boot/initrd.img-2.6.26-1-xen-686-xen+ima+vtpm
Or on Debian, the tool update-grub will do it for you.
Reboot into your new kernel and you will be ready to use Xen.
NOTE 1: The real Debian way of building a kernel is to create packages. For more information about it, take a look at this document: http://kernel-handbook.alioth.debian.org/ch-common-tasks.html.
If you want to run a paravirtualized DomU, you need the back-end of the TPM split-driver built for the Dom0 kernel. In the Linux kernel this driver is named tpmbk (the option CONFIG_XEN_TPMDEV_BACKEND in the kernel configuration file). To load the driver if it was built as a module, use the following command:
# modprobe tpmbk
And to autoload it:
# echo tpmbk >> /etc/modules
If you want to run an HVM, you don't need to do anything in particular on the Dom0 kernel.
Now you have to start the vTPM manager daemon and eventually the vTPM migration daemon:
# vtpm_managerd &
# vtpm_migratord &
The Dom0 is now ready to run the virtual machines which will use a vTPM.
NOTE: The real TPM will be used exclusively by vtpm_managerd, so if you have TrouSerS running on the Dom0, you have to disable it.
On a paravirtualized DomU, you need the front-end of the TPM split-driver. In the Linux kernel this driver is named tpm_xenu (the option CONFIG_TCG_XEN in the kernel configuration file, or "Device driver > Character device > TPM Devices > Xen TPM Interface" using menuconfig). To load (and autoload) the driver if it was built as a module, use the following commands:
# modprobe tpm_xenu
# echo tpm_xenu >> /etc/modules
On an HVM, you only need the kernel driver for the TPM device that uses the TPM Interface Specification (TIS). In the Linux kernel this driver is named tpm_tis (the option CONFIG_TCG_TIS in the kernel configuration file). To load (and autoload) the driver if it was built as a module, use the following commands:
# modprobe tpm_tis
# echo tpm_tis >> /etc/modules
Now you just need to add the following line in the configuration file of your domain (virtual machine) to be ready to use the vTPM:
vtpm = [ 'instance=1,backend=0' ]
The parameter backend is used to set the domain id where the vTPM instance is running. Only '0' (for the Dom0) is supported for now. The optional parameter instance reflects the preferred vTPM instance to use. If the instance number is already in use by another domain, a new one will be selected. You can edit the file /var/vtpm/vtpm.db to maintain a list of domain to vTPM instance associations.
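To make the instance/backend rules above concrete, here is an added Python example (not from the original post or from Xen's own tools) that parses a vtpm= line and the vtpm.db association list and works out which instance a domain ends up with. The vtpm.db line format "<domain> <instance>" with '#' comments, and the rule that a domain already listed keeps its recorded instance, are assumptions of this example.

```python
import re

# Constructed sample of /var/vtpm/vtpm.db; the "<domain> <instance>"
# line format with '#' comments is an assumption, not from the page.
SAMPLE_VTPM_DB = """\
# domain name -> vTPM instance
debian-pv 1
debian-hvm 2
"""

VTPM_RE = re.compile(r"^vtpm\s*=\s*\[\s*'([^']*)'\s*\]\s*$")


def parse_vtpm_line(line):
    """Parse "vtpm = [ 'instance=1,backend=0' ]" into {key: value}."""
    m = VTPM_RE.match(line.strip())
    if not m:
        raise ValueError("not a vtpm= line: %r" % line)
    params = dict(kv.strip().partition("=")[::2] for kv in m.group(1).split(","))
    # Only Dom0 may host the vTPM instance for now.
    if params.get("backend", "0") != "0":
        raise ValueError("only backend=0 (Dom0) is supported")
    return params


def load_vtpm_db(text):
    """Return {domain: instance} from vtpm.db text, ignoring comments."""
    db = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, inst = line.split()
            db[name] = int(inst)
    return db


def select_instance(domain, vtpm_line, db_text):
    """Recorded instance if any, else the preferred one if free, else lowest unused."""
    params = parse_vtpm_line(vtpm_line)
    db = load_vtpm_db(db_text)
    if domain in db:
        return db[domain]
    used = set(db.values())
    preferred = int(params["instance"]) if "instance" in params else None
    if preferred is not None and preferred not in used:
        return preferred
    candidate = 1
    while candidate in used:  # skip instances held by other domains
        candidate += 1
    return candidate
```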
The easiest way to communicate with your VMs is through a virtual network. We will use the dummy network driver to create a bridge on the Dom0. Basically the VMs will be connected to a local network that can be accessed through the interface xenbr0 in your Dom0.
On Debian, add the following to /etc/network/interfaces to create and configure the virtual network interface:
allow-hotplug xenbr0
iface xenbr0 inet static
    address 10.0.0.99
    netmask 255.255.255.0
    arp yes
Create a new file /etc/modprobe.d/if-dummy0:
alias dummy0 dummy
options dummy numdummies=1
Edit /etc/xen/xend-config.sxp to use the virtual network interface:
(network-script 'network-bridge bridge=xenbr0 netdev=dummy0')
(vif-script 'vif-bridge bridge=xenbr0')
Add the following to /etc/rc.local to enable the virtual network interface at startup and eventually to allow the VMs to get Internet access:
# Allow forwarding: the VMs get Internet access
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Now you just need to give to your DomU an IP address in the network 10.0.0.0/24 with the gateway address 10.0.0.99.
I've updated the section "Build Xen using a recent Linux kernel as Dom0" after reading this good news: http://blog.xen.org/index.php/2008/12/09/finally-a-xen-kernel-in-debian-lenny/.