From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Alexander Graf <graf@amazon.com>
Cc: Dorjoy Chowdhury <dorjoychy111@gmail.com>,
	qemu-devel@nongnu.org, agraf@csgraf.de, stefanha@redhat.com,
	pbonzini@redhat.com, slp@redhat.com,
	richard.henderson@linaro.org, eduardo@habkost.net,
	mst@redhat.com, marcel.apfelbaum@gmail.com, philmd@linaro.org
Subject: Re: [PATCH v3 4/5] machine/nitro-enclave: Add built-in Nitro Secure Module device
Date: Mon, 12 Aug 2024 15:00:03 +0100	[thread overview]
Message-ID: <ZroVYxNyZjroUEIT@redhat.com> (raw)
In-Reply-To: <974b7b36-bfd9-40e6-bbe1-d3feb3d46797@amazon.com>

On Mon, Aug 12, 2024 at 03:51:22PM +0200, Alexander Graf wrote:
> 
> On 10.08.24 18:45, Dorjoy Chowdhury wrote:
> > AWS Nitro Enclaves have a built-in Nitro Secure Module (NSM) device which
> > is used for stripped-down TPM functionality like attestation. This commit
> > adds the built-in NSM device to the nitro-enclave machine type.
> > 
> > In Nitro Enclaves, all the PCRs start in a known zero state and the first
> > 16 PCRs are locked from boot and reserved. The PCR0, PCR1, PCR2 and PCR8
> > contain the SHA384 hashes related to the EIF file used to boot the
> > VM for validation.
> > 
> > A new optional nitro-enclave machine option 'id' has been added which will
> > be the enclave identifier reflected in the module-id of the NSM device.
> > Otherwise, the device will have a default id set.
> > 
> > Signed-off-by: Dorjoy Chowdhury <dorjoychy111@gmail.com>
> > ---
> >   hw/core/eif.c                   | 205 +++++++++++++++++++++++++++++++-
> >   hw/core/eif.h                   |   5 +-
> >   hw/core/meson.build             |   4 +-
> >   hw/i386/Kconfig                 |   1 +
> >   hw/i386/nitro_enclave.c         |  85 ++++++++++++-
> >   include/hw/i386/nitro_enclave.h |  19 +++
> >   6 files changed, 310 insertions(+), 9 deletions(-)
> > 
> 
> [...]
> 
> 
> > diff --git a/hw/core/meson.build b/hw/core/meson.build
> > index f32d1ad943..7e7a14ee00 100644
> > --- a/hw/core/meson.build
> > +++ b/hw/core/meson.build
> > @@ -12,6 +12,8 @@ hwcore_ss.add(files(
> >     'qdev-clock.c',
> >   ))
> > 
> > +libcbor = dependency('libcbor', version: '>=0.8.0')
> > +
> >   common_ss.add(files('cpu-common.c'))
> >   common_ss.add(files('machine-smp.c'))
> >   system_ss.add(when: 'CONFIG_FITLOADER', if_true: files('loader-fit.c'))
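Review bot: the `libcbor = dependency('libcbor', version: '>=0.8.0')` line makes libcbor a hard requirement for every configuration, not only ones that select CONFIG_NITRO_ENCLAVE, because meson's dependency() is `required: true` by default and this statement is not gated on anything. Either probe it with `required: false` and enable the nitro-enclave machine only when it is found, or move the check to the top-level meson.build alongside the other optional library probes, so a host without libcbor can still configure QEMU.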
> > @@ -24,7 +26,7 @@ system_ss.add(when: 'CONFIG_REGISTER', if_true: files('register.c'))
> >   system_ss.add(when: 'CONFIG_SPLIT_IRQ', if_true: files('split-irq.c'))
> >   system_ss.add(when: 'CONFIG_XILINX_AXI', if_true: files('stream.c'))
> >   system_ss.add(when: 'CONFIG_PLATFORM_BUS', if_true: files('sysbus-fdt.c'))
> > -system_ss.add(when: 'CONFIG_NITRO_ENCLAVE', if_true: [files('eif.c'), zlib])
> > +system_ss.add(when: 'CONFIG_NITRO_ENCLAVE', if_true: [files('eif.c'), zlib, libcbor, gnutls])
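Review bot: `gnutls` is appended to the dependency list without being declared or checked anywhere in this file, and nothing ties CONFIG_NITRO_ENCLAVE to gnutls actually being available on the build host; that gap is what produces the `gnutls/gnutls.h: No such file or directory` failure quoted below. Add an explicit gnutls check next to the libcbor one (or make the machine depend on the top-level gnutls probe succeeding), and consider routing the eif.c code through qcrypto instead of including gnutls headers directly, which would remove the dependency from this file altogether.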
> 
> 
> I think this is missing a dependency check somewhere:
> 
> ../hw/core/eif.c:16:10: fatal error: gnutls/gnutls.h: No such file or
> directory
>    16 | #include <gnutls/gnutls.h>
>       |          ^~~~~~~~~~~~~~~~~
> 
> It's also the first time anything accesses gnutls directly instead of
> through the QEMU crypto framework. Is there a particular reason you cannot
> use qcrypto?

None of the existing qcrypto APIs provide the functionality needed in
this patch. The right answer though is to introduce a new API in
qcrypto to avoid directly coupling this Nitro code to GNUTLS.


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
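Added example, not part of this thread and not QEMU's or the patch's own code: a verifier-side model in Python of the PCR behaviour the quoted commit message describes for the NSM (every PCR starts in a known zero state, the first 16 are locked from boot, and the boot measurements are SHA-384 digests of EIF content). The TPM-style extend rule PCR[i] = SHA384(PCR[i] || measurement), the bank size of 32, the assumption that PCRs 16 and up stay extendable after boot, and the sample "EIF section" bytes are all assumptions made for the example; the real EIF layout and the exact PCR0/1/2/8 mapping are not specified on this page.

```python
"""Verifier-side model of a measured-boot PCR bank, illustrating the NSM
semantics described in the commit message: zero-initialised PCRs, SHA-384
measurements, and the first 16 PCRs locked once boot is complete.

Assumptions (not stated on the page): TPM-style extend rule, 32 registers,
PCRs 16..31 remain extendable at runtime, and the sample image content below
is constructed, not a real EIF or the real PCR0/1/2/8 mapping.
"""
import hashlib
import hmac

DIGEST_LEN = 48          # SHA-384 output size in bytes
PCR_COUNT = 32           # assumption: bank size is not given on the page
LOCKED_AT_BOOT = 16      # "the first 16 PCRs are locked from boot and reserved"


class PcrBank:
    """A bank of extend-only registers with per-register locking."""

    def __init__(self) -> None:
        self._pcrs = [bytes(DIGEST_LEN)] * PCR_COUNT   # known zero state
        self._locked: set[int] = set()

    def read(self, index: int) -> bytes:
        return self._pcrs[index]

    def extend(self, index: int, measurement: bytes) -> bytes:
        """PCR[i] = SHA384(PCR[i] || measurement); refused once locked."""
        if not 0 <= index < PCR_COUNT:
            raise IndexError(f"no such PCR: {index}")
        if index in self._locked:
            raise PermissionError(f"PCR{index} is locked")
        self._pcrs[index] = hashlib.sha384(self._pcrs[index] + measurement).digest()
        return self._pcrs[index]

    def lock(self, index: int) -> None:
        self._locked.add(index)

    def is_locked(self, index: int) -> bool:
        return index in self._locked


def expected_pcr(measurements) -> bytes:
    """Recompute a PCR value from the zero state and an ordered measurement log."""
    value = bytes(DIGEST_LEN)
    for m in measurements:
        value = hashlib.sha384(value + m).digest()
    return value


def boot_enclave(image_measurements: dict) -> PcrBank:
    """Simulate NSM boot: extend each boot PCR, then lock PCR0..PCR15."""
    bank = PcrBank()
    for index, measurements in image_measurements.items():
        for m in measurements:
            bank.extend(index, m)
    for index in range(LOCKED_AT_BOOT):
        bank.lock(index)
    return bank


def verify_boot_pcrs(bank: PcrBank, image_measurements: dict) -> bool:
    """Recompute every boot PCR from the expected image and compare in constant time."""
    for index, measurements in image_measurements.items():
        if not hmac.compare_digest(bank.read(index), expected_pcr(measurements)):
            return False
    return True


# Constructed sample: SHA-384 stand-ins for EIF content. The section-to-PCR
# mapping here is illustrative only.
SAMPLE_IMAGE = {
    0: [hashlib.sha384(b"whole EIF image (constructed)").digest()],
    1: [hashlib.sha384(b"kernel + bootstrap (constructed)").digest()],
    2: [hashlib.sha384(b"application ramdisk (constructed)").digest()],
    8: [hashlib.sha384(b"signing certificate (constructed)").digest()],
}


def demo() -> dict:
    """Boot a bank, verify it, then exercise tamper detection and locking."""
    bank = boot_enclave(SAMPLE_IMAGE)
    verified = verify_boot_pcrs(bank, SAMPLE_IMAGE)

    tampered = dict(SAMPLE_IMAGE)
    tampered[2] = [hashlib.sha384(b"patched application (constructed)").digest()]
    tamper_detected = not verify_boot_pcrs(bank, tampered)

    try:
        bank.extend(0, b"post-boot extend attempt")
        boot_pcrs_locked = False
    except PermissionError:
        boot_pcrs_locked = True

    before = bank.read(16)
    bank.extend(16, b"runtime measurement")          # assumption: PCR16 is user-extendable
    user_pcr_extendable = bank.read(16) != before

    return {
        "boot_pcrs_verified": verified,
        "tamper_detected": tamper_detected,
        "boot_pcrs_locked": boot_pcrs_locked,
        "user_pcr_extendable": user_pcr_extendable,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of recomputing from zero in verify_boot_pcrs is that a relying party never trusts a reported PCR on its own: it derives the expected value from the image it believes was booted and compares, which is what makes the zero initial state and the lock after boot matter.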



Thread overview: 21+ messages
2024-08-10 16:44 [PATCH v3 0/5] AWS Nitro Enclave emulation support Dorjoy Chowdhury
2024-08-10 16:44 ` [PATCH v3 1/5] machine/nitro-enclave: New machine type for AWS Nitro Enclaves Dorjoy Chowdhury
2024-08-12 13:56   ` Alexander Graf
2024-08-10 16:44 ` [PATCH v3 2/5] machine/nitro-enclave: Add vhost-user-vsock device Dorjoy Chowdhury
2024-08-12 14:24   ` Daniel P. Berrangé
2024-08-13 18:02     ` Dorjoy Chowdhury
2024-08-14  8:17       ` Alexander Graf
2024-08-10 16:45 ` [PATCH v3 3/5] device/virtio-nsm: Support for Nitro Secure Module device Dorjoy Chowdhury
2024-08-12 14:15   ` Daniel P. Berrangé
2024-08-13 12:54   ` Alexander Graf
2024-08-10 16:45 ` [PATCH v3 4/5] machine/nitro-enclave: Add built-in " Dorjoy Chowdhury
2024-08-12 13:51   ` Alexander Graf
2024-08-12 14:00     ` Daniel P. Berrangé [this message]
2024-08-12 13:55   ` Alexander Graf
2024-08-12 14:07   ` Daniel P. Berrangé
2024-08-16 12:50     ` Dorjoy Chowdhury
2024-08-16 12:57       ` Daniel P. Berrangé
2024-08-16 13:34         ` Dorjoy Chowdhury
2024-08-13 12:57   ` Alexander Graf
2024-08-10 16:45 ` [PATCH v3 5/5] docs/nitro-enclave: Documentation for nitro-enclave machine type Dorjoy Chowdhury
2024-08-18 11:51 ` [PATCH v3 0/5] AWS Nitro Enclave emulation support Dorjoy Chowdhury
