From: Matthew Garrett
Date: Mon, 18 Jul 2016 16:52:22 -0700
Subject: Re: [Qemu-devel] [PATCH] hw/misc: Add simple measurement hardware
To: Stefan Berger
Cc: "Daniel P. Berrange", "Dr. David Alan Gilbert", pbonzini@redhat.com, qemu-devel@nongnu.org, stefanb@linux.vnet.ibm.com
References: <1466716148-10655-1-git-send-email-mjg59@coreos.com> <20160715112923.GC2133@work-vm>

On Mon, Jul 18, 2016 at 4:40 PM, Stefan Berger wrote:
> The TPM security model related to logs, the state of the PCRs, and
> attestation involves the following pieces:
>
> - PCRs
> - measurement log
> - EK + certificate
> - platform certificate
> - AIK + certificate
> - quotes (signatures) on PCR state with keys that cannot leave the TPM (AIKs)
> - infrastructure to issue the AIK certificates based on EK + certificate + platform certificate
>
> What does the security model of this device and its presumed infrastructure
> look like? Does the hypervisor then also support IMA measurement lists or is
> this restricted to firmware?
The model here is:

- PCRs
- measurement log
- quote on PCR state with key held by hypervisor

There's no fundamental reason why additional layers of key can't be introduced, but since all that complexity is on the hypervisor side it's out of scope for the qemu implementation. A mechanism for establishing trust between the hypervisor and the customer is obviously necessary, but there are already examples such as Amazon's Instance Identity Documents (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html). The OS is free to continue to extend the PCRs after boot, so IMA could certainly be integrated with this.
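The three-piece model described in this reply (PCRs, a measurement log, and a quote over PCR state signed with a hypervisor-held key), as an added worked example that is not code from the patch or from QEMU: the prover replays extends into PCRs and quotes them, and the verifier checks the quote and replays the log against the quoted PCRs. An HMAC with a constructed placeholder key stands in for the hypervisor's signature, the register count and the log entries are assumptions, and the "IMA-style" PCR5 entry illustrates the OS continuing to extend after boot.

```python
import hashlib
import hmac

PCR_COUNT = 8                      # assumed register count for the toy device
DIGEST = hashlib.sha256
ZERO = bytes(DIGEST().digest_size)  # PCRs start at all-zero


def extend(pcr_value: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = H(old || measurement). One-way and order-sensitive."""
    return DIGEST(pcr_value + measurement).digest()


def replay_log(log):
    """Recompute every PCR from a (pcr_index, measurement) log, starting at zero."""
    pcrs = [ZERO] * PCR_COUNT
    for idx, measurement in log:
        pcrs[idx] = extend(pcrs[idx], measurement)
    return pcrs


def quote(pcrs, nonce: bytes, hv_key: bytes) -> bytes:
    """Quote over PCR state plus verifier nonce. HMAC stands in for a signature
    made with a key the hypervisor holds (assumption, not the device's scheme)."""
    return hmac.new(hv_key, nonce + b"".join(pcrs), DIGEST).digest()


def verify_attestation(log, pcrs, nonce, quote_bytes, hv_key) -> bool:
    """Verifier side: the quote must be genuine and fresh (nonce), and the
    presented log must replay exactly to the quoted PCR values."""
    if not hmac.compare_digest(quote(pcrs, nonce, hv_key), quote_bytes):
        return False
    return replay_log(log) == pcrs


# Constructed sample log: firmware extends PCR0 twice, the OS extends PCR5 (IMA-style).
SAMPLE_LOG = [
    (0, DIGEST(b"firmware-image").digest()),
    (0, DIGEST(b"bootloader").digest()),
    (5, DIGEST(b"/sbin/init").digest()),
]
HV_KEY = b"hypervisor-key-placeholder"   # constructed; a real deployment holds this outside the guest
NONCE = b"verifier-nonce-0001"           # constructed


def demo():
    """Returns (genuine log verifies, altered log rejected)."""
    pcrs = replay_log(SAMPLE_LOG)
    q = quote(pcrs, NONCE, HV_KEY)
    genuine = verify_attestation(SAMPLE_LOG, pcrs, NONCE, q, HV_KEY)
    altered = SAMPLE_LOG[:-1] + [(5, DIGEST(b"/sbin/other").digest())]
    return genuine, verify_attestation(altered, pcrs, NONCE, q, HV_KEY)


if __name__ == "__main__":
    print(demo())
```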