
Para-Virtualized TPM Sharing

  • Conference paper
  • Trusted Computing - Challenges and Applications (Trust 2008)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 4968)

Abstract

We introduce a technique that allows a hypervisor to safely share a TPM among its guest operating systems. The design allows guests full use of the TPM in legacy-compliant or functionally equivalent form. The design also allows guests to use the authenticated-operation facilities of the TPM (attestation, sealed storage) to authenticate themselves and their hosting environment. Finally, our design and implementation make use of the hardware TPM wherever possible, which means that guests can enjoy the hardware key protection offered by a physical TPM. In addition to superior protection for cryptographic keys, our technique is also much simpler than a full soft-TPM implementation.

An important contribution of this paper is to show that a current TCG TPM 1.2 compliant TPM can be multiplexed easily and safely between multiple guest operating systems. However, the peculiar characteristics of the TPM mean that certain features (in particular those that involve PCRs) cannot be exposed unmodified, but instead need to be exposed in a functionally equivalent para-virtualized form. In such cases we provide an analysis of our reasoning on the right balance between the accuracy of virtualization and the complexity of the resulting implementation.
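The abstract states that PCR-related features cannot be handed to guests unmodified. The following Python simulation is an added illustration of why, and is not code from the paper: it implements the TPM 1.2 PCR extend rule (PCR_new = SHA-1(PCR_old || SHA-1(measurement))), feeds two guests' measurement logs to a single physical PCR under a constructed round-robin schedule, and shows that neither guest's own log then reproduces the PCR value a remote verifier would check. The per-guest software PCR shown beside it is a simple stand-in for the "functionally equivalent para-virtualized form" the abstract mentions; the paper's actual mechanism is not described on this page and is not assumed here.

```python
import hashlib
from itertools import zip_longest

PCR_LEN = 20  # a TPM 1.2 PCR holds one SHA-1 digest


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || SHA-1(measurement))."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def replay(log):
    """What a remote verifier recomputes from one guest's measurement log."""
    pcr = bytes(PCR_LEN)  # PCRs start at all-zero bytes after reset
    for measurement in log:
        pcr = extend(pcr, measurement)
    return pcr


def interleave(*guest_logs):
    """Constructed schedule: extends from the guests reach the hypervisor
    round-robin, which is what happens when guests boot concurrently."""
    per_guest = [[(guest, m) for m in log] for guest, log in guest_logs]
    events = []
    for step in zip_longest(*per_guest):
        events.extend(e for e in step if e is not None)
    return events


def share_physical_pcr(events):
    """Naive sharing: every guest's extend goes straight to the one
    physical PCR, so the guests' measurement chains are mixed together."""
    pcr = bytes(PCR_LEN)
    for _, measurement in events:
        pcr = extend(pcr, measurement)
    return pcr


def share_virtual_pcrs(events):
    """Illustrative para-virtualized sharing (assumption, not the paper's
    design): the hypervisor keeps one software PCR per guest and applies
    each extend only to the issuing guest's register."""
    vpcrs = {}
    for guest, measurement in events:
        vpcrs[guest] = extend(vpcrs.get(guest, bytes(PCR_LEN)), measurement)
    return vpcrs


# Constructed sample measurement logs for two guests.
GUEST_A = [b"bootloader-A", b"kernel-A"]
GUEST_B = [b"bootloader-B", b"kernel-B", b"initrd-B"]


def demo():
    """Compare both sharing strategies against each guest's own replay."""
    events = interleave(("A", GUEST_A), ("B", GUEST_B))
    physical = share_physical_pcr(events)
    virtual = share_virtual_pcrs(events)
    return {
        "physical_matches_A": physical == replay(GUEST_A),
        "physical_matches_B": physical == replay(GUEST_B),
        "virtual_matches_A": virtual["A"] == replay(GUEST_A),
        "virtual_matches_B": virtual["B"] == replay(GUEST_B),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

With the naive strategy the single physical PCR ends up holding a value that depends on both guests' logs and on their scheduling order, so an attestation quote over it cannot be verified against either guest's log alone; with a register per guest each value is exactly the replay of that guest's own log. A real design also has to decide how a per-guest value is bound to the hardware TPM's quoting key, which is the trade-off between virtualization accuracy and implementation complexity the abstract refers to.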



Editor information

Peter Lipp, Ahmad-Reza Sadeghi, Klaus-Michael Koch


Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

Cite this paper

England, P., Loeser, J. (2008). Para-Virtualized TPM Sharing. In: Lipp, P., Sadeghi, AR., Koch, KM. (eds) Trusted Computing - Challenges and Applications. Trust 2008. Lecture Notes in Computer Science, vol 4968. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-68979-9_9


  • DOI: https://doi.org/10.1007/978-3-540-68979-9_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-68978-2

  • Online ISBN: 978-3-540-68979-9

  • eBook Packages: Computer Science, Computer Science (R0)
