On Wed, Dec 20, 2023 at 5:14 PM Ken Goldman <kgold@xxxxxxxxxxxxx> wrote: > > I'm still struggling with the "new root of trust" concept. > > Something - a user space agent, a third party, etc. - has to > retain the entire log from event 0, because a new verifier > needs all measurements. [NOTE: a gentle reminder to please refrain from top-posting on Linux kernel mailing lists, it is generally frowned upon and makes it difficult to manage long running threads] This is one of the reasons I have pushed to manage the snapshot, both the trigger and the handling of the trimmed data, outside of the kernel. Setting aside the obvious limitations of kernel I/O, handling the snapshot in userspace provides for a much richer set of options when it comes to managing the snapshot and the verification/attestation of the system. > Therefore, the snapshot aggregate seems redundant. It has to > be verified to match the snapshotted events. I can see a perspective where the snapshot_aggregate is theoretically redundant, but I can also see at least one practical perspective where a snapshot_aggregate could be used to simplify a remote attestation with a sufficiently stateful attestation service. > A redundancy is an attack surface. Now that is an overly broad generalization, if we are going that route, *everything* is an attack surface (and this arguably true regardless, although a bit of an extreme statement). > A badly written verifier > might not do that verification, and this permits snapshotted > events to be forged. No aggregate means the verifier can't > make a mistake. I would ask that you read your own comment again. A poorly written verifier is subject to any number of pitfalls and vulnerabilities, regardless of a snapshot aggregate. As a reminder, the snapshotting mechanism has always been proposed as an opt-in mechanism, if one has not implemented a proper snapshot-aware attestation mechanism then they can simply refrain from taking a snapshot and reject all attestation attempts using a snapshot. > On 11/22/2023 9:22 AM, Paul Moore wrote: > > I believe the intent is to only pause the measurements while the > > snapshot_aggregate is generated, not for the duration of the entire > > snapshot process. The purpose of the snapshot_aggregate is to > > establish a new root of trust, similar to the boot_aggregate, to help > > improve attestation performance. -- paul-moore.com
