From: Dionna Amalie Glaze <dionnaglaze@google.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: "Jörg Rödel" <jroedel@suse.de>,
linux-coco@lists.linux.dev, kvm@vger.kernel.org,
amd-sev-snp@lists.suse.com
Subject: Re: [ANNOUNCEMENT] COCONUT Secure VM Service Module for SEV-SNP
Date: Wed, 22 Mar 2023 11:24:11 -0700 [thread overview]
Message-ID: <CAAH4kHYykL2Qr8ZWT+dsbuRG+h_h3SpCB=7Nn66aQhhhV6Hixg@mail.gmail.com> (raw)
In-Reply-To: <ZBtD/y1En3FqDYxw@redhat.com>
On Wed, Mar 22, 2023 at 11:08 AM Daniel P. Berrangé <berrange@redhat.com> wrote:
>
> On Wed, Mar 22, 2023 at 10:15:33AM +0100, Jörg Rödel wrote:
> > There is of course work building on linux-svsm out there, too. It would
> > be interesting to get an overview of that. We are already looking into
> > porting over the attestation code IBM wrote for linux-svsm (although we
> > would prefer IBM submitting it :) ). The vTPM code out there can not be
> > ported over as-is, as COCONUT will not link a whole TPM library in its
> > code-base. But maybe it can be the base for a separate vTPM binary run
> > by COCONUT.
>
> For whichever SVSM impl becomes the dominant, the vTPM support with
> persistence, is something I see as a critical component. It lets the
> guest OS boot process at least be largely decoupled from the CVM
> attestation process, and instead rely on the pre-existing support for
> TPMs, SecureBoot & secret sealing which is common to bare metal and
> non-confidential VM deployments alike.
>
NVDATA in a confidential setting in my mind needs a whole an attested
sealing key escrow service to really remove the host from the trust
boundary.
Ideally the service never goes down and can have an unbroken chain of
custody back to the original ingestion into the service.
If the service ever has all machines go down, it would have to have
another trusted service of rollback-safe files. That depends on
trusted time.
The service nodes plays hot potato with key replication and has logged
and attested cluster management operations:
* sealing secrets forward to a new version that was signed by a
pre-registered trusted operator.
* adding more machines to a cluster that has access to the secrets by
a trusted operator.
* the sealing enclaves themselves need a secure source of time to
know when the enclave came up and whether it got its secrets from a
rollback-safe sealed-to-code file or will depend on gossip.
Trusted persistence really means there's some trusted workload that
never goes down that is able to take a sealing key bound to an
expected workload measurement and return a secret that will only be
unsealed when the vTPM gets to the bound measurement.
It's a fun problem, one I've been wanting to work on, but yeah there's
a bunch of other more pressing work to do first.
> With regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
>
--
-Dionna Glaze, PhD (she/her)
next prev parent reply other threads:[~2023-03-22 18:24 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-21 9:29 [ANNOUNCEMENT] COCONUT Secure VM Service Module for SEV-SNP Jörg Rödel
2023-03-21 11:09 ` James Bottomley
2023-03-21 12:43 ` Jörg Rödel
2023-03-21 13:43 ` James Bottomley
2023-03-21 15:14 ` Jörg Rödel
2023-03-21 17:48 ` Dr. David Alan Gilbert
2023-03-21 18:50 ` Jörg Rödel
2023-03-21 20:05 ` James Bottomley
2023-03-22 1:29 ` Marc Orr
2023-03-22 17:57 ` Daniel P. Berrangé
2023-03-22 9:15 ` Jörg Rödel
2023-03-22 18:07 ` Daniel P. Berrangé
2023-03-22 18:24 ` Dionna Amalie Glaze [this message]
2023-03-21 15:06 ` Dr. David Alan Gilbert
2023-03-21 15:25 ` Jörg Rödel
2023-03-21 16:56 ` Dr. David Alan Gilbert
2023-03-21 19:03 ` Jörg Rödel
2023-03-21 19:53 ` Dr. David Alan Gilbert
2023-03-22 9:19 ` Jörg Rödel
2023-03-22 9:43 ` Alexander Graf
2023-03-22 10:34 ` Dr. David Alan Gilbert
2023-03-22 17:37 ` Dionna Amalie Glaze
2023-03-22 17:47 ` Dr. David Alan Gilbert
2023-03-22 21:53 ` James Bottomley
2023-04-11 19:57 ` Tom Lendacky
2023-04-11 20:01 ` Dionna Amalie Glaze
2023-04-13 16:57 ` James Bottomley
2023-04-14 9:00 ` Jörg Rödel
2023-05-02 23:03 ` Tom Lendacky
2023-05-03 12:26 ` Jörg Rödel
2023-05-03 15:24 ` Dionna Amalie Glaze
2023-05-03 15:43 ` James Bottomley
2023-05-03 16:10 ` Daniel P. Berrangé
2023-05-03 16:51 ` Claudio Carvalho
2023-05-03 17:16 ` Alexander Graf
2023-05-05 15:34 ` Jörg Rödel
2023-05-05 15:47 ` Daniel P. Berrangé
2023-05-04 17:04 ` James Bottomley
2023-05-05 12:35 ` Christophe de Dinechin
2023-05-06 12:48 ` James Bottomley
2023-05-08 5:16 ` Alexander Graf
2023-05-05 15:02 ` Jörg Rödel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAAH4kHYykL2Qr8ZWT+dsbuRG+h_h3SpCB=7Nn66aQhhhV6Hixg@mail.gmail.com' \
--to=dionnaglaze@google.com \
--cc=amd-sev-snp@lists.suse.com \
--cc=berrange@redhat.com \
--cc=jroedel@suse.de \
--cc=kvm@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.