From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Alexander Graf <graf@amazon.com>
Cc: "Jörg Rödel" <jroedel@suse.de>,
amd-sev-snp@lists.suse.com, linux-coco@lists.linux.dev,
kvm@vger.kernel.org
Subject: Re: [ANNOUNCEMENT] COCONUT Secure VM Service Module for SEV-SNP
Date: Wed, 22 Mar 2023 10:34:01 +0000 [thread overview]
Message-ID: <ZBrZmbfWXVQLND/E@work-vm> (raw)
In-Reply-To: <444b0d8d-3a8c-8e6d-1df3-35f57046e58e@amazon.com>
* Alexander Graf (graf@amazon.com) wrote:
> Hi Jörg,
>
> On 22.03.23 10:19, Jörg Rödel wrote:
>
> > On Tue, Mar 21, 2023 at 07:53:58PM +0000, Dr. David Alan Gilbert wrote:
> > > OK; the other thing that needs to get nailed down for the vTPM's is the
> > > relationship between the vTPM attestation and the SEV attestation.
> > > i.e. how to prove that the vTPM you're dealing with is from an SNP host.
> > > (Azure have a hack of putting an SNP attestation report into the vTPM
> > > NVRAM; see
> > > https://github.com/Azure/confidential-computing-cvm-guest-attestation/blob/main/cvm-guest-attestation.md
> > > )
> > When using the SVSM TPM protocol it should be proven already that the
> > vTPM is part of the SNP trusted base, no? The TPM communication is
> > implicitly encrypted by the VMs memory key and the SEV attestation
> > report proves that the correct vTPM is executing.
>
>
> What you want to achieve eventually is to take a report from the vTPM and
> submit only that to an external authorization entity that looks at it and
> says "Yup, you ran in SEV-SNP, I trust your TCB, I trust your TPM
> implementation, I also trust your PCR values" and based on that provides
> access to whatever resource you want to access.
>
> To do that, you need to link SEV-SNP and TPM measurements/reports together.
> And the easiest way to do that is by providing the SEV-SNP report as part of
> the TPM: You can then use the hash of the SEV-SNP report as signing key for
> example.
Yeh; I think the SVSM TPM protocol has some proof of that as well; the
SVSM spec lists 'SVSM_ATTEST_SINGLE_SERVICE Manifest Data' that contains
'TPMT_PUBLIC structure of the endorsement key'.
So I *think* that's saying that the SEV attestation report contains
something from the EK of the vTPM.
> I think the key here is that you need to propagate that link to an external
> party, not (only) to the VM.
Yeh.
Dave
>
>
> Alex
>
>
>
>
>
> Amazon Development Center Germany GmbH
> Krausenstr. 38
> 10117 Berlin
> Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
> Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
> Sitz: Berlin
> Ust-ID: DE 289 237 879
>
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
next prev parent reply other threads:[~2023-03-22 10:34 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-21 9:29 [ANNOUNCEMENT] COCONUT Secure VM Service Module for SEV-SNP Jörg Rödel
2023-03-21 11:09 ` James Bottomley
2023-03-21 12:43 ` Jörg Rödel
2023-03-21 13:43 ` James Bottomley
2023-03-21 15:14 ` Jörg Rödel
2023-03-21 17:48 ` Dr. David Alan Gilbert
2023-03-21 18:50 ` Jörg Rödel
2023-03-21 20:05 ` James Bottomley
2023-03-22 1:29 ` Marc Orr
2023-03-22 17:57 ` Daniel P. Berrangé
2023-03-22 9:15 ` Jörg Rödel
2023-03-22 18:07 ` Daniel P. Berrangé
2023-03-22 18:24 ` Dionna Amalie Glaze
2023-03-21 15:06 ` Dr. David Alan Gilbert
2023-03-21 15:25 ` Jörg Rödel
2023-03-21 16:56 ` Dr. David Alan Gilbert
2023-03-21 19:03 ` Jörg Rödel
2023-03-21 19:53 ` Dr. David Alan Gilbert
2023-03-22 9:19 ` Jörg Rödel
2023-03-22 9:43 ` Alexander Graf
2023-03-22 10:34 ` Dr. David Alan Gilbert [this message]
2023-03-22 17:37 ` Dionna Amalie Glaze
2023-03-22 17:47 ` Dr. David Alan Gilbert
2023-03-22 21:53 ` James Bottomley
2023-04-11 19:57 ` Tom Lendacky
2023-04-11 20:01 ` Dionna Amalie Glaze
2023-04-13 16:57 ` James Bottomley
2023-04-14 9:00 ` Jörg Rödel
2023-05-02 23:03 ` Tom Lendacky
2023-05-03 12:26 ` Jörg Rödel
2023-05-03 15:24 ` Dionna Amalie Glaze
2023-05-03 15:43 ` James Bottomley
2023-05-03 16:10 ` Daniel P. Berrangé
2023-05-03 16:51 ` Claudio Carvalho
2023-05-03 17:16 ` Alexander Graf
2023-05-05 15:34 ` Jörg Rödel
2023-05-05 15:47 ` Daniel P. Berrangé
2023-05-04 17:04 ` James Bottomley
2023-05-05 12:35 ` Christophe de Dinechin
2023-05-06 12:48 ` James Bottomley
2023-05-08 5:16 ` Alexander Graf
2023-05-05 15:02 ` Jörg Rödel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZBrZmbfWXVQLND/E@work-vm \
--to=dgilbert@redhat.com \
--cc=amd-sev-snp@lists.suse.com \
--cc=graf@amazon.com \
--cc=jroedel@suse.de \
--cc=kvm@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.