From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Tom Lendacky <thomas.lendacky@amd.com>
Cc: "amd-sev-snp@lists.suse.com" <amd-sev-snp@lists.suse.com>,
"linux-coco@lists.linux.dev" <linux-coco@lists.linux.dev>
Subject: Re: SVSM vTPM specification
Date: Wed, 12 Oct 2022 18:33:36 +0100 [thread overview]
Message-ID: <Y0b6cDIMlKijT95S@work-vm> (raw)
In-Reply-To: <3e11fa26-b644-c214-c8e8-492113523f95@amd.com>
* Tom Lendacky (thomas.lendacky@amd.com) wrote:
> I'd like to approach this from the standpoint of an enlightened guest with a
> TPM driver that is SVSM aware. I'm by no means a TPM expert, but I'll pose a
> bunch of questions to see if we can start moving forward.
Thanks for starting the discussion off.
> What would an enlightened guest need from the SVSM for attestation of the
> SVSM/vTPM? What would a vTPM driver need to supply to an SVSM for TPM
> operations?
>
> For attestation, the SVSM could provide a VMPCK0 attestation report. What,
> if any, data should the guest supply to the SVSM to be part of the SNP
> attestation report data? Should this attestation request be part of the SVSM
> base protocol?
I'm not quite sure what a 'VMPCK0 attestation report' is?
It's important that the VMPL level in the attestation report reflects
the side asking for the attestation; in particular one TPM story goes
that the firmware (in VMPL0) would ask for an attestation and the
attestor would return the vTPM stored state. It's important that the
state could only be returned to the vTPM not the guest, so the attestor
would check that the VMPL level in the attestation was 0; any guest
attestation would have a VMPL>0 and so the attestor wouldn't hand it the
vTPM state.
Hmm or are you saying such a report would be triggered by the guest
rather than the firmware, but it would be protected by VMPCK0 so the
guest wouldn't be able to read it?
I think one of the vTPMs keys should be in the SNP attestation report
(the EK???) - I think that would allow you to attest that the vTPM
you're talking to is a vTPM running in an SNP protected firmware.
> For the TPM, is it enough to emulate the TPM device register space? Rather
> than using a PCI BAR or an ACPI memory resource address, could the vTPM
> driver replicate the TPM register space in ordinary memory for the SVSM to
> process? Should this memory come from the SVSM or from the guest?
>
> Or is there a better, more efficient method that can be used to perform TPM
> operations? What would that look like?
Can we make this look as close to the TPM CRB as possible; from
discussions with others it looks clear something extra is needed; but I
don't see the reason to be too inventive.
Dave
> Here's hoping this starts the discussion...
>
> Thanks,
> Tom
>
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
next prev parent reply other threads:[~2022-10-12 17:33 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-12 16:38 SVSM vTPM specification Tom Lendacky
2022-10-12 17:33 ` Dr. David Alan Gilbert [this message]
2022-10-12 18:44 ` James Bottomley
2022-10-13 15:14 ` Tom Lendacky
2022-10-13 15:29 ` Daniele Buono
2022-10-13 15:30 ` James Bottomley
2022-10-18 20:22 ` Dov Murik
2022-10-19 5:47 ` Christophe de Dinechin
2022-10-19 6:39 ` Dov Murik
2022-10-19 8:08 ` Daniel P. Berrangé
2022-10-19 12:09 ` Christophe de Dinechin
2022-10-19 12:38 ` James Bottomley
2022-10-19 13:05 ` Daniel P. Berrangé
2022-10-19 14:43 ` Tom Lendacky
2022-10-19 15:20 ` James Bottomley
2022-10-19 21:58 ` Tom Lendacky
2022-10-19 20:57 ` Dov Murik
2022-10-19 22:04 ` Tom Lendacky
2022-10-19 22:14 ` Dionna Amalie Glaze
2022-10-19 23:38 ` James Bottomley
2022-10-19 22:36 ` [EXTERNAL] " David Altobelli
[not found] ` <CABayD+cYCj=uOtC5h1d781jh_B6XqxmZNfR69taEex7yvkizRw@mail.gmail.com>
[not found] ` <SJ0PR21MB132378C080FFED1E283B4051E92A9@SJ0PR21MB1323.namprd21.prod.outlook.com>
2022-10-20 20:29 ` James Bottomley
2022-10-21 0:02 ` [EXTERNAL] " Jon Lange
2022-10-21 13:04 ` James Bottomley
2022-10-21 16:31 ` [EXTERNAL] " Jon Lange
2022-10-22 3:20 ` James Bottomley
2022-10-24 4:51 ` [EXTERNAL] " Jon Lange
2022-10-24 10:59 ` Dr. David Alan Gilbert
2022-10-24 11:45 ` Dov Murik
2022-10-24 19:02 ` Tom Lendacky
2022-10-24 19:18 ` Dionna Amalie Glaze
2022-10-25 8:51 ` Dov Murik
2022-10-25 9:43 ` Christophe de Dinechin
2022-10-25 14:08 ` Tom Lendacky
2022-10-25 14:13 ` James Bottomley
2022-10-29 0:25 ` Steve Rutherford
2022-10-29 13:27 ` James Bottomley
2022-10-19 11:21 ` Dr. David Alan Gilbert
2022-10-19 11:45 ` James Bottomley
2022-10-12 19:05 ` James Bottomley
2022-10-13 18:54 ` Tom Lendacky
2022-10-13 19:20 ` James Bottomley
2022-10-13 20:54 ` Daniel P. Smith
2022-10-13 21:06 ` James Bottomley
2022-10-13 21:14 ` Daniel P. Smith
2022-10-13 21:41 ` James Bottomley
2022-10-14 17:16 ` Stuart Yoder
2022-10-14 21:46 ` Tom Lendacky
2022-10-16 16:29 ` Daniel P. Smith
2022-10-16 16:44 ` James Bottomley
2022-10-21 11:54 ` Daniel P. Smith
2022-10-21 12:31 ` James Bottomley
2022-10-18 20:45 ` Dov Murik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y0b6cDIMlKijT95S@work-vm \
--to=dgilbert@redhat.com \
--cc=amd-sev-snp@lists.suse.com \
--cc=linux-coco@lists.linux.dev \
--cc=thomas.lendacky@amd.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).