kvm.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: James Bottomley <jejb@linux.ibm.com>
To: "Dr. David Alan Gilbert" <dgilbert@redhat.com>,
	Dionna Amalie Glaze <dionnaglaze@google.com>
Cc: linux-coco@lists.linux.dev, kvm@vger.kernel.org,
	amd-sev-snp@lists.suse.com
Subject: Re: [ANNOUNCEMENT] COCONUT Secure VM Service Module for SEV-SNP
Date: Wed, 22 Mar 2023 17:53:08 -0400	[thread overview]
Message-ID: <4f07f72da5c73d317bb00e6b3c41f47090c5240b.camel@linux.ibm.com> (raw)
In-Reply-To: <ZBs/TX4eDuj5zc3+@work-vm>

On Wed, 2023-03-22 at 17:47 +0000, Dr. David Alan Gilbert wrote:
[...]
> > I think this might need to jump back to the vTPM protocol thread
> > since this is about COCONUT, but I'm worried we're talking about
> > AMD-specific long-term formats when perhaps the trusted computing
> > group should be widening its scope to how a TPM should be
> > virtualized. I appreciate that we're attempting to solve the
> > problem in the short term, and certainly the SVSM will need
> > attestation capabilities, but the linking to the TPM is dicey
> > without that conversation with TCG, IMHO.
> 
> Some standardisation of the link between the vTPM and the underlying
> CoCo hardware would be great; there's at least 2 or 3 CoCo linked
> vTPMs already and I don't think they're sharing any idea of that.

Well, for SNP, it's easy: the VMPL0 labelled attestation report proves
the SVSM and other components including OVMF and vTPM code
implementation.  We insert a hash of the manufactured EK into the
report and that gives proof from the trusted SVSM of the EK belonging
to the vTPM (essentially binding the vTPM to the VM).  The same thing
would work for other CoCo VM environments.

If we do ephemeral vTPMs, the binding is one time and there's no
persistent state security issue, so the SVSM-vTPM attestation is all
you need to begin trusting the vTPM measurements.

> Whether it's TCG I'm not sure; It doesn't seem to me to make sense
> for them to specify the flow to bring the vTPM up or the details of
> the underlying CoCo's attestation; but standardising how the two
> processes are tied together might be possible.

I think the TCG is probably not going to touch that because how you
attest the code that will run as the SVSM and vTPM is very specific to
each CoCo implementation.  However, they all provide a user data like
field which allows you to add information from the to be verified as
trusted SVSM, so you can use it for the EK, which is pretty identical
to the above proposal.

James


  reply	other threads:[~2023-03-22 21:53 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-03-21  9:29 [ANNOUNCEMENT] COCONUT Secure VM Service Module for SEV-SNP Jörg Rödel
2023-03-21 11:09 ` James Bottomley
2023-03-21 12:43   ` Jörg Rödel
2023-03-21 13:43     ` James Bottomley
2023-03-21 15:14       ` Jörg Rödel
2023-03-21 17:48         ` Dr. David Alan Gilbert
2023-03-21 18:50           ` Jörg Rödel
2023-03-21 20:05         ` James Bottomley
2023-03-22  1:29           ` Marc Orr
2023-03-22 17:57             ` Daniel P. Berrangé
2023-03-22  9:15           ` Jörg Rödel
2023-03-22 18:07             ` Daniel P. Berrangé
2023-03-22 18:24               ` Dionna Amalie Glaze
2023-03-21 15:06 ` Dr. David Alan Gilbert
2023-03-21 15:25   ` Jörg Rödel
2023-03-21 16:56     ` Dr. David Alan Gilbert
2023-03-21 19:03       ` Jörg Rödel
2023-03-21 19:53         ` Dr. David Alan Gilbert
2023-03-22  9:19           ` Jörg Rödel
2023-03-22  9:43             ` Alexander Graf
2023-03-22 10:34               ` Dr. David Alan Gilbert
2023-03-22 17:37                 ` Dionna Amalie Glaze
2023-03-22 17:47                   ` Dr. David Alan Gilbert
2023-03-22 21:53                     ` James Bottomley [this message]
2023-04-11 19:57 ` Tom Lendacky
2023-04-11 20:01   ` Dionna Amalie Glaze
2023-04-13 16:57   ` James Bottomley
2023-04-14  9:00     ` Jörg Rödel
2023-05-02 23:03 ` Tom Lendacky
2023-05-03 12:26   ` Jörg Rödel
2023-05-03 15:24     ` Dionna Amalie Glaze
2023-05-03 15:43       ` James Bottomley
2023-05-03 16:10       ` Daniel P. Berrangé
2023-05-03 16:51     ` Claudio Carvalho
2023-05-03 17:16       ` Alexander Graf
2023-05-05 15:34       ` Jörg Rödel
2023-05-05 15:47         ` Daniel P. Berrangé
2023-05-04 17:04     ` James Bottomley
2023-05-05 12:35       ` Christophe de Dinechin
2023-05-06 12:48         ` James Bottomley
2023-05-08  5:16           ` Alexander Graf
2023-05-05 15:02       ` Jörg Rödel

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4f07f72da5c73d317bb00e6b3c41f47090c5240b.camel@linux.ibm.com \
    --to=jejb@linux.ibm.com \
    --cc=amd-sev-snp@lists.suse.com \
    --cc=dgilbert@redhat.com \
    --cc=dionnaglaze@google.com \
    --cc=kvm@vger.kernel.org \
    --cc=linux-coco@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).