From: Dan Williams <dan.j.williams@intel.com>
To: Dionna Amalie Glaze <dionnaglaze@google.com>,
Peter Gonda <pgonda@google.com>
Cc: Dan Williams <dan.j.williams@intel.com>,
Jeremi Piotrowski <jpiotrowski@linux.microsoft.com>,
<linux-coco@lists.linux.dev>,
"Brijesh Singh" <brijesh.singh@amd.com>,
Kuppuswamy Sathyanarayanan
<sathyanarayanan.kuppuswamy@linux.intel.com>,
Peter Zijlstra <peterz@infradead.org>,
Tom Lendacky <thomas.lendacky@amd.com>,
"Borislav Petkov" <bp@alien8.de>,
Samuel Ortiz <sameo@rivosinc.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
<x86@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2 0/5] tsm: Attestation Report ABI
Date: Tue, 15 Aug 2023 14:13:34 -0700 [thread overview]
Message-ID: <64dbea7e18d6c_47b5729429@dwillia2-mobl3.amr.corp.intel.com.notmuch> (raw)
In-Reply-To: <CAAH4kHYCofTtdjpxKMLO8CMX6kZjQUG69mbbwerwuW0Pk6up9A@mail.gmail.com>
Dionna Amalie Glaze wrote:
> >
> > Why do we need to be so prescriptive about "boot time" vs "runtime"
> > attestations? A user may wish to attest to several requests as Jeremi
> > notes. And why should users be forced into using a vTPM interface if
> > their usecase doesn't require all the features and complexity of a
> > vTPM? Some users may prefer less overall code within their Trusted
> > Computer Base (TCB) and a TPM emulate is a significant code base.
> >
>
> I agree, and I was a bit too hasty to acquiesce to sysfs due to the
> TPM argument that really only applies for SEV-SNP without a whole lot
> of extra work for other backends (not to say SVSM isn't itself a whole
> lot of extra work).
>
> > It seems like you are just reading the SNP spec, if you read the TDX
> > spec you'll see there are RTMRs which can be extended with new data.
> > This leads to a different data in the attestation. Similar there are
> > REMs in the ARM CCA spec.
> >
>
> I'll add a note here that measurement registers are extensible at any
> point by ring0, and there should be an API for doing so, the way that
> there is for /dev/tpmX.
>
> It could be /dev/teemr or something to unify TDX, COVE, ARM CCA, and
> potentially a measurement register protocol extension to SEV-SNP's
> SVSM.
> I'm not sure how Intel is going to propose abstracting TCG Canonical
> Event Log measurements to reuse measurement-to-PCR<X> code points in
> the kernel as measurement-to-MR<f(X)>, or whatnot, but each technology
> should have that implementation option to extend their own measurement
> registers (and event log, potentially).
>
> I (and probably James) object with just saying the PCRs are going to
> xyz-measurement-register for simulating that integrity part of a TPM
> to get just the quote aspect and not the rest of TPM 2.0 to hide
> everything behind the TPM abstraction. It doesn't follow the Tcg spec.
>
> But I repeat myself. If we use any ioctl, we'll end up multiplexing
> the input per-technology, and at that point we essentially have
> manufacturer-specific devices much to Dan's dismay.
I think the ioctl() question is separate from the question of how to
scale an attestation ABI.
While I am not yet convinced that RTMR deserves an ABI separate from
vTPM (or at least a trusted-keys abstraction to reuse the kernel's
existing PCR ABI for TPM-like facilities) the selection of sysfs
precludes the "RTMR and repeated measurements by multiple containers"
use case. One way to buy time for that future conversation while moving
ahead on this base reporting ABI is to switch from sysfs to configfs.
That would allow for per container submission ABI.
It could be approximated with sysfs by having an instance creation
attribute, but it is more natural to just use mkdir to create more
interfaces that can be bind mounted by per-container if need be.
> Sysfs will certainly not be okay for measurement register-only
> technology, since there's no way to not use a hardware attestation to
> securely track measurement changes past "the static boot" (PCRs 0-7).
> I don't want to have to rely on enclave-like peer VMs that perform the
> TPM behavior.
Understood.
next prev parent reply other threads:[~2023-08-15 21:13 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-14 7:43 [PATCH v2 0/5] tsm: Attestation Report ABI Dan Williams
2023-08-14 7:43 ` [PATCH v2 1/5] virt: coco: Add a coco/Makefile and coco/Kconfig Dan Williams
2023-08-14 7:43 ` [PATCH v2 2/5] tsm: Introduce a shared ABI for attestation reports Dan Williams
2023-08-14 8:24 ` Jeremi Piotrowski
2023-08-14 16:21 ` Dan Williams
2023-08-14 15:38 ` Greg Kroah-Hartman
2023-08-14 16:43 ` Dan Williams
2023-08-14 18:43 ` Greg Kroah-Hartman
2023-08-15 19:51 ` Tom Lendacky
2023-08-16 14:44 ` Tom Lendacky
2023-08-16 15:12 ` Dan Williams
2023-08-22 7:29 ` Roy Hopkins
2023-08-23 13:49 ` Samuel Ortiz
2023-08-28 10:46 ` Dr. Greg
2023-08-14 7:43 ` [PATCH v2 3/5] virt: sevguest: Prep for kernel internal {get, get_ext}_report() Dan Williams
2023-08-14 16:58 ` Dionna Amalie Glaze
2023-08-14 23:24 ` Dan Williams
2023-08-15 20:11 ` Tom Lendacky
2023-08-15 21:03 ` Dan Williams
2023-08-16 19:38 ` Dionna Amalie Glaze
2023-08-15 20:20 ` Tom Lendacky
2023-08-15 21:37 ` Dan Williams
2023-08-14 7:43 ` [PATCH v2 4/5] mm/slab: Add __free() support for kvfree Dan Williams
2023-08-14 15:31 ` Greg Kroah-Hartman
2023-08-14 16:17 ` Peter Zijlstra
2023-08-14 18:44 ` Greg Kroah-Hartman
2023-08-14 18:45 ` Greg Kroah-Hartman
2024-01-04 6:57 ` Lukas Wunner
2024-01-04 18:29 ` Dan Williams
2023-08-14 7:43 ` [PATCH v2 5/5] virt: sevguest: Add TSM_REPORTS support for SNP_{GET, GET_EXT}_REPORT Dan Williams
2023-08-14 8:30 ` Jeremi Piotrowski
2023-08-14 16:22 ` Dan Williams
2023-08-14 11:21 ` Peter Zijlstra
2023-08-14 16:25 ` Dan Williams
2023-08-14 16:48 ` Peter Zijlstra
2023-08-14 22:15 ` Peter Zijlstra
2023-08-15 8:37 ` Peter Zijlstra
2023-08-15 20:50 ` Tom Lendacky
2023-08-15 21:40 ` Dan Williams
2023-08-14 9:04 ` [PATCH v2 0/5] tsm: Attestation Report ABI Jeremi Piotrowski
2023-08-14 17:12 ` Dan Williams
2023-08-15 14:27 ` Peter Gonda
2023-08-15 17:16 ` Dionna Amalie Glaze
2023-08-15 21:13 ` Dan Williams [this message]
2023-08-15 18:13 ` Dan Williams
2023-08-16 9:42 ` Jeremi Piotrowski
2023-08-23 11:21 ` Dr. Greg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=64dbea7e18d6c_47b5729429@dwillia2-mobl3.amr.corp.intel.com.notmuch \
--to=dan.j.williams@intel.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=akpm@linux-foundation.org \
--cc=bp@alien8.de \
--cc=brijesh.singh@amd.com \
--cc=dionnaglaze@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=jpiotrowski@linux.microsoft.com \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=pgonda@google.com \
--cc=sameo@rivosinc.com \
--cc=sathyanarayanan.kuppuswamy@linux.intel.com \
--cc=thomas.lendacky@amd.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).