Copyright (c) 2010-2012 United States Government, as represented by the Secretary of Defense. All rights reserved. November 12 2012 Authors: Matthew Fioravante (JHUAPL), This document describes the operation and command line interface of vtpmmgr-stubdom. See docs/misc/vtpm.txt for details on the vTPM subsystem as a whole. ------------------------------ OPERATION ------------------------------ The vtpmmgr-stubdom implements a vTPM manager who has two major functions: - Securely store encryption keys for each of the vTPMS - Regulate access to the hardware TPM for the entire system The manager accepts commands from the vtpm-stubdom domains via the mini-os TPM backend driver. The vTPM manager communicates directly with hardware TPM using the mini-os tpm_tis driver. When the manager starts for the first time it will check if the TPM has an owner. If the TPM is unowned, it will attempt to take ownership with the supplied owner_auth (see below) and then create a TPM storage key which will be used to secure vTPM key data. Currently the manager only binds vTPM keys to the disk. In the future support for sealing to PCRs should be added. ------------------------------ COMMAND LINE ARGUMENTS ------------------------------ Command line arguments are passed to the domain via the 'extra' parameter in the VM config file. Each parameter is separated by white space. For example: extra="foo=bar baz" List of Arguments: ------------------ owner_auth=: Set the owner auth of the TPM. The default is the well known owner auth of all ones. srk_auth=: Set the SRK auth for the TPM. The default is the well known srk auth of all zeroes. The possible values of are: well-known: Use the well known auth (default) random: Randomly generate an auth hash: : Use the given 40 character ASCII hex string text: : Use sha1 hash of . tpmdriver=: Which driver to use to talk to the hardware TPM. Don't change this unless you know what you're doing. The possible values of are: tpm_tis: Use the tpm_tis driver to talk directly to the TPM. The domain must have access to TPM IO memory. (default) tpmfront: Use tpmfront to talk to the TPM. The domain must have a tpmfront device setup to talk to another domain which provides access to the TPM. The following options only apply to the tpm_tis driver: tpmiomem=: The base address of the hardware memory pages of the TPM (default 0xfed40000). tpmirq=: The irq of the hardware TPM if using interrupts. A value of "probe" can be set to probe for the irq. A value of 0 disabled interrupts and uses polling (default 0). tpmlocality=: Attempt to use locality of the hardware TPM. (default 0)