Re: [PATCH v2 0/5] tsm: Attestation Report ABI

[Jeremi Piotrowski <jpiotrowski@linux.microsoft.com>]

On 8/14/2023 7:12 PM, Dan Williams wrote:
> Jeremi Piotrowski wrote:
>> On 8/14/2023 9:43 AM, Dan Williams wrote:
>>> Changes since v1:
>>> - Switch from Keyring to sysfs (James)
>>>
>>> An attestation report is signed evidence of how a Trusted Virtual
>>> Machine (TVM) was launched and its current state. A verifying party uses
>>> the report to make judgements of the confidentiality and integrity of
>>> that execution environment. Upon successful attestation the verifying
>>> party may, for example, proceed to deploy secrets to the TVM to carry
>>> out a workload. Multiple confidential computing platforms share this
>>> similar flow.
>>>
>>> The approach of adding adding new char devs and new ioctls, for what
>>> amounts to the same logical functionality with minor formatting
>>> differences across vendors [1], is untenable. Common concepts and the
>>> community benefit from common infrastructure.
>>>
>>> Use sysfs for this facility for maintainability compared to ioctl(). The
>>> expectation is that this interface is a boot time, configure once, get
>>> report, and done flow. I.e. not something that receives ongoing
>>> transactions at runtime. However, runtime retrieval is not precluded and
>>> a mechanism to detect potential configuration conflicts from
>>> multiple-threads using this interface is included.
>>>
>>
>> I wanted to speak up to say that this does not align with the needs we have
>> in the Confidential Containers project. We want to be able to perform attestation
>> not just once during boot but during the lifecycle of the confidential VM. We
>> may need to fetch a fresh attestation report from a trusted agent but also from
>> arbitrary applications running in containers.
>>
>> The trusted agent might need attestation when launching a new container from an
>> encrypted container image or when a new secret is being added to the VM - both
>> of these events may happen at any time (also when containerized applications
>> are already executing).
>>
>> Container applications have their own uses for attestation, such as when they need
>> to fetch keys required to decrypt payloads. We also have things like performing
>> attestation when establishing a TLS or ssh connection to provide an attested e2e
>> encrypted communication channel.
> 
> ...and you expect that the boot time attestation becomes invalidated
> later at run time such that ongoing round trips to the TSM are needed?

It's not that it would become invalidated - it's that it will have served its purpose.
Attestation is used to establish trust with a relying party, for every other relying
party you'll need to generate a fresh attestation report. So we can't lock ourselves
into a specific protocol in the kernel here that only assumes a single party.

The one shot "decrypt disk image during boot" attestation use case is relevant elsewhere,
but not so much for containers.

> I am looking at "Table 21. ATTESTATION_REPORT Structure" for example and
> not seeing data there that changes from one request to the next.

REPORT_DATA in SNP or REPORTDATA in TDX. You want to have a nonce/challenge or short
lived session keys covered by the report, so you hash some data structure that includes
them and request an attestation report with the hash in "report data".

Here's an example of the verifying side:
https://github.com/confidential-containers/attestation-service/blob/main/attestation-service/src/verifier/tdx/mod.rs#L40-L52


> Runtime validation likely looks more like the vTPM use case with PCRs. That will
> leverage the existing / common TPM ABI.> 

Not at all, these two things are orthogonal. PCRs can be extended at runtime but you'll
struggle to use them as described above. You'd have to designate a PCR for this purpose,
lock against concurrent users (across multiple TPM commands) and reset it before every
use. Highly impractical.

TPM2 has a similar concept to "REPORTDATA" called "qualifying data" which is passed
when requesting a quote. This highlights the need for an interface to regenerate evidence
(attestation report or quote) with user defined data mixed in.

>> I don't think sysfs is suitable for such concurrent transactions. Also if you think
>> about exposing the sysfs interface to an application in a container, this requires
>> bind mounting rw part of the sysfs tree into the mount namespace - not ideal.
> 
> sysfs is not suitable for concurrent transactions. The container would
> need to have an alternate path to request that the singleton owner of
> the interface generate new reports, or use the boot time attestation to
> derive per container communication sessions to the attestation agent.

It would be possible to use a userspace agent to coordinate access to generating reports,
but that takes us further away from standardization - applications would have to be
tailored to a specific environment instead of relying on the same kernel (hardware)
interface everywhere.

I don't follow this part:
"use the boot time attestation to derive per container communication sessions to the attestation agent".
In general we want the application attestation report to be linked directly to a hardware
root of trust, without chaining through some intermediate entity.