From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Alexander Graf <graf@amazon.com>
Cc: "Jörg Rödel" <jroedel@suse.de>,
amd-sev-snp@lists.suse.com, linux-coco@lists.linux.dev,
kvm@vger.kernel.org
Subject: Re: [ANNOUNCEMENT] COCONUT Secure VM Service Module for SEV-SNP
Date: Wed, 22 Mar 2023 10:34:01 +0000 [thread overview]
Message-ID: <ZBrZmbfWXVQLND/E@work-vm> (raw)
In-Reply-To: <444b0d8d-3a8c-8e6d-1df3-35f57046e58e@amazon.com>
* Alexander Graf (graf@amazon.com) wrote:
> Hi Jörg,
>
> On 22.03.23 10:19, Jörg Rödel wrote:
>
> > On Tue, Mar 21, 2023 at 07:53:58PM +0000, Dr. David Alan Gilbert wrote:
> > > OK; the other thing that needs to get nailed down for the vTPM's is the
> > > relationship between the vTPM attestation and the SEV attestation.
> > > i.e. how to prove that the vTPM you're dealing with is from an SNP host.
> > > (Azure have a hack of putting an SNP attestation report into the vTPM
> > > NVRAM; see
> > > https://github.com/Azure/confidential-computing-cvm-guest-attestation/blob/main/cvm-guest-attestation.md
> > > )
> > When using the SVSM TPM protocol it should be proven already that the
> > vTPM is part of the SNP trusted base, no? The TPM communication is
> > implicitly encrypted by the VMs memory key and the SEV attestation
> > report proves that the correct vTPM is executing.
>
>
> What you want to achieve eventually is to take a report from the vTPM and
> submit only that to an external authorization entity that looks at it and
> says "Yup, you ran in SEV-SNP, I trust your TCB, I trust your TPM
> implementation, I also trust your PCR values" and based on that provides
> access to whatever resource you want to access.
>
> To do that, you need to link SEV-SNP and TPM measurements/reports together.
> And the easiest way to do that is by providing the SEV-SNP report as part of
> the TPM: You can then use the hash of the SEV-SNP report as signing key for
> example.
Yeh; I think the SVSM TPM protocol has some proof of that as well; the
SVSM spec lists 'SVSM_ATTEST_SINGLE_SERVICE Manifest Data' that contains
'TPMT_PUBLIC structure of the endorsement key'.
So I *think* that's saying that the SEV attestation report contains
something from the EK of the vTPM.
> I think the key here is that you need to propagate that link to an external
> party, not (only) to the VM.
Yeh.
Dave
>
>
> Alex
>
>
>
>
>
> Amazon Development Center Germany GmbH
> Krausenstr. 38
> 10117 Berlin
> Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
> Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
> Sitz: Berlin
> Ust-ID: DE 289 237 879
>
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
next prev parent reply other threads:[~2023-03-22 10:34 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-21 9:29 [ANNOUNCEMENT] COCONUT Secure VM Service Module for SEV-SNP Jörg Rödel
2023-03-21 11:09 ` James Bottomley
2023-03-21 12:43 ` Jörg Rödel
2023-03-21 13:43 ` James Bottomley
2023-03-21 15:14 ` Jörg Rödel
2023-03-21 17:48 ` Dr. David Alan Gilbert
2023-03-21 18:50 ` Jörg Rödel
2023-03-21 20:05 ` James Bottomley
2023-03-22 1:29 ` Marc Orr
2023-03-22 17:57 ` Daniel P. Berrangé
2023-03-22 9:15 ` Jörg Rödel
2023-03-22 18:07 ` Daniel P. Berrangé
2023-03-22 18:24 ` Dionna Amalie Glaze
2023-03-21 15:06 ` Dr. David Alan Gilbert
2023-03-21 15:25 ` Jörg Rödel
2023-03-21 16:56 ` Dr. David Alan Gilbert
2023-03-21 19:03 ` Jörg Rödel
2023-03-21 19:53 ` Dr. David Alan Gilbert
2023-03-22 9:19 ` Jörg Rödel
2023-03-22 9:43 ` Alexander Graf
2023-03-22 10:34 ` Dr. David Alan Gilbert [this message]
2023-03-22 17:37 ` Dionna Amalie Glaze
2023-03-22 17:47 ` Dr. David Alan Gilbert
2023-03-22 21:53 ` James Bottomley
2023-04-11 19:57 ` Tom Lendacky
2023-04-11 20:01 ` Dionna Amalie Glaze
2023-04-13 16:57 ` James Bottomley
2023-04-14 9:00 ` Jörg Rödel
2023-05-02 23:03 ` Tom Lendacky
2023-05-03 12:26 ` Jörg Rödel
2023-05-03 15:24 ` Dionna Amalie Glaze
2023-05-03 15:43 ` James Bottomley
2023-05-03 16:10 ` Daniel P. Berrangé
2023-05-03 16:51 ` Claudio Carvalho
2023-05-03 17:16 ` Alexander Graf
2023-05-05 15:34 ` Jörg Rödel
2023-05-05 15:47 ` Daniel P. Berrangé
2023-05-04 17:04 ` James Bottomley
2023-05-05 12:35 ` Christophe de Dinechin
2023-05-06 12:48 ` James Bottomley
2023-05-08 5:16 ` Alexander Graf
2023-05-05 15:02 ` Jörg Rödel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZBrZmbfWXVQLND/E@work-vm \
--to=dgilbert@redhat.com \
--cc=amd-sev-snp@lists.suse.com \
--cc=graf@amazon.com \
--cc=jroedel@suse.de \
--cc=kvm@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).