* Dionna Amalie Glaze (dionnaglaze@xxxxxxxxxx) wrote: > On Wed, Mar 22, 2023 at 3:34 AM Dr. David Alan Gilbert > <dgilbert@xxxxxxxxxx> wrote: > > > > * Alexander Graf (graf@xxxxxxxxxx) wrote: > > > Hi Jörg, > > > > > > On 22.03.23 10:19, Jörg Rödel wrote: > > > > > > > On Tue, Mar 21, 2023 at 07:53:58PM +0000, Dr. David Alan Gilbert wrote: > > > > > OK; the other thing that needs to get nailed down for the vTPM's is the > > > > > relationship between the vTPM attestation and the SEV attestation. > > > > > i.e. how to prove that the vTPM you're dealing with is from an SNP host. > > > > > (Azure have a hack of putting an SNP attestation report into the vTPM > > > > > NVRAM; see > > > > > https://github.com/Azure/confidential-computing-cvm-guest-attestation/blob/main/cvm-guest-attestation.md > > > > > ) > > > > When using the SVSM TPM protocol it should be proven already that the > > > > vTPM is part of the SNP trusted base, no? The TPM communication is > > > > implicitly encrypted by the VMs memory key and the SEV attestation > > > > report proves that the correct vTPM is executing. > > > > > > > > > What you want to achieve eventually is to take a report from the vTPM and > > > submit only that to an external authorization entity that looks at it and > > > says "Yup, you ran in SEV-SNP, I trust your TCB, I trust your TPM > > > implementation, I also trust your PCR values" and based on that provides > > > access to whatever resource you want to access. > > > > > > To do that, you need to link SEV-SNP and TPM measurements/reports together. > > > And the easiest way to do that is by providing the SEV-SNP report as part of > > > the TPM: You can then use the hash of the SEV-SNP report as signing key for > > > example. > > > > Yeh; I think the SVSM TPM protocol has some proof of that as well; the > > SVSM spec lists 'SVSM_ATTEST_SINGLE_SERVICE Manifest Data' that contains > > 'TPMT_PUBLIC structure of the endorsement key'. > > So I *think* that's saying that the SEV attestation report contains > > something from the EK of the vTPM. > > > > > I think the key here is that you need to propagate that link to an external > > > party, not (only) to the VM. > > > > Yeh. > > > > Excuse my perhaps naivete, but would it not be in the TCG's wheelhouse > to specify how a TPM's firmware (SVSM) / bootloader (SEV-SNP) should > be attested? The EK as well? > > I think this might need to jump back to the vTPM protocol thread since > this is about COCONUT, but I'm worried we're talking about > AMD-specific long-term formats when perhaps the trusted computing > group should be widening its scope to how a TPM should be virtualized. > I appreciate that we're attempting to solve the problem in the short > term, and certainly the SVSM will need attestation capabilities, but > the linking to the TPM is dicey without that conversation with TCG, > IMHO. Some standardisation of the link between the vTPM and the underlying CoCo hardware would be great; there's at least 2 or 3 CoCo linked vTPMs already and I don't think they're sharing any idea of that. Whether it's TCG I'm not sure; It doesn't seem to me to make sense for them to specify the flow to bring the vTPM up or the details of the underlying CoCo's attestation; but standardising how the two processes are tied together might be possible. Dave > > Dave > > > > > > > > > Alex > > > > > > > > > > > > > > > > > > Amazon Development Center Germany GmbH > > > Krausenstr. 38 > > > 10117 Berlin > > > Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss > > > Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B > > > Sitz: Berlin > > > Ust-ID: DE 289 237 879 > > > > > > > > -- > > Dr. David Alan Gilbert / dgilbert@xxxxxxxxxx / Manchester, UK > > > > > > > -- > -Dionna Glaze, PhD (she/her) > -- Dr. David Alan Gilbert / dgilbert@xxxxxxxxxx / Manchester, UK
