Re: [ANNOUNCEMENT] COCONUT Secure VM Service Module for SEV-SNP

["Dr. David Alan Gilbert" <dgilbert@redhat.com>]

* Dionna Amalie Glaze (dionnaglaze@google.com) wrote:
> On Wed, Mar 22, 2023 at 3:34 AM Dr. David Alan Gilbert
> <dgilbert@redhat.com> wrote:
> >
> > * Alexander Graf (graf@amazon.com) wrote:
> > > Hi Jörg,
> > >
> > > On 22.03.23 10:19, Jörg Rödel wrote:
> > >
> > > > On Tue, Mar 21, 2023 at 07:53:58PM +0000, Dr. David Alan Gilbert wrote:
> > > > > OK; the other thing that needs to get nailed down for the vTPM's is the
> > > > > relationship between the vTPM attestation and the SEV attestation.
> > > > > i.e. how to prove that the vTPM you're dealing with is from an SNP host.
> > > > > (Azure have a hack of putting an SNP attestation report into the vTPM
> > > > > NVRAM; see
> > > > > https://github.com/Azure/confidential-computing-cvm-guest-attestation/blob/main/cvm-guest-attestation.md
> > > > > )
> > > > When using the SVSM TPM protocol it should be proven already that the
> > > > vTPM is part of the SNP trusted base, no? The TPM communication is
> > > > implicitly encrypted by the VMs memory key and the SEV attestation
> > > > report proves that the correct vTPM is executing.
> > >
> > >
> > > What you want to achieve eventually is to take a report from the vTPM and
> > > submit only that to an external authorization entity that looks at it and
> > > says "Yup, you ran in SEV-SNP, I trust your TCB, I trust your TPM
> > > implementation, I also trust your PCR values" and based on that provides
> > > access to whatever resource you want to access.
> > >
> > > To do that, you need to link SEV-SNP and TPM measurements/reports together.
> > > And the easiest way to do that is by providing the SEV-SNP report as part of
> > > the TPM: You can then use the hash of the SEV-SNP report as signing key for
> > > example.
> >
> > Yeh; I think the SVSM TPM protocol has some proof of that as well; the
> > SVSM spec lists 'SVSM_ATTEST_SINGLE_SERVICE Manifest Data' that contains
> > 'TPMT_PUBLIC structure of the endorsement key'.
> > So I *think* that's saying that the SEV attestation report contains
> > something from the EK of the vTPM.
> >
> > > I think the key here is that you need to propagate that link to an external
> > > party, not (only) to the VM.
> >
> > Yeh.
> >
> 
> Excuse my perhaps naivete, but would it not be in the TCG's wheelhouse
> to specify how a TPM's firmware (SVSM) / bootloader (SEV-SNP) should
> be attested? The EK as well?
> 
> I think this might need to jump back to the vTPM protocol thread since
> this is about COCONUT, but I'm worried we're talking about
> AMD-specific long-term formats when perhaps the trusted computing
> group should be widening its scope to how a TPM should be virtualized.
> I appreciate that we're attempting to solve the problem in the short
> term, and certainly the SVSM will need attestation capabilities, but
> the linking to the TPM is dicey without that conversation with TCG,
> IMHO.

Some standardisation of the link between the vTPM and the underlying
CoCo hardware would be great; there's at least 2 or 3 CoCo linked vTPMs
already and I don't think they're sharing any idea of that.

Whether it's TCG I'm not sure; It doesn't seem to me to make sense for
them to specify the flow to bring the vTPM up or the details of the
underlying CoCo's attestation; but standardising how the two processes
are tied together might be possible.

Dave

> > Dave
> > >
> > >
> > > Alex
> > >
> > >
> > >
> > >
> > >
> > > Amazon Development Center Germany GmbH
> > > Krausenstr. 38
> > > 10117 Berlin
> > > Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
> > > Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
> > > Sitz: Berlin
> > > Ust-ID: DE 289 237 879
> > >
> > >
> > --
> > Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
> >
> >
> 
> 
> -- 
> -Dionna Glaze, PhD (she/her)
> 
-- 
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK