On 8/23/21 8:26 AM, Dr. David Alan Gilbert wrote:
* James Bottomley (jejb@xxxxxxxxxxxxx) wrote:
(is there an attest of the destination happening here?)
There will be in the final version. The attestations of the source and
target, being the hash of the OVMF (with the registers in the -ES
case), should be the same (modulo any firmware updates to the PSP,
whose firmware version is also hashed) to guarantee the OVMF is the
same on both sides. We'll definitely take an action to get QEMU to
verify this ... made a lot easier now we have signed attestations ...
Hmm; I'm not sure you're allowed to have QEMU verify that - we don't
trust it; you need to have either the firmware say it's OK to migrate
to the destination (using the existing PSP mechanism) or get the source
MH to verify a quote from the destination.
I think the check in QEMU would only be a convenience. The launch
measurement of the target (verified by the guest owner) is what
guarantees that the firmware, as well as the policy, of the target is
what is expected. In PSP-assisted migration the source verifies the
target, but our plan is to have the guest owner verify both the source
and the target. The target will only be provisioned with the transport
key if the measurement checks out. We will have some more details about
this key agreement scheme soon.
[Somewhere along the line, if you're not using the PSP, I think you also
need to check the guest policy to check it is allowed to migrate].
Sources that aren't allowed to migrate won't be provisioned with a
transport key to encrypt pages. A non-migratable guest could also be
booted with OvmfPkg firmware, which does not contain the migration handler.
-Tobin
Dave
James
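The key-agreement gate described in this message (the guest owner verifies the signed launch measurements of both source and target, checks that the source's policy permits migration, and only then hands out the transport key) can be sketched as a small simulation. The following is an added illustration written for this thread, not code from QEMU, OVMF or the AMD firmware: the PSP's signature is stood in for by an HMAC with a constructed key, the measurement is a SHA-256 over a constructed OVMF image plus the PSP firmware version string (so a PSP update changes it, as the thread notes), and the NOSEND policy bit position is my reading of the SEV guest policy and should be treated as an assumption.

```python
"""Added example (not QEMU/OVMF/PSP code): guest-owner-side gating of a
migration transport key on attested launch measurements and guest policy."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption: bit 3 of the SEV guest policy is NOSEND (migration forbidden).
SEV_POLICY_NOSEND = 1 << 3

# Constructed stand-in for the PSP attestation signing key. A real PSP signs
# with an asymmetric key; HMAC keeps this example self-contained and offline.
_PSP_SIGNING_KEY = b"constructed-psp-signing-key"


@dataclass(frozen=True)
class AttestationReport:
    host: str
    measurement: bytes   # hash over OVMF image (+ PSP firmware version)
    psp_version: str     # PSP firmware version, also covered by the hash
    policy: int          # SEV guest policy bits
    signature: bytes     # "PSP" signature over measurement, version, policy


def measure(ovmf_image: bytes, psp_version: str) -> bytes:
    """Launch measurement: hash of the firmware image and the PSP version."""
    h = hashlib.sha256()
    h.update(ovmf_image)
    h.update(psp_version.encode())
    return h.digest()


def _signed_blob(measurement: bytes, psp_version: str, policy: int) -> bytes:
    return measurement + psp_version.encode() + policy.to_bytes(4, "little")


def make_report(host: str, ovmf_image: bytes, psp_version: str,
                policy: int) -> AttestationReport:
    """Simulate the PSP on `host` emitting a signed launch measurement."""
    m = measure(ovmf_image, psp_version)
    sig = hmac.new(_PSP_SIGNING_KEY, _signed_blob(m, psp_version, policy),
                   hashlib.sha256).digest()
    return AttestationReport(host, m, psp_version, policy, sig)


def verify_report(report: AttestationReport, accepted: set) -> tuple:
    """Guest owner: check the signature first, then the measurement it covers
    against the set of measurements the owner computed for approved
    OVMF builds and PSP versions."""
    expected = hmac.new(
        _PSP_SIGNING_KEY,
        _signed_blob(report.measurement, report.psp_version, report.policy),
        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, report.signature):
        return False, "bad signature"
    if report.measurement not in accepted:
        return False, "measurement mismatch"
    return True, "ok"


def provision_transport_key(source: AttestationReport,
                            target: AttestationReport,
                            accepted: set) -> tuple:
    """Release a fresh transport key only when both sides attest an accepted
    firmware and the source's policy allows migration.
    Returns (key_bytes_or_None, reason)."""
    ok, why = verify_report(source, accepted)
    if not ok:
        return None, "source: " + why
    ok, why = verify_report(target, accepted)
    if not ok:
        return None, "target: " + why
    if source.policy & SEV_POLICY_NOSEND:
        return None, "source policy forbids migration"
    return secrets.token_bytes(32), "ok"


if __name__ == "__main__":
    ovmf = b"constructed OVMF image containing the migration handler"
    accepted = {measure(ovmf, "1.51")}
    src = make_report("source-host", ovmf, "1.51", 0)
    dst = make_report("target-host", ovmf, "1.51", 0)
    key, why = provision_transport_key(src, dst, accepted)
    print("provisioned" if key else "refused", why)
```

The point of routing the decision through the guest owner rather than QEMU is visible in `verify_report`: the host-side software never holds the signing key or the accepted-measurement set, so a modified QEMU cannot talk itself into a transport key. Adding a second PSP version to `accepted` is how the owner tolerates the "modulo firmware updates" case from the thread.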