Re: [DISCUSSION] svsm: attestation: if and how to authenticate the provided secret

[Nicolai Stange <nstange@suse.de>]

James Bottomley <James.Bottomley@HansenPartnership.com> writes:

> On Tue, 2025-10-14 at 10:45 +0200, Nicolai Stange wrote:
>>
>> as I don't want to hijack Tyler's recent attestation PR, I'd like to
>> continue a discussion started there and best summarized in the
>> comment at [1] here.
>> 
>> The question is whether or not to have the KBS authenticate the
>> secret returned to the SVSM upon a successful attestation.
>> 
>> The current state is that authenticated encryption is being used in
>> the protocol (AES-KW + AES-GCM), but that's only bound to an
>> ephemeral ECDH key, hence doesn't link to any root of trust.
>
> Could we wind back a bit?  This discussion seems to be starting in the
> middle.  Where does the encrypted state actually come from?

Sorry for being unclear -- this is one of the open questions, see below.


> The threat being that if an attacker can supply the TPM state to your
> confidential VM, they know all the TPM parameters, including the
> private keys, and can fake any attestation.   In the non-CVM world, the
> state is usually part of the VM image (encrypted), but this happens
> because the TPM is running outside the VM envelope and suspend or
> shutdown can pull the encrypted state as part of the device state of
> the VM image.  In the CVM world the state is stored inside CVM in the
> SVSM and has to be inaccessible to the guest.  It is possible for the
> SVSM to encrypt the TPM state and pass it to the guest which then saves
> it in the VM image.  In that case, proof of correctness can simply be
> supplying a key capable of decrypting the image.

The current plan is to not involve the guest at all. Instead
- a (small) block device will get attached to the SVSM, via virtio
  currently,
- there will be a filesystem on that block device, which is encrypted +
  authenticated with a (symmetric) "filesystem root key" known only to
  the SVSM and
- that filesystem root key will get revealed by the KBS to the SVSM upon
  successful attestation.

The TPM state will be stored in a file on that filesystem. UEFI data in
another and so on.

For more context, there's a SVSM-PR from myself pending to use the
"CocoonFs" format specifically designed for this purpose, c.f. [1], or
[2] on the format itself. More FS formats may get introduced to the SVSM
in the future in case there's a demand.

Where the filesystem gets formatted and the TPM (, UEFI, ...) state
stored thereon manufactured respectively is subject of the discussion
here, I think. That is, AFAICS it depends on whether and how the
filesystem root key obtained from the KBS can get authenticated.

FTR, I'm trying to make a point for formatting and manufacturing
everything from within the SVSM upon first use, and to bind the received
filesystem root key to an ECDSA key associated with the KBS, via:
- KBS signs its ephemeral ECDH public key with that ECDSA key,
- the shared key from ECDH is used for authenticated encryption of
  the secret, which includes the filesystem root key.

That on its own is quite useless of course (unless the expected KBS
ECDSA key would somehow get embedded into e.g. the IGVM), but the SVSM
could then subsequently present the KBS ECDSA key to relying parties, as
a confirmation that it's using a filesystem root key supplied by that
particular KBS.

Thanks!

Nicolai

[1] https://github.com/coconut-svsm/svsm/pull/806
[2] https://coconut-svsm.github.io/cocoon-tpm/cocoonfs/cocoonfs-format.html

>
> However, in a container (or immutable VM) world, there's no image
> update to save and the TPM state has to be saved somewhere separately
> (and at a location under the control of untrusted entities) so there
> has to be a strong binding between the encrypted TPM state and the CVM
> to prevent a state substitution attack (i.e. the CVM has to validate
> it's pulling the correct TPM state before using it).
>
> Regards,
>
> James
>

-- 
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany
GF: Ivo Totev, Andrew McDonald, Werner Knoblich
(HRB 36809, AG Nürnberg)