On Wed, Mar 22, 2023 at 3:34 AM Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx> wrote: > > * Alexander Graf (graf@xxxxxxxxxx) wrote: > > Hi Jörg, > > > > On 22.03.23 10:19, Jörg Rödel wrote: > > > > > On Tue, Mar 21, 2023 at 07:53:58PM +0000, Dr. David Alan Gilbert wrote: > > > > OK; the other thing that needs to get nailed down for the vTPM's is the > > > > relationship between the vTPM attestation and the SEV attestation. > > > > i.e. how to prove that the vTPM you're dealing with is from an SNP host. > > > > (Azure have a hack of putting an SNP attestation report into the vTPM > > > > NVRAM; see > > > > https://github.com/Azure/confidential-computing-cvm-guest-attestation/blob/main/cvm-guest-attestation.md > > > > ) > > > When using the SVSM TPM protocol it should be proven already that the > > > vTPM is part of the SNP trusted base, no? The TPM communication is > > > implicitly encrypted by the VMs memory key and the SEV attestation > > > report proves that the correct vTPM is executing. > > > > > > What you want to achieve eventually is to take a report from the vTPM and > > submit only that to an external authorization entity that looks at it and > > says "Yup, you ran in SEV-SNP, I trust your TCB, I trust your TPM > > implementation, I also trust your PCR values" and based on that provides > > access to whatever resource you want to access. > > > > To do that, you need to link SEV-SNP and TPM measurements/reports together. > > And the easiest way to do that is by providing the SEV-SNP report as part of > > the TPM: You can then use the hash of the SEV-SNP report as signing key for > > example. > > Yeh; I think the SVSM TPM protocol has some proof of that as well; the > SVSM spec lists 'SVSM_ATTEST_SINGLE_SERVICE Manifest Data' that contains > 'TPMT_PUBLIC structure of the endorsement key'. > So I *think* that's saying that the SEV attestation report contains > something from the EK of the vTPM. > > > I think the key here is that you need to propagate that link to an external > > party, not (only) to the VM. > > Yeh. > Excuse my perhaps naivete, but would it not be in the TCG's wheelhouse to specify how a TPM's firmware (SVSM) / bootloader (SEV-SNP) should be attested? The EK as well? I think this might need to jump back to the vTPM protocol thread since this is about COCONUT, but I'm worried we're talking about AMD-specific long-term formats when perhaps the trusted computing group should be widening its scope to how a TPM should be virtualized. I appreciate that we're attempting to solve the problem in the short term, and certainly the SVSM will need attestation capabilities, but the linking to the TPM is dicey without that conversation with TCG, IMHO. > Dave > > > > > > Alex > > > > > > > > > > > > Amazon Development Center Germany GmbH > > Krausenstr. 38 > > 10117 Berlin > > Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss > > Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B > > Sitz: Berlin > > Ust-ID: DE 289 237 879 > > > > > -- > Dr. David Alan Gilbert / dgilbert@xxxxxxxxxx / Manchester, UK > > -- -Dionna Glaze, PhD (she/her)
