Re: [Qemu-devel] [PATCH] hw/misc: Add simple measurement hardware

["Stefan Berger" <stefanb@us.ibm.com>]

Matthew Garrett <mjg59@coreos.com> wrote on 07/18/2016 05:26:03 PM:

> 
> On Fri, Jul 15, 2016 at 11:11 AM, Stefan Berger <stefanb@us.ibm.com> 
wrote:
> >
> >
> > Typically the TPM is there for the reason: it is a hardware root 
> of trust that signs the current state of the PCRs that were 
> accumulated by measurements starting early on during BIOS init. Now 
> with this device, apart from exposing this via HMP, how would one be
> sure that, if the current list of the PCRs is presented to an 
> attesting client, that the kernel or attestation server not just 
> completely fake the state of the PCRs? My assumption here is that 
> the state of this device's PCRs will be exposed to user level 
> application that can then use this in some form of attestation, right?
> 
> 
> Userspace will be able to grab it, but the idea is that the hypervisor
> API will allow a copy to be obtained - either a signed copy from the
> local API endpoint, or directly via a remote API endpoint. The guest
> won't be able to fake the former case, and isn't involved at all in
> the latter case.
> 

The TPM security's model related to logs, the state of the PCRs, and 
attestation involves the following pieces:

- PCRs
- measurement log
- EK + certificate
- platform certificate
- AIK + certificate
- quotes (signatures) on PCR state with keys that cannot leave the TPM 
(AIKs)
- infrastructure to issue the AIK certificates based on EK + certificate + 
platform certificate

How does the security model of this device and its presumed infrastructure 
look like? Does the hypervisor then also support IMA measurement lists or 
is this restricted to firmware?

    Stefan