Open dylangerdaly opened 5 years ago
It looks like this is a feature Xen already supports, it's called vTPM
https://wiki.xenproject.org/wiki/Virtual_Trusted_Platform_Module_(vTPM)
Any chance we can just enable this?
I don't have any of the vtpm- commands in dom0, not sure if it needs to be compiled with Xen to be enabled, but this allows you to give appVMs (domU) vTPMs, then pass requests to the physical TPM.
I'd be concerned about doing that.
The TPM TSS is usually a rather large TCB, and I wouldn't want that multiplexing of a non-trivial binary protocol happening in dom0 and exposed to untrusted VMs.
If instead you wanted to avoid the emulation/multiplexing and pass the whole TPM through directly, you would:
Neither case seems like a very good idea to me, and seems to somewhat violate Qubes' general design principles.
Fair enough, I didn't think of it that way.
Cheers @jpouellet
So, turns out I was partially wrong.
It is possible to have a reasonably-isolated reasonably-simple per-vm standalone TPM emulator whose storage is backed by something persistent in dom0 (not passed through to the physical TPM directly, but transitively protected by it if dom0 is itself protected by it).
There are efforts being made to this effect in other projects in the Xen ecosystem, and it might be reasonable for Qubes to do so eventually as well.
IMO this could be re-opened and considered in the distant future.
Is it possible to do TPM over qrexec? The people maintaining tpm2-tss have done a really good job of abstracting the software stack, it should be possible to port TPM2.0 (/dev/tpm0) in dom0 as a qrexec service to other appVMs.
tpm2-tss means TPM2 is useful to Linux users now; this includes TPM for SSH authentication, remote attestation, and openssl.
Does anyone know where to look to get started? I think it's possible to 'remote' TPMs over IP, this might be a good starting point.
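An added Python sketch (not Qubes code and not from this thread) of the check a dom0 qrexec TPM service would need before forwarding anything to /dev/tpm0: parse the TPM 2.0 command header and enforce a per-VM command allowlist, which addresses the multiplexing exposure raised earlier. The allowlist, VM names and sample frames are constructed assumptions.

```python
import struct

TPM_ST_NO_SESSIONS = 0x8001
TPM_ST_SESSIONS = 0x8002
HEADER_LEN = 10  # tag(2) + commandSize(4) + commandCode(4), big-endian

# TPM 2.0 command codes (TPM Library spec Part 2 constants).
TPM2_CC_CLEAR = 0x00000126
TPM2_CC_GETRANDOM = 0x0000017B
TPM2_CC_PCR_READ = 0x0000017E

# Constructed per-VM policy (an assumption): each appVM only gets what it needs.
ALLOWED_PER_VM = {"work": {TPM2_CC_GETRANDOM, TPM2_CC_PCR_READ}}

class RejectedCommand(Exception):
    pass

def parse_header(frame: bytes):
    """Return (tag, size, code); raise RejectedCommand if the header is malformed."""
    if len(frame) < HEADER_LEN:
        raise RejectedCommand("short header")
    tag, size, code = struct.unpack(">HII", frame[:HEADER_LEN])
    if tag not in (TPM_ST_NO_SESSIONS, TPM_ST_SESSIONS):
        raise RejectedCommand(f"bad tag 0x{tag:04x}")
    if size != len(frame):  # commandSize must match what was actually sent
        raise RejectedCommand(f"commandSize {size} != frame length {len(frame)}")
    return tag, size, code

def authorize(vm: str, frame: bytes) -> int:
    """Validate the frame for this VM and return its command code if allowed."""
    _, _, code = parse_header(frame)
    if code not in ALLOWED_PER_VM.get(vm, set()):
        raise RejectedCommand(f"vm {vm!r} may not issue command 0x{code:08x}")
    return code

def is_allowed(vm: str, frame: bytes) -> bool:
    try:
        authorize(vm, frame)
        return True
    except RejectedCommand:
        return False

def forward(vm: str, frame: bytes, device: str = "/dev/tpm0") -> bytes:
    """dom0 side: only an authorized frame ever reaches the physical TPM."""
    authorize(vm, frame)
    with open(device, "r+b", buffering=0) as tpm:
        tpm.write(frame)
        return tpm.read(4096)  # response header + body

# Constructed sample frames: TPM2_GetRandom(16 bytes) and a header-only TPM2_Clear.
GETRANDOM_16 = struct.pack(">HIIH", TPM_ST_NO_SESSIONS, 12, TPM2_CC_GETRANDOM, 16)
CLEAR = struct.pack(">HII", TPM_ST_NO_SESSIONS, 10, TPM2_CC_CLEAR)
```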
Qubes OS version:
R4.0
Affected component(s):
TPM / dom0
Steps to reproduce the behavior:
N/A
Expected behavior:
Ability to pass through the TPM to appVMs
Actual behavior:
N/A
General notes:
I'd like to be able to use my TPM for SSH, GPG, HMAC operations etc. Is it possible to pass /dev/tpm0 to an appVM?
Parameter Encryption should solve not trusting the appVM, even dom0?
Related issues: