Hi Jörg,
On 22.03.23 10:19, Jörg Rödel wrote:
On Tue, Mar 21, 2023 at 07:53:58PM +0000, Dr. David Alan Gilbert wrote:
OK; the other thing that needs to get nailed down for the vTPM's is the
relationship between the vTPM attestation and the SEV attestation.
i.e. how to prove that the vTPM you're dealing with is from an SNP host.
(Azure have a hack of putting an SNP attestation report into the vTPM
NVRAM; see
https://github.com/Azure/confidential-computing-cvm-guest-attestation/blob/main/cvm-guest-attestation.md
)
When using the SVSM TPM protocol it should be proven already that the
vTPM is part of the SNP trusted base, no? The TPM communication is
implicitly encrypted by the VMs memory key and the SEV attestation
report proves that the correct vTPM is executing.
What you want to achieve eventually is to take a report from the vTPM
and submit only that to an external authorization entity that looks at
it and says "Yup, you ran in SEV-SNP, I trust your TCB, I trust your TPM
implementation, I also trust your PCR values" and based on that provides
access to whatever resource you want to access.
To do that, you need to link SEV-SNP and TPM measurements/reports
together. And the easiest way to do that is by providing the SEV-SNP
report as part of the TPM: You can then use the hash of the SEV-SNP
report as signing key for example.
I think the key here is that you need to propagate that link to an
external party, not (only) to the VM.
Alex
Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
Sitz: Berlin
Ust-ID: DE 289 237 879
