Re: [Qemu-devel] [PATCH] hw/misc: Add simple measurement hardware

["Stefan Berger" <stefanb@us.ibm.com>]

Matthew Garrett <mjg59@coreos.com> wrote on 07/18/2016 07:52:22 PM:


> Subject: Re: [Qemu-devel] [PATCH] hw/misc: Add simple measurement 
hardware
> 
> On Mon, Jul 18, 2016 at 4:40 PM, Stefan Berger <stefanb@us.ibm.com> 
wrote:
> > The TPM security's model related to logs, the state of the PCRs, and
> > attestation involves the following pieces:
> >
> > - PCRs
> > - measurement log
> > - EK + certificate
> > - platform certificate
> > - AIK + certificate
> > - quotes (signatures) on PCR state with keys that cannot leave the TPM
> > (AIKs)
> > - infrastructure to issue the AIK certificates based on EK + 
certificate +
> > platform certificate
> >
> > How does the security model of this device and its presumed 
infrastructure
> > look like? Does the hypervisor then also support IMA measurement lists 
or is
> > this restricted to firmware?
> 
> The model here is:
> - PCRs
> - measurement log
> - quote on PCR state with key held by hypervisor
> 
> There's no fundamental reason why additional layers of key can't be
> introduced, but since all that complexity is on the hypervisor side
> it's out of scope for the qemu implementation. A mechanism for
> establishing trust between the hypervisor and the customer is
> obviously necessary, but there are already examples such as Amazon's
> Instance Identity Documents (
> http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-
> identity-documents.html
> ). The OS is free to continue to extend the PCRs after boot, so IMA
> could certainly be integrated with this.
> 

The point of the TPM is that the device that holds the state of the PCRs 
provides the signatures over their state rather than some other 'entity' 
whose trustworthiness wouldn't be clear. Admittedly the device comes with 
its own set of challenges.