From: Alexander Graf <graf@amazon.com>
To: Dorjoy Chowdhury <dorjoychy111@gmail.com>
Cc: <qemu-devel@nongnu.org>, <agraf@csgraf.de>, <stefanha@redhat.com>,
<pbonzini@redhat.com>, <slp@redhat.com>,
<richard.henderson@linaro.org>, <eduardo@habkost.net>,
<mst@redhat.com>, <marcel.apfelbaum@gmail.com>,
<berrange@redhat.com>, <philmd@linaro.org>
Subject: Re: [PATCH v4 4/6] machine/nitro-enclave: Add built-in Nitro Secure Module device
Date: Mon, 19 Aug 2024 17:58:38 +0200
Message-ID: <5a7cd886-0694-45ed-a0fc-6bf69c5ed97f@amazon.com>
In-Reply-To: <CAFfO_h6eSmizJuSwRSQ1+gzeVBfmsmrLiN0mCXYuQFXGaJ4_Vw@mail.gmail.com>
On 19.08.24 17:28, Dorjoy Chowdhury wrote:
> Hey Alex,
>
> On Mon, Aug 19, 2024 at 4:13 PM Alexander Graf <graf@amazon.com> wrote:
>> Hey Dorjoy,
>>
>> On 18.08.24 13:42, Dorjoy Chowdhury wrote:
>>> AWS Nitro Enclaves have a built-in Nitro Secure Module (NSM) device which
>>> is used for stripped-down TPM functionality like attestation. This commit
>>> adds the built-in NSM device to the nitro-enclave machine type.
>>>
>>> In Nitro Enclaves, all the PCRs start in a known zero state and the first
>>> 16 PCRs are locked from boot and reserved. The PCR0, PCR1, PCR2 and PCR8
>>> contain the SHA384 hashes related to the EIF file used to boot the
>>> VM for validation.
>>>
>>> Some optional nitro-enclave machine options have been added:
>>> - 'id': Enclave identifier, reflected in the module-id of the NSM
>>> device. If not provided, a default id will be set.
>>> - 'parent-role': Parent instance IAM role ARN, reflected in PCR3
>>> of the NSM device.
>>> - 'parent-id': Parent instance identifier, reflected in PCR4 of the
>>> NSM device.
>>>
>>> Signed-off-by: Dorjoy Chowdhury <dorjoychy111@gmail.com>
>>> ---
>>> crypto/meson.build | 2 +-
>>> crypto/x509-utils.c | 73 +++++++++++
>>
>> Can you please put this new API into its own patch file?
>>
>>
>>> hw/core/eif.c | 225 +++++++++++++++++++++++++++++---
>>> hw/core/eif.h | 5 +-
>>
>> These changes to eif.c should ideally already be part of the patch that
>> introduces eif.c (patch 1), no? In fact, do you think you can make the
>> whole eif logic its own patch file?
>>
> Good point. I guess it should be possible if I have the virtio-nsm
> device commit first and then add the machine/nitro-enclave commit with
> full support with the devices. That will of course make the
> machine/nitro-enclave commit larger. What do you think?
As long as nothing compiles the code, it can rely on not yet implemented
functions. So it's perfectly legit to add all your code in individual
commits and then at the end add the meson.build change that implements
the config option. How about the order below?
* Crypto patch for SHA384
* Crypto patch for x509 fingerprint
* NSM device emulation (including libcbor check, introduces CONFIG_VIRTIO_NSM)
* EIF format parsing (not compiled yet)
* Nitro Enclaves machine (introduces CONFIG_NITRO_ENCLAVE)
* Nitro Enclaves docs
Alex
Amazon Web Services Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597
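The PCR layout the quoted commit message describes (all PCRs start in a zero state, the first 16 are locked at boot, PCR0/1/2/8 carry EIF measurements, PCR3 reflects the parent role ARN and PCR4 the parent instance id), modelled as an added Python example. This is not QEMU's or AWS's code and is not taken from the patch series: it assumes a TPM-style extend of SHA384(old || data), assumes PCR3 and PCR4 are the zero PCR extended with the UTF-8 bytes of the ARN and instance id, and the EIF measurements it feeds in are constructed sample bytes, not values from a real EIF.

```python
"""Model of the NSM PCR bank described in the nitro-enclave patch.

Added illustration, not QEMU or AWS code. Labelled assumptions:
  * an extend is TPM-style: new = SHA384(old || data);
  * PCR3 / PCR4 are the zero PCR extended with the UTF-8 bytes of the
    parent role ARN and the parent instance id;
  * the EIF measurements passed to boot_enclave() are sample bytes.
"""
import hashlib
from typing import Dict, Optional

PCR_COUNT = 32
PCR_SIZE = hashlib.sha384().digest_size   # 48 bytes
LOCKED_AT_BOOT = 16                       # first 16 PCRs are reserved and locked
ZERO_PCR = bytes(PCR_SIZE)                # every PCR starts in a known zero state


def extend(old: bytes, data: bytes) -> bytes:
    """TPM-style extend (ASSUMPTION): new = SHA384(old || data)."""
    if len(old) != PCR_SIZE:
        raise ValueError("PCR value must be %d bytes" % PCR_SIZE)
    return hashlib.sha384(old + data).digest()


class NsmPcrBank:
    """32 SHA-384 PCRs with a per-index lock bit."""

    def __init__(self) -> None:
        self.pcrs = [ZERO_PCR] * PCR_COUNT
        self.locked = [False] * PCR_COUNT

    def extend_pcr(self, index: int, data: bytes) -> bytes:
        if not 0 <= index < PCR_COUNT:
            raise IndexError("no such PCR: %d" % index)
        if self.locked[index]:
            raise PermissionError("PCR%d is locked" % index)
        self.pcrs[index] = extend(self.pcrs[index], data)
        return self.pcrs[index]

    def lock_pcr(self, index: int) -> None:
        self.locked[index] = True

    def describe(self) -> Dict[int, str]:
        return {i: v.hex() for i, v in enumerate(self.pcrs)}


def boot_enclave(eif_measurements: Dict[int, bytes],
                 parent_role: Optional[str] = None,
                 parent_id: Optional[str] = None) -> NsmPcrBank:
    """Populate and lock the bank the way the commit message describes.

    eif_measurements maps a PCR index (only 0, 1, 2 and 8 are accepted)
    to the bytes that PCR is extended with; the caller derives those
    from the EIF it parsed.
    """
    bank = NsmPcrBank()
    for index, data in eif_measurements.items():
        if index not in (0, 1, 2, 8):
            raise ValueError("EIF data only goes into PCR0/1/2/8, not PCR%d" % index)
        bank.extend_pcr(index, data)
    if parent_role is not None:
        bank.extend_pcr(3, parent_role.encode("utf-8"))   # ASSUMPTION: raw UTF-8 bytes
    if parent_id is not None:
        bank.extend_pcr(4, parent_id.encode("utf-8"))     # ASSUMPTION: raw UTF-8 bytes
    for index in range(LOCKED_AT_BOOT):
        bank.lock_pcr(index)                              # reserved PCRs cannot change
    return bank


def verify_pcrs(bank: NsmPcrBank, expected: Dict[int, bytes]) -> bool:
    """What a relying party does with the PCR map of an attestation document:
    every PCR it cares about must match exactly, and an index that does not
    exist is a failure rather than a pass. PCR values are not secrets, so a
    plain comparison is fine here."""
    for index, value in expected.items():
        if not 0 <= index < PCR_COUNT or bank.pcrs[index] != value:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample input, not a real EIF or a real instance.
    sample = {0: b"image-bytes", 1: b"kernel+cmdline",
              2: b"application", 8: b"signing-cert"}
    bank = boot_enclave(sample, "arn:aws:iam::123456789012:role/EnclaveParent",
                        "i-0123456789abcdef0")
    for index, hexval in bank.describe().items():
        print("PCR%-2d %s" % (index, hexval))
```

Two properties worth noticing when running it: changing only the parent instance id moves PCR4 and leaves PCR3 untouched, so a verifier can pin a role without pinning a specific instance, and once boot_enclave() has locked PCR0 to PCR15 any later extend lands in PCR16 and above, which is where an application inside the enclave would record its own measurements.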
Thread overview: 23+ messages
2024-08-18 11:42 [PATCH v4 0/6] AWS Nitro Enclave emulation support Dorjoy Chowdhury
2024-08-18 11:42 ` [PATCH v4 1/6] machine/nitro-enclave: New machine type for AWS Nitro Enclaves Dorjoy Chowdhury
2024-08-18 11:42 ` [PATCH v4 2/6] machine/nitro-enclave: Add vhost-user-vsock device Dorjoy Chowdhury
2024-08-18 11:42 ` [PATCH v4 3/6] device/virtio-nsm: Support for Nitro Secure Module device Dorjoy Chowdhury
2024-08-19 9:14 ` Alexander Graf
2024-08-19 10:48 ` Daniel P. Berrangé
2024-08-18 11:42 ` [PATCH v4 4/6] machine/nitro-enclave: Add built-in " Dorjoy Chowdhury
2024-08-19 10:13 ` Alexander Graf
2024-08-19 15:28 ` Dorjoy Chowdhury
2024-08-19 15:58 ` Alexander Graf [this message]
2024-08-19 16:12 ` Dorjoy Chowdhury
2024-08-19 15:32 ` Dorjoy Chowdhury
2024-08-19 15:53 ` Daniel P. Berrangé
2024-08-19 16:07 ` Dorjoy Chowdhury
2024-08-19 16:10 ` Daniel P. Berrangé
2024-08-19 16:14 ` Dorjoy Chowdhury
2024-08-21 13:39 ` Dorjoy Chowdhury
2024-08-19 10:37 ` Daniel P. Berrangé
2024-08-22 15:14 ` Dorjoy Chowdhury
2024-08-18 11:42 ` [PATCH v4 5/6] crypto: Support SHA384 hash when using glib Dorjoy Chowdhury
2024-08-19 10:16 ` Daniel P. Berrangé
2024-08-18 11:42 ` [PATCH v4 6/6] docs/nitro-enclave: Documentation for nitro-enclave machine type Dorjoy Chowdhury
2024-08-22 15:19 ` [PATCH v4 0/6] AWS Nitro Enclave emulation support Dorjoy Chowdhury