From: Dan Williams <dan.j.williams@intel.com>
To: Peter Gonda <pgonda@google.com>, Dan Williams <dan.j.williams@intel.com>
Cc: Jeremi Piotrowski <jpiotrowski@linux.microsoft.com>,
<linux-coco@lists.linux.dev>,
Brijesh Singh <brijesh.singh@amd.com>,
Kuppuswamy Sathyanarayanan
<sathyanarayanan.kuppuswamy@linux.intel.com>,
Peter Zijlstra <peterz@infradead.org>,
Tom Lendacky <thomas.lendacky@amd.com>,
Borislav Petkov <bp@alien8.de>,
"Dionna Amalie Glaze" <dionnaglaze@google.com>,
Samuel Ortiz <sameo@rivosinc.com>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
<x86@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2 0/5] tsm: Attestation Report ABI
Date: Tue, 15 Aug 2023 11:13:13 -0700 [thread overview]
Message-ID: <64dbc039c08b0_28996294ce@dwillia2-mobl3.amr.corp.intel.com.notmuch> (raw)
In-Reply-To: <CAMkAt6q1ZedWBQ+ZLmD5QRKc0jcz2nrdwEAw6g8R2fZ5e2ed_A@mail.gmail.com>
Peter Gonda wrote:
> On Mon, Aug 14, 2023 at 11:12 AM Dan Williams <dan.j.williams@intel.com> wrote:
> >
> > Jeremi Piotrowski wrote:
> > > On 8/14/2023 9:43 AM, Dan Williams wrote:
> > > > Changes since v1:
> > > > - Switch from Keyring to sysfs (James)
> > > >
> > > > An attestation report is signed evidence of how a Trusted Virtual
> > > > Machine (TVM) was launched and its current state. A verifying party uses
> > > > the report to make judgements of the confidentiality and integrity of
> > > > that execution environment. Upon successful attestation the verifying
> > > > party may, for example, proceed to deploy secrets to the TVM to carry
> > > > out a workload. Multiple confidential computing platforms share this
> > > > similar flow.
> > > >
> > > > The approach of adding adding new char devs and new ioctls, for what
> > > > amounts to the same logical functionality with minor formatting
> > > > differences across vendors [1], is untenable. Common concepts and the
> > > > community benefit from common infrastructure.
> > > >
> > > > Use sysfs for this facility for maintainability compared to ioctl(). The
> > > > expectation is that this interface is a boot time, configure once, get
> > > > report, and done flow. I.e. not something that receives ongoing
> > > > transactions at runtime. However, runtime retrieval is not precluded and
> > > > a mechanism to detect potential configuration conflicts from
> > > > multiple-threads using this interface is included.
> > > >
> > >
> > > I wanted to speak up to say that this does not align with the needs we have
> > > in the Confidential Containers project. We want to be able to perform attestation
> > > not just once during boot but during the lifecycle of the confidential VM. We
> > > may need to fetch a fresh attestation report from a trusted agent but also from
> > > arbitrary applications running in containers.
> > >
> > > The trusted agent might need attestation when launching a new container from an
> > > encrypted container image or when a new secret is being added to the VM - both
> > > of these events may happen at any time (also when containerized applications
> > > are already executing).
> > >
> > > Container applications have their own uses for attestation, such as when they need
> > > to fetch keys required to decrypt payloads. We also have things like performing
> > > attestation when establishing a TLS or ssh connection to provide an attested e2e
> > > encrypted communication channel.
> >
> > ...and you expect that the boot time attestation becomes invalidated
> > later at run time such that ongoing round trips to the TSM are needed? I
> > am looking at "Table 21. ATTESTATION_REPORT Structure" for example and
> > not seeing data there that changes from one request to the next. Runtime
> > validation likely looks more like the vTPM use case with PCRs. That will
> > leverage the existing / common TPM ABI.
>
> I thought we were dropping the TSM acronym as requested by Jarkko?
I read that in the context of the key-type name. The key-type proposal
was dropped.
> Why do we need to be so prescriptive about "boot time" vs "runtime"
> attestations? A user may wish to attest to several requests as Jeremi
> notes. And why should users be forced into using a vTPM interface if
> their usecase doesn't require all the features and complexity of a
> vTPM?
When I said "like vTPM" I did not mean to infer "only vTPM". There are
three scenarios base attestation reports, attestation reports with
runtime measurement values, and vTPM. This patchset is only about the
first scenario.
RTMRs have similarities with PCRs, does that mean they need to be
intergrated behind the existing TPM ABI or deserve something new? That
is a question that the RTMR enabling effort will need to answer.
> Some users may prefer less overall code within their Trusted
> Computer Base (TCB) and a TPM emulate is a significant code base.
Yes.
> It seems like you are just reading the SNP spec,
Nope, fully aware of the TDX spec. This patchset is around wrapping the
existing sev-guest capability with a shared ABI for the TDX equivalen.
> if you read the TDX
> spec you'll see there are RTMRs which can be extended with new data.
> This leads to a different data in the attestation. Similar there are
> REMs in the ARM CCA spec.
Again, RTMRs are not part of this current proposal.
next prev parent reply other threads:[~2023-08-15 18:13 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-14 7:43 [PATCH v2 0/5] tsm: Attestation Report ABI Dan Williams
2023-08-14 7:43 ` [PATCH v2 1/5] virt: coco: Add a coco/Makefile and coco/Kconfig Dan Williams
2023-08-14 7:43 ` [PATCH v2 2/5] tsm: Introduce a shared ABI for attestation reports Dan Williams
2023-08-14 8:24 ` Jeremi Piotrowski
2023-08-14 16:21 ` Dan Williams
2023-08-14 15:38 ` Greg Kroah-Hartman
2023-08-14 16:43 ` Dan Williams
2023-08-14 18:43 ` Greg Kroah-Hartman
2023-08-15 19:51 ` Tom Lendacky
2023-08-16 14:44 ` Tom Lendacky
2023-08-16 15:12 ` Dan Williams
2023-08-22 7:29 ` Roy Hopkins
2023-08-23 13:49 ` Samuel Ortiz
2023-08-28 10:46 ` Dr. Greg
2023-08-14 7:43 ` [PATCH v2 3/5] virt: sevguest: Prep for kernel internal {get, get_ext}_report() Dan Williams
2023-08-14 16:58 ` Dionna Amalie Glaze
2023-08-14 23:24 ` Dan Williams
2023-08-15 20:11 ` Tom Lendacky
2023-08-15 21:03 ` Dan Williams
2023-08-16 19:38 ` Dionna Amalie Glaze
2023-08-15 20:20 ` Tom Lendacky
2023-08-15 21:37 ` Dan Williams
2023-08-14 7:43 ` [PATCH v2 4/5] mm/slab: Add __free() support for kvfree Dan Williams
2023-08-14 15:31 ` Greg Kroah-Hartman
2023-08-14 16:17 ` Peter Zijlstra
2023-08-14 18:44 ` Greg Kroah-Hartman
2023-08-14 18:45 ` Greg Kroah-Hartman
2024-01-04 6:57 ` Lukas Wunner
2024-01-04 18:29 ` Dan Williams
2023-08-14 7:43 ` [PATCH v2 5/5] virt: sevguest: Add TSM_REPORTS support for SNP_{GET, GET_EXT}_REPORT Dan Williams
2023-08-14 8:30 ` Jeremi Piotrowski
2023-08-14 16:22 ` Dan Williams
2023-08-14 11:21 ` Peter Zijlstra
2023-08-14 16:25 ` Dan Williams
2023-08-14 16:48 ` Peter Zijlstra
2023-08-14 22:15 ` Peter Zijlstra
2023-08-15 8:37 ` Peter Zijlstra
2023-08-15 20:50 ` Tom Lendacky
2023-08-15 21:40 ` Dan Williams
2023-08-14 9:04 ` [PATCH v2 0/5] tsm: Attestation Report ABI Jeremi Piotrowski
2023-08-14 17:12 ` Dan Williams
2023-08-15 14:27 ` Peter Gonda
2023-08-15 17:16 ` Dionna Amalie Glaze
2023-08-15 21:13 ` Dan Williams
2023-08-15 18:13 ` Dan Williams [this message]
2023-08-16 9:42 ` Jeremi Piotrowski
2023-08-23 11:21 ` Dr. Greg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=64dbc039c08b0_28996294ce@dwillia2-mobl3.amr.corp.intel.com.notmuch \
--to=dan.j.williams@intel.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=akpm@linux-foundation.org \
--cc=bp@alien8.de \
--cc=brijesh.singh@amd.com \
--cc=dionnaglaze@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=jpiotrowski@linux.microsoft.com \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=pgonda@google.com \
--cc=sameo@rivosinc.com \
--cc=sathyanarayanan.kuppuswamy@linux.intel.com \
--cc=thomas.lendacky@amd.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).