From: Dionna Amalie Glaze <dionnaglaze@google.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: "Jörg Rödel" <jroedel@suse.de>,
linux-coco@lists.linux.dev, amd-sev-snp@lists.suse.com
Subject: Re: SVSM initiated early attestation / guest secrets injection
Date: Fri, 13 Jan 2023 10:52:57 -0800 [thread overview]
Message-ID: <CAAH4kHb=3nrAMR3GvpvyG0y__-USmZgV=FBSqtecw+ECXXoqpQ@mail.gmail.com> (raw)
In-Reply-To: <Y8Gi0KLj5JbhCqBE@redhat.com>
>
> Aside from what James' says, one option is to lockdown the OVMF and
> secureboot chain. eg OVMF built with SecureBoot=on, and instead of
> having the generic Microsoft keys enrolled, have a distro specific
> key enrolled. That distro key would have to be one that is only
> used for signing UKIs (Unified Kernel Images), and the initrd embedded
> in the UKI would need to be designed abort if it finds the disk is
> not encrypted.
>
IIUC, the disk doesn't need to be encrypted, it needs integrity. We
can't treat booting to an encrypted disk as booting to the expected
encrypted disk.
Everything still depends on rooting your core secrets to your
workload's identity. This relies on an integrity-protected initrd that
has its root hash measured as part of the kernel_cmdline.
The secret-holding server should only ever release secrets encrypted
by an attested vTPM binary (SVSM-generated public key) that has sealed
the secret to the workload PCRs.
This kicks the problem to the server and VM having pre-agreed on
what's the expected combination of OVMF and SVSM. So yes the vTPM gets
its core secret transferred to it before the PCRs get set to the
expected values, but that's part of the attestation dance with the
initial registration with the secret-holding server.
> The main challenge here is that you don't have a single OVMF anymore.
> You have many OVMFs, one for each distinct set of distro SecureBoot
> keys, and the attestation server has to decide which one it wants
> based on the distro the VM is expected to use.
>
> If we don't do any of this, then the early attestation and secret
> fetch would have to be limited to /only/ the secret for unlocking
> the vTPM state, and not injected into the guest OS. The OS would
> have to do everything else with the vTPM and PCR sealed data to
> achieve the same end results of only getting access to secrets if
> the vTPM sees the set of PCR values corresponding to the desired
> UKI secureboot keys.
>
> Ultimately the latter is probably the more common case and more
> flexible.
>
I don't think there can ever be a one-size-fits all base measurement
to seal secrets to, since there's always the final variable of the
workload.
--
-Dionna Glaze, PhD (she/her)
next prev parent reply other threads:[~2023-01-13 18:53 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-12 14:39 SVSM initiated early attestation / guest secrets injection Daniel P. Berrangé
2023-01-13 17:22 ` Jörg Rödel
2023-01-13 18:02 ` James Bottomley
2023-01-14 16:57 ` Jörg Rödel
2023-01-19 14:05 ` Christophe de Dinechin Dupont de Dinechin
2023-01-19 14:10 ` James Bottomley
2023-01-19 21:18 ` Jörg Rödel
2023-01-19 21:29 ` James Bottomley
2023-01-20 8:37 ` Jörg Rödel
2023-01-20 8:57 ` Daniel P. Berrangé
2023-01-20 12:39 ` James Bottomley
2023-01-20 12:51 ` Daniel P. Berrangé
2023-01-20 17:10 ` James Bottomley
2023-01-20 12:32 ` James Bottomley
2023-01-13 18:28 ` Daniel P. Berrangé
2023-01-13 18:52 ` Dionna Amalie Glaze [this message]
2023-01-16 9:36 ` Daniel P. Berrangé
2023-01-14 17:08 ` Jörg Rödel
2023-01-14 18:22 ` James Bottomley
2023-01-16 16:55 ` Jörg Rödel
2023-01-16 16:59 ` James Bottomley
2023-01-17 16:47 ` Jörg Rödel
2023-01-16 17:13 ` Daniel P. Berrangé
2023-01-17 16:53 ` Jörg Rödel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAAH4kHb=3nrAMR3GvpvyG0y__-USmZgV=FBSqtecw+ECXXoqpQ@mail.gmail.com' \
--to=dionnaglaze@google.com \
--cc=amd-sev-snp@lists.suse.com \
--cc=berrange@redhat.com \
--cc=jroedel@suse.de \
--cc=linux-coco@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).