Re: [DISCUSSION] svsm: attestation: if and how to authenticate the provided secret

[Nicolai Stange <nstange@suse.de>]

James Bottomley <James.Bottomley@HansenPartnership.com> writes:

> On Tue, 2025-10-14 at 22:56 +0200, Nicolai Stange wrote:
>> James Bottomley <James.Bottomley@HansenPartnership.com> writes:
>> 
>> > On Tue, 2025-10-14 at 10:45 +0200, Nicolai Stange wrote:
>> > > 
>> > > as I don't want to hijack Tyler's recent attestation PR, I'd like
>> > > to continue a discussion started there and best summarized in the
>> > > comment at [1] here.
>> > > 
>> > > The question is whether or not to have the KBS authenticate the
>> > > secret returned to the SVSM upon a successful attestation.
>> > > 
>> > > The current state is that authenticated encryption is being used
>> > > in the protocol (AES-KW + AES-GCM), but that's only bound to an
>> > > ephemeral ECDH key, hence doesn't link to any root of trust.
>> > 
>> > Could we wind back a bit?  This discussion seems to be starting in
>> > the middle.  Where does the encrypted state actually come from?
>> 
>> Sorry for being unclear -- this is one of the open questions, see
>> below.
>> 
>> 
>> > The threat being that if an attacker can supply the TPM state to
>> > your confidential VM, they know all the TPM parameters, including
>> > the private keys, and can fake any attestation.   In the non-CVM
>> > world, the state is usually part of the VM image (encrypted), but
>> > this happens because the TPM is running outside the VM envelope and
>> > suspend or shutdown can pull the encrypted state as part of the
>> > device state of the VM image.  In the CVM world the state is stored
>> > inside CVM in the SVSM and has to be inaccessible to the guest.  It
>> > is possible for the SVSM to encrypt the TPM state and pass it to
>> > the guest which then saves it in the VM image.  In that case, proof
>> > of correctness can simply be supplying a key capable of decrypting
>> > the image.
>> 
>> The current plan is to not involve the guest at all. Instead
>> - a (small) block device will get attached to the SVSM, via virtio
>>   currently,
>> - there will be a filesystem on that block device, which is encrypted
>> + authenticated with a (symmetric) "filesystem root key" known only
>> to the SVSM and
>> - that filesystem root key will get revealed by the KBS to the SVSM
>> upon
>>   successful attestation.
>> 
>> The TPM state will be stored in a file on that filesystem. UEFI data
>> in another and so on.
>
> On this, how does the guest know it's pulled in the correct image?  If
> I were a malicious host, I could encrypt my own TPM image, accept your
> attestation to a KBS I control and release a key that decrypts my
> malicious image.  I think you give the answer below:

Yes, the goal of all this is to render such scenarios impossible.


> [...]
>> FTR, I'm trying to make a point for formatting and manufacturing
>> everything from within the SVSM upon first use, and to bind the
>> received filesystem root key to an ECDSA key associated with the KBS,
>> via:
>> - KBS signs its ephemeral ECDH public key with that ECDSA key,
>> - the shared key from ECDH is used for authenticated encryption of
>>   the secret, which includes the filesystem root key.
>
> So on first boot the CVM binds via public key to the KBS it's given and
> checks this key on subsequent boot time interactions with the KBS?

With the approach I currently have in mind there would be no
differentiation between first and subsequent boots: the SVSM receives a
new KBS ECDSA key for every boot/attestation cycle, memorizes the
current one in RAM only and would leave it to external parties to
implement policy based on that. For example, as outlined in my reply to
Tyler's mail ([1]), one could implement an IAK/IDevId or EK CA that
would issue certificates based on whether the SVSM presents a recognized
and trusted KBS' ECDSA pubkey.


> In which case it's Trust on First Use but it works, provided the KBS
> key can be stored reliably within the image and,

When you're saying "image", do you mean the SVSM persistence/CocoonFs
image containing the TPM state, or the guest's rootfs image? From the
context I suppose you're referring to the latter?

I think in this case Tyler is right when saying that if the LUKS rootfs
image is sealed by the TPM, then a successful unsealing operation would
be proof already that the correct SVSM persistence/CocoonFs image key is
being used. The problem would be how to prove in a generic way that the
expected LUKS rootfs was unlocked successfully.


> I assume, for immutable images the key will be provisioned inside the
> initial image?

For clarity, the SVSM persistence/CocoonFs image is currently assumed to
always be mutable, which is why I'm supposing you're referring to the
guest rootfs image here.

[If nothing else, there are plans to explore the feasability of
 implementing rollback protection on top of CooconFs, simply by sending
 the Merkle tree root HMAC off to a trusted party upon each
 update. Writing something at FS opening time would then guarantee a
 linear TPM state history, i.e. no forks/clones etc, but that requires
 mutability.]

Either way, AFAICS, the only way to enable the SVSM to verify on its own
that it's using the expected persistence/CocoonFs image would be to
embed the expected KBS ECDSA key into the IGVM, but I haven't really
thought this through yet.

Thanks!

Nicolai

[1] https://lore.kernel.org/r/877bwtzrvl.fsf@

-- 
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany
GF: Ivo Totev, Andrew McDonald, Werner Knoblich
(HRB 36809, AG Nürnberg)