Re: SVSM Attestation and vTPM specification additions - v0.60

[Dov Murik <dovmurik@linux.ibm.com>]

Thanks Tom for these additions.

On 10/01/2023 20:54, Tom Lendacky wrote:
> Attached is an updated draft version of the SVSM specification with
> added support for an attestation protocol and a vTPM protocol as well as
> other miscellaneous changes (all identified by change bar). Please take
> a look and reply with any feedback you may have.
> 

Few comments/questions:

Page 25: 7.1 SVSM_ATTEST_SERVICES

1. Should we add two fields in Table 11 for certs_addr and certs_len? If
certs_len input is > 0, then SVSM will perform guest_ext_request and
retrieve the host/VMM certs into certs_addr.  Provided certs_len must be
4KB-aligned.  Not sure about certs_addr.

If the size of the certs exceeds the size of the supplied certs buffer,
R8 will be set to the size of the certs (in bytes) and the call will
return SVSM_ERR_INVALID_PARAMETER.

2. Table 11: The 'Attestation report buffer gPA': should have enough
space to hold the resulting SNP attestation report (0x500 bytes).

(I assume the implementation will ask the PSP to generate the report
into an SVSM-HV shared page, and then copy the result to the
caller-provided buffer in guest private memory.  So the caller doesn't
need to worry about page alignment/crossing?)

3. Consider stating that the SNP attestation report is always generated
with MSG_REPORT_REQ.VMPL=0.

4. Services Manifest (page 26): Can we require that the same SVSM source
code will produce the same (binary) manifest buffer (in different VMs)?
For example, at which order do the entries appear? I think James was
aiming at durable/repeatable attestations.



Page 28: vTPM Protocol

5. Will the SVSM update any PCRs on its own? For example, will it
measure the content of OVMF into PCR0?  Or are relying on the SNP
launch-update measurement (which currently includes both SVSM and OVMF)
to attest that part of the guest?


-Dov