From: Patrick Williams <patrick@stwcx.xyz>
To: Mine <mine260309@gmail.com>
Cc: vishwa <vishwa@linux.vnet.ibm.com>,
OpenBMC Maillist <openbmc@lists.ozlabs.org>
Subject: Re: RFC: new design of phosphor-time-manager on sdbusplus
Date: Fri, 20 Jan 2017 13:18:26 -0600
Message-ID: <20170120191826.GC5120@heinlein.lan>
In-Reply-To: <CAARXrt=wECQNYUOZvVQ0OT9hnB8-za3b2cHoZENkgAC4LhcugA@mail.gmail.com>
On Thu, Jan 19, 2017 at 05:48:23PM +0800, Mine wrote:
> Btw, is there any specific reason why the time mode/owner is only changed
> when host is off?
Yes, I think you're missing the point of having a split clock at all.
Typically you think of a machine as being "owned" by a single party.
They decide if they want to run NTP on the host or run NTP on the BMC
and they point at an NTP server they trust and all is fine.
There is another case of a machine being "owned" by one party and "used"
(leased) by another party. Typically the owner maintains access to the
BMC and the lessee maintains access to the Host. Neither side necessarily
trusts the other side to keep the time correct, so we have the "split"
mode.
(There are potential security issues with having an incorrect timebase.
A clear example is that your OS will accept expired SSL certificates if
you tell it the wrong year.)
If the machine owner sets the clock to "NTP/SPLIT", they no longer care
what the time of the host is. They point the NTP config at their own
NTP server and time, from a BMC perspective, is "correct". At that
point the machine lessee can:
1. Ask for 3rd party attestation records from the BMC to confirm what
level of code the BMC is running. (TPM support, not implemented
now).
2. Audit the code on GitHub to understand how the modes / models are
implemented and what the system will do as a result.
3. Query the BMC on boot to determine what mode it is currently
operating in.
At this point the lessee:
* Can trust that the machine is running a non-tampered version of
code that behaves like our reference implementation.
* Knows from our reference implementation that the 'host time' is
maintained in a secure manner so that if the "owner's" NTP server
were compromised, the 'host time' is still correct.
If the BMC were allowed to change the mode while the host is running (#3
is no longer accurate), then it is impossible for the host to trust the
time. An attacker could simply change the mode after the host has
queried.
--
Patrick Williams
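As an added illustration of the rule Patrick describes (this is not phosphor-time-manager's code and not part of the original thread), the following C++ model shows a BMC-side setting that refuses mode/owner changes while the host is running, and replays the scenario from the message: the owner configures NTP/SPLIT while the host is off, the host boots and queries the owner, and a change is then attempted while the host runs. The TimeSettings class, the enum names and the enforceHostOff flag are assumptions for the example; the flag exists only to contrast the enforcing BMC with a permissive one.

```cpp
#include <cstdio>

// Added example, not phosphor-time-manager's code. Names are assumed.
enum class TimeMode { NTP, Manual };
enum class TimeOwner { BMC, Host, Split, Both };
enum class HostState { Off, Running };

class TimeSettings {
public:
    // enforceHostOff=true models the behaviour described in the message;
    // false models a permissive BMC that accepts changes at any time.
    explicit TimeSettings(bool enforceHostOff = true) : enforce_(enforceHostOff) {}

    // Both setters leave state unchanged and return false while the host
    // is running, so a value the host read at boot cannot be changed
    // underneath it.
    bool setMode(TimeMode m) {
        if (!canChange()) return false;
        mode_ = m;
        return true;
    }
    bool setOwner(TimeOwner o) {
        if (!canChange()) return false;
        owner_ = o;
        return true;
    }
    // Host power transitions are what gate the setters above.
    void setHostState(HostState s) { host_ = s; }

    TimeMode mode() const { return mode_; }
    TimeOwner owner() const { return owner_; }
    HostState hostState() const { return host_; }

private:
    bool canChange() const { return !enforce_ || host_ == HostState::Off; }
    bool enforce_;
    TimeMode mode_ = TimeMode::Manual;
    TimeOwner owner_ = TimeOwner::BMC;
    HostState host_ = HostState::Off;
};

// Replays the scenario from the message and returns true if the owner the
// host saw at boot is still the owner in effect after a change was attempted
// while the host was running.
bool hostViewAccurateAfterRunningChange(bool enforceHostOff) {
    TimeSettings s(enforceHostOff);             // host starts off
    s.setOwner(TimeOwner::Split);               // accepted: host is off
    s.setMode(TimeMode::NTP);                   // accepted: host is off
    s.setHostState(HostState::Running);         // host boots
    TimeOwner seenAtBoot = s.owner();           // step 3: host queries on boot
    bool changed = s.setOwner(TimeOwner::BMC);  // attempted change while running
    return !changed && s.owner() == seenAtBoot;
}

int main() {
    std::printf("enforcing BMC: host view accurate = %s\n",
                hostViewAccurateAfterRunningChange(true) ? "yes" : "no");
    std::printf("permissive BMC: host view accurate = %s\n",
                hostViewAccurateAfterRunningChange(false) ? "yes" : "no");
    return 0;
}
```

With enforcement on, the attempted change is rejected and the host's boot-time answer stays accurate; with the permissive variant the same sequence silently flips the owner after the host has queried, which is exactly the window the message warns about.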