[CentOS-virt] TPM

Wed Aug 29 17:19:22 UTC 2018
Alvin Starr <alvin at netvel.net>

On 08/29/2018 12:08 PM, Stephen John Smoogen wrote:

>
>
> On Wed, 29 Aug 2018 at 11:58, Dag Nygren <dag at newtech.fi 
> <mailto:dag at newtech.fi>> wrote:
>
>     On onsdag 29 augusti 2018 kl. 17:39:18 EEST Stephen John Smoogen
>     wrote:
>     > On Wed, 29 Aug 2018 at 10:25, Dag Nygren <dag at newtech.fi
>     <mailto:dag at newtech.fi>> wrote:
>
>     > > Anyone here with an experience in transitioning QEMU -> XEN ?
>
>     >
>     http://www.cse.psu.edu/~pdm12/cse544/slides/cse544-schiffman-vTPM.pdf
>     <http://www.cse.psu.edu/%7Epdm12/cse544/slides/cse544-schiffman-vTPM.pdf>
>     goes
>     > through some of the problems.
>
>     Yes, I had a look at that earlier and it seems XEN has solved most
>     of the problems
>
>
> Well it seemed that the people writing the talk had come up with a way 
> it could be done. That can be it being done in a way that isn't 3/4 
> bailing wire and duct tape or it could be that the have a viable set 
> of tools which can be done cleanly and meet various security uses 
> which require knowing what the hostility of the environment is. AKA it 
> may work if you expect no hostile VMs ever to be installed or it may 
> mean it works in a hostile environment where VM A and VM B are owned 
> by different actors and they are actively spying on each other. Each 
> of those has different requirements and outcomes. AKA in one you can 
> expect that secrets in the vTPM may remain secret while the other they 
> may not. And there may be the case where Dom0 could see any secret in 
> any vTPM so you have to factor in how much you trust that.
This brings up an interesting issue.

AWS and others have a problem in that they have security issues because 
they run VM's for anybody who is willing to pay.
This is not true of internal virtualized servers where the hosting and 
deployment environment are controlled.

I have a client that has about 20 VMs for various purposes and we have 
determined that installing the meltdown security patches would cause a 
decrease in performance for a security increase that is very close to 0.

So in this case do the VM's need to be protected from each other or are 
they all inside a safe controlled network.


>     > You need to be aware of the limitations of
>     > the specific TPM your hardware has, and what you are giving up
>     in the trust
>     > model with any vTPM [aka your virtual machine can't move from
>     its server,
>     > your TPM isn't real and can possibly looked at by other guests,
>     etc etc.]
>
>     Couldn't find anything on the issue of migration of the VM, but I
>     thought
>     that Xen has that one also taken care of? (Exporting and importing
>     keys)
>
>     Am I completely wrong here?
>
>
> I don't really know. From the articles.. it is not a 'simple' 
> operation and you can quite easily get it wrong. Depending on the 
> security arrangements needed further research than a PDF on the 
> Internet is needed with actual questions to the writers or talking 
> with a company that does this full time.

This comes back to the reason for using TPM.

Is this to secure one VM from another or is it being used for something 
like software licensing validation?

One has serious security implications the other is just making it 
possible for someone to run a stupid licensing model on a virtual machine.

-- 
Alvin Starr                   ||   land:  (905)513-7688
Netvel Inc.                   ||   Cell:  (416)806-0133
alvin at netvel.net              ||

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos-virt/attachments/20180829/60e085df/attachment-0004.html>