kvm.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Alexander Graf <graf@amazon.com>
Cc: "Jörg Rödel" <jroedel@suse.de>,
	amd-sev-snp@lists.suse.com, linux-coco@lists.linux.dev,
	kvm@vger.kernel.org
Subject: Re: [ANNOUNCEMENT] COCONUT Secure VM Service Module for SEV-SNP
Date: Wed, 22 Mar 2023 10:34:01 +0000	[thread overview]
Message-ID: <ZBrZmbfWXVQLND/E@work-vm> (raw)
In-Reply-To: <444b0d8d-3a8c-8e6d-1df3-35f57046e58e@amazon.com>

* Alexander Graf (graf@amazon.com) wrote:
> Hi Jörg,
> 
> On 22.03.23 10:19, Jörg Rödel wrote:
> 
> > On Tue, Mar 21, 2023 at 07:53:58PM +0000, Dr. David Alan Gilbert wrote:
> > > OK; the other thing that needs to get nailed down for the vTPM's is the
> > > relationship between the vTPM attestation and the SEV attestation.
> > > i.e. how to prove that the vTPM you're dealing with is from an SNP host.
> > > (Azure have a hack of putting an SNP attestation report into the vTPM
> > > NVRAM; see
> > > https://github.com/Azure/confidential-computing-cvm-guest-attestation/blob/main/cvm-guest-attestation.md
> > > )
> > When using the SVSM TPM protocol it should be proven already that the
> > vTPM is part of the SNP trusted base, no? The TPM communication is
> > implicitly encrypted by the VMs memory key and the SEV attestation
> > report proves that the correct vTPM is executing.
> 
> 
> What you want to achieve eventually is to take a report from the vTPM and
> submit only that to an external authorization entity that looks at it and
> says "Yup, you ran in SEV-SNP, I trust your TCB, I trust your TPM
> implementation, I also trust your PCR values" and based on that provides
> access to whatever resource you want to access.
> 
> To do that, you need to link SEV-SNP and TPM measurements/reports together.
> And the easiest way to do that is by providing the SEV-SNP report as part of
> the TPM: You can then use the hash of the SEV-SNP report as signing key for
> example.

Yeh; I think the SVSM TPM protocol has some proof of that as well; the
SVSM spec lists 'SVSM_ATTEST_SINGLE_SERVICE Manifest Data' that contains
'TPMT_PUBLIC structure of the endorsement key'.
So I *think* that's saying that the SEV attestation report contains
something from the EK of the vTPM.

> I think the key here is that you need to propagate that link to an external
> party, not (only) to the VM.

Yeh.

Dave
> 
> 
> Alex
> 
> 
> 
> 
> 
> Amazon Development Center Germany GmbH
> Krausenstr. 38
> 10117 Berlin
> Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
> Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
> Sitz: Berlin
> Ust-ID: DE 289 237 879
> 
> 
-- 
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK


  reply	other threads:[~2023-03-22 10:34 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-03-21  9:29 [ANNOUNCEMENT] COCONUT Secure VM Service Module for SEV-SNP Jörg Rödel
2023-03-21 11:09 ` James Bottomley
2023-03-21 12:43   ` Jörg Rödel
2023-03-21 13:43     ` James Bottomley
2023-03-21 15:14       ` Jörg Rödel
2023-03-21 17:48         ` Dr. David Alan Gilbert
2023-03-21 18:50           ` Jörg Rödel
2023-03-21 20:05         ` James Bottomley
2023-03-22  1:29           ` Marc Orr
2023-03-22 17:57             ` Daniel P. Berrangé
2023-03-22  9:15           ` Jörg Rödel
2023-03-22 18:07             ` Daniel P. Berrangé
2023-03-22 18:24               ` Dionna Amalie Glaze
2023-03-21 15:06 ` Dr. David Alan Gilbert
2023-03-21 15:25   ` Jörg Rödel
2023-03-21 16:56     ` Dr. David Alan Gilbert
2023-03-21 19:03       ` Jörg Rödel
2023-03-21 19:53         ` Dr. David Alan Gilbert
2023-03-22  9:19           ` Jörg Rödel
2023-03-22  9:43             ` Alexander Graf
2023-03-22 10:34               ` Dr. David Alan Gilbert [this message]
2023-03-22 17:37                 ` Dionna Amalie Glaze
2023-03-22 17:47                   ` Dr. David Alan Gilbert
2023-03-22 21:53                     ` James Bottomley
2023-04-11 19:57 ` Tom Lendacky
2023-04-11 20:01   ` Dionna Amalie Glaze
2023-04-13 16:57   ` James Bottomley
2023-04-14  9:00     ` Jörg Rödel
2023-05-02 23:03 ` Tom Lendacky
2023-05-03 12:26   ` Jörg Rödel
2023-05-03 15:24     ` Dionna Amalie Glaze
2023-05-03 15:43       ` James Bottomley
2023-05-03 16:10       ` Daniel P. Berrangé
2023-05-03 16:51     ` Claudio Carvalho
2023-05-03 17:16       ` Alexander Graf
2023-05-05 15:34       ` Jörg Rödel
2023-05-05 15:47         ` Daniel P. Berrangé
2023-05-04 17:04     ` James Bottomley
2023-05-05 12:35       ` Christophe de Dinechin
2023-05-06 12:48         ` James Bottomley
2023-05-08  5:16           ` Alexander Graf
2023-05-05 15:02       ` Jörg Rödel

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZBrZmbfWXVQLND/E@work-vm \
    --to=dgilbert@redhat.com \
    --cc=amd-sev-snp@lists.suse.com \
    --cc=graf@amazon.com \
    --cc=jroedel@suse.de \
    --cc=kvm@vger.kernel.org \
    --cc=linux-coco@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).