From: "Michael S. Tsirkin" <mst@redhat.com>
To: Kenneth Goldman <kgoldman@us.ibm.com>
Cc: Stefan Berger <stefanb@linux.vnet.ibm.com>,
Stefan Hajnoczi <stefanha@gmail.com>,
Kent E Yoder <yoder1@us.ibm.com>,
Corey Bryant <coreyb@linux.vnet.ibm.com>,
Michael Roth <mdroth@linux.vnet.ibm.com>,
qemu-devel <qemu-devel@nongnu.org>,
Joel Schopp <jschopp@linux.vnet.ibm.com>,
Anthony Liguori <anthony@codemonkey.ws>
Subject: Re: [Qemu-devel] vNVRAM / blobstore design
Date: Sun, 31 Mar 2013 11:17:28 +0300 [thread overview]
Message-ID: <20130331081728.GH23484@redhat.com> (raw)
In-Reply-To: <OF20F2D319.6E2B84C9-ON85257B3D.005EB3A1-85257B3D.00606810@us.ibm.com>
On Fri, Mar 29, 2013 at 01:33:01PM -0400, Kenneth Goldman wrote:
> > One thing I'd like to get clarity about is the following corner-case. A
> > user supplies some VM image as persistent storage for the TPM. It
> > contains garbage. How do we handle this case? Does the TPM then just
> > start writing its state into this image or do we want to have some layer
> > in place that forces a user to go through the step of formatting after
> > that layer indicates that the data are unreadable. Besides that a
> > completely empty image also contains garbage from the perspective of TPM
> > persistent state and for that layer.
>
> A garbage persistent storage should be handled the same way a physical TPM
> would handle an NV failure - failure mode. It's a broken part that must be
> replaced with a factory fresh part. That's done by some admin tool nulling
> the storage.
>
> Empty (length zero or non-existent) is different from corrupt. The TPM should
> detect that and initialize itself to factory defaults. Those defaults are
> specified in the TPM specification.
>
> > My intention would (again) be to put a header in front of every blob.
> > That header would contain a crc32 covering that header (minus the crc32
> > field itself of course) plus the blob to determine whether the blob is
> > garbage or not. It is similar in those terms as the 1st implementation
> > where we also had a directory that contained that crc32 for the
> > directory itself and for each blob. This is not a filesystem, I know that.
>
> I agree that an integrity value should be included. This is a security
> device, and layers of protection are good.
>
> I wonder about the choice of algorithm. The TPM doesn't have crc32 code
> but it does have SHA-1. Why not reuse code rather than add a new function?
You want to protect against someone who is able to
manipulate some bits in the file (content) but not others (hash)?
What's the attack you are trying to protect against here?
I'm guessing the only result of extra checksums would be
unbootable guests when qemu manages to corrupt the checksum
without any help from attackers ...
--
MST
next prev parent reply other threads:[~2013-03-31 8:16 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-25 21:39 [Qemu-devel] vNVRAM / blobstore design Stefan Berger
2013-03-25 22:05 ` Anthony Liguori
2013-03-25 22:20 ` Stefan Berger
2013-03-27 15:17 ` Corey Bryant
2013-03-27 15:20 ` Corey Bryant
2013-03-27 15:30 ` Michael S. Tsirkin
2013-03-27 16:07 ` mdroth
2013-03-27 15:43 ` Kenneth Goldman
2013-03-27 15:53 ` Michael S. Tsirkin
2013-03-27 16:12 ` Joel Schopp
2013-03-27 16:46 ` Stefan Berger
2013-03-27 17:14 ` Anthony Liguori
2013-03-27 17:27 ` Stefan Berger
2013-03-27 18:27 ` Anthony Liguori
2013-03-27 19:12 ` Stefan Berger
2013-03-28 16:11 ` Stefan Berger
2013-03-28 16:31 ` Michael S. Tsirkin
2013-03-28 17:02 ` Stefan Berger
2013-03-28 17:27 ` Anthony Liguori
2013-03-28 17:36 ` Stefan Berger
2013-03-28 17:39 ` Michael S. Tsirkin
2013-03-29 13:55 ` Stefan Berger
2013-03-29 15:12 ` Anthony Liguori
2013-03-29 17:33 ` Kenneth Goldman
2013-03-31 8:17 ` Michael S. Tsirkin [this message]
2013-03-31 20:48 ` Kenneth Goldman
2013-04-02 12:06 ` Michael S. Tsirkin
2013-04-02 13:24 ` Kenneth Goldman
2013-04-02 13:37 ` Michael S. Tsirkin
2013-03-27 18:04 ` Michael S. Tsirkin
2013-03-27 16:20 ` Kenneth Goldman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130331081728.GH23484@redhat.com \
--to=mst@redhat.com \
--cc=anthony@codemonkey.ws \
--cc=coreyb@linux.vnet.ibm.com \
--cc=jschopp@linux.vnet.ibm.com \
--cc=kgoldman@us.ibm.com \
--cc=mdroth@linux.vnet.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanb@linux.vnet.ibm.com \
--cc=stefanha@gmail.com \
--cc=yoder1@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).