* vTPM Deep Quote validation @ 2015-03-08 11:41 Emil Condrea 2015-03-09 14:40 ` Daniel De Graaf 2015-03-09 14:51 ` Xu, Quan 0 siblings, 2 replies; 7+ messages in thread From: Emil Condrea @ 2015-03-08 11:41 UTC (permalink / raw) To: xen-devel@lists.xen.org; +Cc: Daniel De Graaf [-- Attachment #1.1: Type: text/plain, Size: 1079 bytes --] I am trying to validate a Deep Quote request made by domU but I feel that something is missing. Right now when a domU requests TPM_ORD_DeepQuote: 1. vTPM: - unpacks the params: nonce, vTPM PCR selection and physical PCR selection - packs PCR_INFO_SHORT structure into buf that contains the selected vTPM PCRs - computes nonce as a SHA1 of: dquot_hdr, nonce, and previous packed buf - packs: nonce, physical PCR selection - receives physical pcr data and signature from manager and returns them to DomU 2. vTPM Manager - unpacks the params: nonce, PCR selection - execute TPM_Quote with: externalData = nonce - returns pcr data and signature to vTPM If domU user wants to validate the signature it has to do the exact process that the vtpm and manager did but the virtual PCR values are not included in response, just physical ones. We can include the vTPM PCRS in response or the manager must perform TPM_Quote using the nonce received from domU in order to be able to have a successful validation on the client side. What do you think? Is there something that I am missing ? [-- Attachment #1.2: Type: text/html, Size: 1465 bytes --] [-- Attachment #2: Type: text/plain, Size: 126 bytes --] _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: vTPM Deep Quote validation 2015-03-08 11:41 vTPM Deep Quote validation Emil Condrea @ 2015-03-09 14:40 ` Daniel De Graaf 2015-03-09 15:58 ` Emil Condrea 2015-03-09 14:51 ` Xu, Quan 1 sibling, 1 reply; 7+ messages in thread From: Daniel De Graaf @ 2015-03-09 14:40 UTC (permalink / raw) To: Emil Condrea, xen-devel@lists.xen.org On 03/08/2015 07:41 AM, Emil Condrea wrote: > I am trying to validate a Deep Quote request made by domU but I feel that > something is missing. Right now when a domU requests TPM_ORD_DeepQuote: > 1. vTPM: > - unpacks the params: nonce, vTPM PCR selection and physical PCR selection > - packs PCR_INFO_SHORT structure into buf that contains the selected vTPM > PCRs > - computes nonce as a SHA1 of: dquot_hdr, nonce, and previous packed buf > - packs: nonce, physical PCR selection > - receives physical pcr data and signature from manager and returns them to > DomU > 2. vTPM Manager > - unpacks the params: nonce, PCR selection > - execute TPM_Quote with: externalData = nonce > - returns pcr data and signature to vTPM > > If domU user wants to validate the signature it has to do the exact process > that the vtpm and manager did but the virtual PCR values are not included > in response, just physical ones. The virtual machine can use TPM_PCRRead to get the value of the vTPM PCRs. This is the same method that is used by the TPM_Quote2 command. > We can include the vTPM PCRS in response or the manager must perform > TPM_Quote using the nonce received from domU in order to be able to have a > successful validation on the client side. If you want a quote without any vTPM PCRs, you can specify an empty PCR mask to get something fairly close to this behavior - the nonce will be combined with an empty deep quote structure instead of passed directly. > What do you think? Is there something that I am missing ? It is useful to be able to ask for the current value of both physical and virtual PCRs in a single atomic operation. Including the value of all PCRs in the response could make the reply packet too large (which is part of the reason why TPM_Quote2 removed them). -- Daniel De Graaf National Security Agency ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: vTPM Deep Quote validation 2015-03-09 14:40 ` Daniel De Graaf @ 2015-03-09 15:58 ` Emil Condrea 2015-03-09 17:26 ` Daniel De Graaf 0 siblings, 1 reply; 7+ messages in thread From: Emil Condrea @ 2015-03-09 15:58 UTC (permalink / raw) To: Daniel De Graaf, xen-devel@lists.xen.org [-- Attachment #1.1: Type: text/plain, Size: 2591 bytes --] On Mon, Mar 9, 2015 at 4:40 PM, Daniel De Graaf <dgdegra@tycho.nsa.gov> wrote: > On 03/08/2015 07:41 AM, Emil Condrea wrote: > >> I am trying to validate a Deep Quote request made by domU but I feel that >> something is missing. Right now when a domU requests TPM_ORD_DeepQuote: >> 1. vTPM: >> - unpacks the params: nonce, vTPM PCR selection and physical PCR selection >> - packs PCR_INFO_SHORT structure into buf that contains the selected vTPM >> PCRs >> - computes nonce as a SHA1 of: dquot_hdr, nonce, and previous packed buf >> - packs: nonce, physical PCR selection >> - receives physical pcr data and signature from manager and returns them >> to >> DomU >> 2. vTPM Manager >> - unpacks the params: nonce, PCR selection >> - execute TPM_Quote with: externalData = nonce >> - returns pcr data and signature to vTPM >> >> If domU user wants to validate the signature it has to do the exact >> process >> that the vtpm and manager did but the virtual PCR values are not included >> in response, just physical ones. >> > > The virtual machine can use TPM_PCRRead to get the value of the vTPM PCRs. > This is the same method that is used by the TPM_Quote2 command. I thought of using TPM_PCRRead from virtual machine but it was not clear for me if it is safe. Is it possible for the selected vTPM PCRs values to be different when performing composite hash on vTPM from the values read with TPM_PCRRead after executing DeepQuote? The TPM has context management for each application? (eg: when one application extends something into a PCR and another application extends other thing in the same PCR(at the same time moment), are they hashed together?) When I read the standard I understood that the PCRs can never be overwritten, just reset and extended. Thanks. > > > We can include the vTPM PCRS in response or the manager must perform >> TPM_Quote using the nonce received from domU in order to be able to have a >> successful validation on the client side. >> > > If you want a quote without any vTPM PCRs, you can specify an empty PCR > mask > to get something fairly close to this behavior - the nonce will be combined > with an empty deep quote structure instead of passed directly. > > What do you think? Is there something that I am missing ? >> > > It is useful to be able to ask for the current value of both physical and > virtual PCRs in a single atomic operation. Including the value of all PCRs > in the response could make the reply packet too large (which is part of the > reason why TPM_Quote2 removed them). > > -- > Daniel De Graaf > National Security Agency > [-- Attachment #1.2: Type: text/html, Size: 3708 bytes --] [-- Attachment #2: Type: text/plain, Size: 126 bytes --] _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: vTPM Deep Quote validation 2015-03-09 15:58 ` Emil Condrea @ 2015-03-09 17:26 ` Daniel De Graaf 2015-03-10 13:21 ` Emil Condrea 0 siblings, 1 reply; 7+ messages in thread From: Daniel De Graaf @ 2015-03-09 17:26 UTC (permalink / raw) To: Emil Condrea, xen-devel@lists.xen.org On 03/09/2015 11:58 AM, Emil Condrea wrote: > On Mon, Mar 9, 2015 at 4:40 PM, Daniel De Graaf <dgdegra@tycho.nsa.gov> > wrote: > >> On 03/08/2015 07:41 AM, Emil Condrea wrote: >> >>> I am trying to validate a Deep Quote request made by domU but I feel that >>> something is missing. Right now when a domU requests TPM_ORD_DeepQuote: >>> 1. vTPM: >>> - unpacks the params: nonce, vTPM PCR selection and physical PCR selection >>> - packs PCR_INFO_SHORT structure into buf that contains the selected vTPM >>> PCRs >>> - computes nonce as a SHA1 of: dquot_hdr, nonce, and previous packed buf >>> - packs: nonce, physical PCR selection >>> - receives physical pcr data and signature from manager and returns them >>> to >>> DomU >>> 2. vTPM Manager >>> - unpacks the params: nonce, PCR selection >>> - execute TPM_Quote with: externalData = nonce >>> - returns pcr data and signature to vTPM >>> >>> If domU user wants to validate the signature it has to do the exact >>> process >>> that the vtpm and manager did but the virtual PCR values are not included >>> in response, just physical ones. >>> >> >> The virtual machine can use TPM_PCRRead to get the value of the vTPM PCRs. >> This is the same method that is used by the TPM_Quote2 command. > > > I thought of using TPM_PCRRead from virtual machine but it was not clear > for me if it is safe. > Is it possible for the selected vTPM PCRs values to be different when > performing > composite hash on vTPM from the values read with TPM_PCRRead after > executing DeepQuote? One way to detect this is by reading the PCRs before and after asking for a quote. If the values match, then the quote used those values; if not, try the quote operation again. In either case, you should have a log or other information on what values have been extended into the PCRs so that a verifier can make sense of them: there is little reason to include the PCRs in a quote if you can't reconstruct them. As an alternative to retrying, you could try to reconstruct the PCRs used in the quote by hashing the various possibilities drawn from the logs. If the number of extend operations between the pre- and post-read operations is reasonable, this could end up being faster than asking for another quote from the (rather slow) hardware TPM. > The TPM has context management for each application? (eg: when one > application extends something > into a PCR and another application extends other thing in the same PCR(at > the same time moment), > are they hashed together?) This depends on the TPM multiplexing daemon (usually trousers in Linux). I believe it just processes the requests in the order it receives them, so without external synchronization they would be in an arbitrary order. I am unsure if this is implemented (and would guess it is currently not), but it would be possible for trousers to queue up several commands (such as PCR reads and quote requests) from a single source and guarantee that they are executed without intervening commands. In order to avoid interactions with IMA, this would need an extension to the Linux TPM character device interface to submit multiple commands for processing without unlocking the TPM device. > When I read the standard I understood that the PCRs can never be > overwritten, > just reset and extended. > > Thanks. > >> >> >> We can include the vTPM PCRS in response or the manager must perform >>> TPM_Quote using the nonce received from domU in order to be able to have a >>> successful validation on the client side. >>> >> >> If you want a quote without any vTPM PCRs, you can specify an empty PCR >> mask >> to get something fairly close to this behavior - the nonce will be combined >> with an empty deep quote structure instead of passed directly. >> >> What do you think? Is there something that I am missing ? >>> >> >> It is useful to be able to ask for the current value of both physical and >> virtual PCRs in a single atomic operation. Including the value of all PCRs >> in the response could make the reply packet too large (which is part of the >> reason why TPM_Quote2 removed them). >> >> -- >> Daniel De Graaf >> National Security Agency >> > -- Daniel De Graaf National Security Agency ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: vTPM Deep Quote validation 2015-03-09 17:26 ` Daniel De Graaf @ 2015-03-10 13:21 ` Emil Condrea 0 siblings, 0 replies; 7+ messages in thread From: Emil Condrea @ 2015-03-10 13:21 UTC (permalink / raw) To: Daniel De Graaf; +Cc: xen-devel@lists.xen.org [-- Attachment #1.1: Type: text/plain, Size: 4750 bytes --] I think it is fair to read the PCRs before performing Deep Quote and after and to retry if something changed. It is an interesting suggestion to extend the tpm character device driver in order to obtain atomicity. I will think about it. Thanks for clarifying. On Mon, Mar 9, 2015 at 7:26 PM, Daniel De Graaf <dgdegra@tycho.nsa.gov> wrote: > On 03/09/2015 11:58 AM, Emil Condrea wrote: > >> On Mon, Mar 9, 2015 at 4:40 PM, Daniel De Graaf <dgdegra@tycho.nsa.gov> >> wrote: >> >> On 03/08/2015 07:41 AM, Emil Condrea wrote: >>> >>> I am trying to validate a Deep Quote request made by domU but I feel >>>> that >>>> something is missing. Right now when a domU requests TPM_ORD_DeepQuote: >>>> 1. vTPM: >>>> - unpacks the params: nonce, vTPM PCR selection and physical PCR >>>> selection >>>> - packs PCR_INFO_SHORT structure into buf that contains the selected >>>> vTPM >>>> PCRs >>>> - computes nonce as a SHA1 of: dquot_hdr, nonce, and previous packed buf >>>> - packs: nonce, physical PCR selection >>>> - receives physical pcr data and signature from manager and returns them >>>> to >>>> DomU >>>> 2. vTPM Manager >>>> - unpacks the params: nonce, PCR selection >>>> - execute TPM_Quote with: externalData = nonce >>>> - returns pcr data and signature to vTPM >>>> >>>> If domU user wants to validate the signature it has to do the exact >>>> process >>>> that the vtpm and manager did but the virtual PCR values are not >>>> included >>>> in response, just physical ones. >>>> >>>> >>> The virtual machine can use TPM_PCRRead to get the value of the vTPM >>> PCRs. >>> This is the same method that is used by the TPM_Quote2 command. >>> >> >> >> I thought of using TPM_PCRRead from virtual machine but it was not clear >> for me if it is safe. >> Is it possible for the selected vTPM PCRs values to be different when >> performing >> composite hash on vTPM from the values read with TPM_PCRRead after >> executing DeepQuote? >> > > One way to detect this is by reading the PCRs before and after asking > for a quote. If the values match, then the quote used those values; if > not, try the quote operation again. In either case, you should have a > log or other information on what values have been extended into the PCRs > so that a verifier can make sense of them: there is little reason to > include the PCRs in a quote if you can't reconstruct them. > As an alternative to retrying, you could try to reconstruct the PCRs > used in the quote by hashing the various possibilities drawn from the > logs. If the number of extend operations between the pre- and post-read > operations is reasonable, this could end up being faster than asking for > another quote from the (rather slow) hardware TPM. > > The TPM has context management for each application? (eg: when one >> application extends something >> into a PCR and another application extends other thing in the same PCR(at >> the same time moment), >> are they hashed together?) >> > > This depends on the TPM multiplexing daemon (usually trousers in Linux). > I believe it just processes the requests in the order it receives them, > so without external synchronization they would be in an arbitrary order. > > I am unsure if this is implemented (and would guess it is currently > not), but it would be possible for trousers to queue up several commands > (such as PCR reads and quote requests) from a single source and > guarantee that they are executed without intervening commands. In order > to avoid interactions with IMA, this would need an extension to the > Linux TPM character device interface to submit multiple commands for > processing without unlocking the TPM device. > > > When I read the standard I understood that the PCRs can never be >> overwritten, >> just reset and extended. >> >> Thanks. >> >> >>> >>> We can include the vTPM PCRS in response or the manager must perform >>> >>>> TPM_Quote using the nonce received from domU in order to be able to >>>> have a >>>> successful validation on the client side. >>>> >>>> >>> If you want a quote without any vTPM PCRs, you can specify an empty PCR >>> mask >>> to get something fairly close to this behavior - the nonce will be >>> combined >>> with an empty deep quote structure instead of passed directly. >>> >>> What do you think? Is there something that I am missing ? >>> >>>> >>>> >>> It is useful to be able to ask for the current value of both physical and >>> virtual PCRs in a single atomic operation. Including the value of all >>> PCRs >>> in the response could make the reply packet too large (which is part of >>> the >>> reason why TPM_Quote2 removed them). >>> >>> -- >>> Daniel De Graaf >>> National Security Agency >>> >>> >> > > -- > Daniel De Graaf > National Security Agency > [-- Attachment #1.2: Type: text/html, Size: 6366 bytes --] [-- Attachment #2: Type: text/plain, Size: 126 bytes --] _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: vTPM Deep Quote validation 2015-03-08 11:41 vTPM Deep Quote validation Emil Condrea 2015-03-09 14:40 ` Daniel De Graaf @ 2015-03-09 14:51 ` Xu, Quan 2015-03-09 14:54 ` Emil Condrea 1 sibling, 1 reply; 7+ messages in thread From: Xu, Quan @ 2015-03-09 14:51 UTC (permalink / raw) To: Emil Condrea, xen-devel@lists.xen.org; +Cc: Daniel De Graaf [-- Attachment #1.1: Type: text/plain, Size: 1601 bytes --] For ‘TPM_ORD_DeepQuote’cmd, it looks like a specific TPM 1.2 emulator command, instead of TPM physic cmd. I can’t find it in TPM 1.2 spec. (my TPM Main Part2 TPM Structures is Specification version 1.2/ Level 2 Revision 116 / 1 March 2011) -Quan From: xen-devel-bounces@lists.xen.org [mailto:xen-devel-bounces@lists.xen.org] On Behalf Of Emil Condrea Sent: Sunday, March 08, 2015 7:41 PM To: xen-devel@lists.xen.org Cc: Daniel De Graaf Subject: [Xen-devel] vTPM Deep Quote validation I am trying to validate a Deep Quote request made by domU but I feel that something is missing. Right now when a domU requests TPM_ORD_DeepQuote: 1. vTPM: - unpacks the params: nonce, vTPM PCR selection and physical PCR selection - packs PCR_INFO_SHORT structure into buf that contains the selected vTPM PCRs - computes nonce as a SHA1 of: dquot_hdr, nonce, and previous packed buf - packs: nonce, physical PCR selection - receives physical pcr data and signature from manager and returns them to DomU 2. vTPM Manager - unpacks the params: nonce, PCR selection - execute TPM_Quote with: externalData = nonce - returns pcr data and signature to vTPM If domU user wants to validate the signature it has to do the exact process that the vtpm and manager did but the virtual PCR values are not included in response, just physical ones. We can include the vTPM PCRS in response or the manager must perform TPM_Quote using the nonce received from domU in order to be able to have a successful validation on the client side. What do you think? Is there something that I am missing ? [-- Attachment #1.2: Type: text/html, Size: 6205 bytes --] [-- Attachment #2: Type: text/plain, Size: 126 bytes --] _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: vTPM Deep Quote validation 2015-03-09 14:51 ` Xu, Quan @ 2015-03-09 14:54 ` Emil Condrea 0 siblings, 0 replies; 7+ messages in thread From: Emil Condrea @ 2015-03-09 14:54 UTC (permalink / raw) To: Xu, Quan; +Cc: Daniel De Graaf, xen-devel@lists.xen.org [-- Attachment #1.1: Type: text/plain, Size: 2013 bytes --] TPM_ORD_DeepQuote is a custom command used just with vTPMs so a domU user can get a quote signed with vTPM PCRs and also physical PCRs. It is not included in 1.2 specification. On Mon, Mar 9, 2015 at 4:51 PM, Xu, Quan <quan.xu@intel.com> wrote: > For ‘TPM_ORD_DeepQuote’cmd, it looks like a specific TPM 1.2 emulator > command, instead of TPM physic cmd. I can’t find it in TPM 1.2 spec. > > (my TPM Main Part2 TPM Structures is *Specification version 1.2/ Level 2 > Revision 116 / 1 March 2011*) > > > > > > -Quan > > > > *From:* xen-devel-bounces@lists.xen.org [mailto: > xen-devel-bounces@lists.xen.org] *On Behalf Of *Emil Condrea > *Sent:* Sunday, March 08, 2015 7:41 PM > *To:* xen-devel@lists.xen.org > *Cc:* Daniel De Graaf > *Subject:* [Xen-devel] vTPM Deep Quote validation > > > > I am trying to validate a Deep Quote request made by domU but I feel that > something is missing. Right now when a domU requests TPM_ORD_DeepQuote: > > 1. vTPM: > > - unpacks the params: nonce, vTPM PCR selection and physical PCR selection > > - packs PCR_INFO_SHORT structure into buf that contains the selected vTPM > PCRs > > - computes nonce as a SHA1 of: dquot_hdr, nonce, and previous packed buf > > - packs: nonce, physical PCR selection > > - receives physical pcr data and signature from manager and returns them > to DomU > > 2. vTPM Manager > > - unpacks the params: nonce, PCR selection > > - execute TPM_Quote with: externalData = nonce > > - returns pcr data and signature to vTPM > > > If domU user wants to validate the signature it has to do the exact > process that the vtpm and manager did but the virtual PCR values are not > included in response, just physical ones. > > We can include the vTPM PCRS in response or the manager must perform > TPM_Quote using the nonce received from domU in order to be able to have a > successful validation on the client side. > > What do you think? Is there something that I am missing ? > [-- Attachment #1.2: Type: text/html, Size: 5155 bytes --] [-- Attachment #2: Type: text/plain, Size: 126 bytes --] _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2015-03-10 13:21 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2015-03-08 11:41 vTPM Deep Quote validation Emil Condrea 2015-03-09 14:40 ` Daniel De Graaf 2015-03-09 15:58 ` Emil Condrea 2015-03-09 17:26 ` Daniel De Graaf 2015-03-10 13:21 ` Emil Condrea 2015-03-09 14:51 ` Xu, Quan 2015-03-09 14:54 ` Emil Condrea
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.