From: "Jörg Rödel" <jroedel@suse.de>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: linux-coco@lists.linux.dev, amd-sev-snp@lists.suse.com
Subject: Re: SVSM initiated early attestation / guest secrets injection
Date: Sat, 14 Jan 2023 18:08:07 +0100 [thread overview]
Message-ID: <Y8Lhd/H4yGTsOM/+@suse.de> (raw)
In-Reply-To: <Y8Gi0KLj5JbhCqBE@redhat.com>
On Fri, Jan 13, 2023 at 06:28:32PM +0000, Daniel P. Berrangé wrote:
> Aside from what James' says, one option is to lockdown the OVMF and
> secureboot chain. eg OVMF built with SecureBoot=on, and instead of
> having the generic Microsoft keys enrolled, have a distro specific
> key enrolled. That distro key would have to be one that is only
> used for signing UKIs (Unified Kernel Images), and the initrd embedded
> in the UKI would need to be designed abort if it finds the disk is
> not encrypted.
>
> The main challenge here is that you don't have a single OVMF anymore.
> You have many OVMFs, one for each distinct set of distro SecureBoot
> keys, and the attestation server has to decide which one it wants
> based on the distro the VM is expected to use.
Yeah, as you said, this requires OS-vendor specific firmware in the VM,
I doubt the CSPs will implement offerings this way. More likely is
that a CSP will deploy its forked OVMF BIOS with a set of secure boot
keys, which will likely also include keys from the CSP (especially if
the CSP also provides its own distro). So you still need to trust the
CSP that it will not fake one of your VMs to steal secrets.
As James also said, the measurement to unlock secrets need to include
all software/data components up to the point where the encrypted disk
gets mounted.
Regards,
--
Jörg Rödel
jroedel@suse.de
SUSE Software Solutions Germany GmbH
Frankenstraße 146
90461 Nürnberg
Germany
(HRB 36809, AG Nürnberg)
Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
next prev parent reply other threads:[~2023-01-14 17:08 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-12 14:39 SVSM initiated early attestation / guest secrets injection Daniel P. Berrangé
2023-01-13 17:22 ` Jörg Rödel
2023-01-13 18:02 ` James Bottomley
2023-01-14 16:57 ` Jörg Rödel
2023-01-19 14:05 ` Christophe de Dinechin Dupont de Dinechin
2023-01-19 14:10 ` James Bottomley
2023-01-19 21:18 ` Jörg Rödel
2023-01-19 21:29 ` James Bottomley
2023-01-20 8:37 ` Jörg Rödel
2023-01-20 8:57 ` Daniel P. Berrangé
2023-01-20 12:39 ` James Bottomley
2023-01-20 12:51 ` Daniel P. Berrangé
2023-01-20 17:10 ` James Bottomley
2023-01-20 12:32 ` James Bottomley
2023-01-13 18:28 ` Daniel P. Berrangé
2023-01-13 18:52 ` Dionna Amalie Glaze
2023-01-16 9:36 ` Daniel P. Berrangé
2023-01-14 17:08 ` Jörg Rödel [this message]
2023-01-14 18:22 ` James Bottomley
2023-01-16 16:55 ` Jörg Rödel
2023-01-16 16:59 ` James Bottomley
2023-01-17 16:47 ` Jörg Rödel
2023-01-16 17:13 ` Daniel P. Berrangé
2023-01-17 16:53 ` Jörg Rödel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y8Lhd/H4yGTsOM/+@suse.de \
--to=jroedel@suse.de \
--cc=amd-sev-snp@lists.suse.com \
--cc=berrange@redhat.com \
--cc=linux-coco@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).