Message-ID: <13ea31e26a9891722748c5d6e823f77b6c8b7809.camel@HansenPartnership.com>
Subject: Re: Coconut-SVSM - vTPM support for Intel TD Partitioning
From: James Bottomley
To: "Yao, Jiewen", "jejb@linux.ibm.com", Jeremi Piotrowski, Claudio Siqueira de Carvalho, "Rödel, Jörg"
Cc: "Lange, Jon", "Dong, Eddie", "Johnson, Simon P", "Reshetova, Elena", "Nakajima, Jun", "Perez, Ronald", "linux-coco@lists.linux.dev"
Date: Fri, 02 Aug 2024 08:27:41 -0400
References: <8c389411-c547-488f-93d2-ac953e212eaf@linux.microsoft.com> <900e624ab5ff2ad8c1a69662450b42a442baa828.camel@linux.ibm.com>
X-Mailing-List: linux-coco@lists.linux.dev

On Thu, 2024-08-01 at 22:38 +0000, Yao, Jiewen wrote:
> Hi
> As a follow-up, we have drafted the vTPM document and put it at
> https://github.com/intel-staging/td-partitioning-svsm/blob/svsm-tdp-vtpm/Documentation/TD%20Partitioning%20based%20virtual%20TPM%20Design%20Guide%20Rev%200.5.1.pdf
> It describes the current TD Partitioning based vTPM design.

So this design follows what was in the ephemeral vTPM paper
https://dl.acm.org/doi/abs/10.1145/3627106.3627112 and is what IBM
demoed at LPC. However, the weakness in this design is that there's no
challenge for the platform attestation used in place of the EK
certificate. We tried to argue around that because the ephemeral EK
changes on every boot and should thus mitigate any replay concerns, but
that can't extend to a stateful vTPM and we needed to support both (and
letting the attesting party provide the nonce even in terms of the EK
hash is still not good security practice). That's why the SVSM API
includes a vTPM attestation protocol that allows the external verifier
to provide a nonce and dispenses with the EK cert emulation protocol.

Regards,

James
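A simplified model of the freshness argument in the reply above, added here as an illustration and not code from SVSM, Coconut or the IBM demo: the report layout, the HMAC standing in for the platform's attestation signature, and the EK and nonce byte strings are all constructed. It shows why an ephemeral EK alone only covers the ephemeral case, and why a verifier-supplied nonce is what rejects a stale report once the vTPM is stateful.

```python
"""Model of a platform attestation used in place of an EK certificate.
Constructed illustration: PLATFORM_KEY stands in for the platform's real
attestation signing key and the EK values are made-up byte strings."""
import hashlib
import hmac
import secrets

PLATFORM_KEY = b"constructed-platform-attestation-key"  # stand-in, not a real key


def attest(ek_pub: bytes, nonce: bytes = b"") -> dict:
    """Platform emits a report binding the vTPM EK hash to the caller's nonce
    (an empty nonce models the EK-certificate-emulation flow with no challenge)."""
    ek_hash = hashlib.sha256(ek_pub).digest()
    sig = hmac.new(PLATFORM_KEY, ek_hash + nonce, "sha256").digest()
    return {"ek_hash": ek_hash, "nonce": nonce, "sig": sig}


def signature_ok(report: dict) -> bool:
    body = report["ek_hash"] + report["nonce"]
    expected = hmac.new(PLATFORM_KEY, body, "sha256").digest()
    return hmac.compare_digest(expected, report["sig"])


def verify_ek_cert_style(report: dict, ek_pub: bytes) -> bool:
    """No verifier challenge: accept any validly signed report whose EK hash
    matches the EK the vTPM presents. Freshness rests only on the EK changing."""
    return signature_ok(report) and report["ek_hash"] == hashlib.sha256(ek_pub).digest()


def verify_with_nonce(report: dict, ek_pub: bytes, nonce: bytes) -> bool:
    """The verifier-supplied nonce must appear inside the signed report."""
    return (report["nonce"] == nonce and signature_ok(report)
            and report["ek_hash"] == hashlib.sha256(ek_pub).digest())


def fresh_exchange(ek_pub: bytes) -> bool:
    """Normal flow: verifier picks a nonce, platform attests, verifier checks."""
    nonce = secrets.token_bytes(16)
    return verify_with_nonce(attest(ek_pub, nonce), ek_pub, nonce)


def stale_report_accepted(stateful: bool) -> tuple:
    """A report recorded on boot 1 is presented again on boot 2. Returns
    (accepted by the no-challenge verifier, accepted by the nonce verifier).
    Ephemeral EK: the hash no longer matches. Stateful vTPM: EK persists."""
    ek_boot1 = b"ek-boot-1"
    old_report = attest(ek_boot1)  # recorded earlier, carries no nonce
    ek_boot2 = ek_boot1 if stateful else b"ek-boot-2"
    return (verify_ek_cert_style(old_report, ek_boot2),
            verify_with_nonce(old_report, ek_boot2, secrets.token_bytes(16)))
```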