On 2/2/24 10:03 PM, James Bottomley wrote: > On Fri, 2024-02-02 at 17:07 -0600, Dan Middleton wrote: >> On 2/2/24 12:24 AM, James Bottomley wrote: >>> On Sun, 2024-01-28 at 22:25 +0100, Samuel Ortiz wrote: >>>> All architectures supporting RTMRs expose a similar interface to >>>> their TVMs: An extension command/call that takes a measurement >>>> value and an RTMR index to extend it with, and a readback command >>>> for reading an RTMR value back (taking an RTMR index as an >>>> argument as well). This patch series builds an architecture >>>> agnostic, configfs-based ABI for userspace to extend and read >>>> RTMR values back. It extends the current TSM ops structure and >>>> each confidential computing architecture can implement this >>>> extension to provide RTMR support. >>> What's the actual use case for this? At the moment the TPM PCRs >>> only provide a read interface to userspace (via >>> /sys/class/tpm/tpmX/pcr-shaY/Z) and don't have any extension >>> ability becuase nothing in userspace currently extends them. >>> >>> The only current runtime use for TPM PCRs is IMA, which is in- >>> kernel (and which this patch doesn't enable). >>> >>> Without the ability to log, this interface is unusable anyway, but >>> even with that it's not clear that you need the ability separately >>> to extend PCRs because the extension and log entry should be done >>> atomically to prevent the log going out of sync with the PCRs, so >>> it would seem a log first interface would be the correct way of >>> doing this rather than a PCR first one. >>> >>> James >>> >>> >> While we clearly need to cover PCR-like usages, I think Confidential >> Computing affords usages that go beyond TPM. > Well, don't get me wrong, I think the ability to create non repudiable > log entries from userspace is very useful. However, I think the > proposed ABI is wrong: it should take the log entry (which will contain > the PCR number and the hash) then do the extension and add it to the > log so we get the non-repudiable verifiability. This should work > equally with TPM and RTMR (and anything else). Maybe I misunderstood your comments, but I am not sure why the user ABI needs to change? I agree that logging after extension is the right approach. But, IMO, it should be owned by the back end TSM vendor drivers. The user ABI should just pass the digest and RTMR index. > > The issue, I suppose, is what log format? The TCG has one which is > extensible and IMA uses a similar but different binary log format. TDX uses EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 log format. I think SEV is the same. https://uefi.org/specs/UEFI/2.10/38_Confidential_Computing.html#virtual-platform-cc-event-log > >> For example, Attested Containers [1] (and similar explorations in >> CNCF Confidential Containers [2]) extends the measurement chain into >> the guest. There, a trusted agent measures container images, and >> extends an RTMR with those measurements. Particularly in the case of >> containers, the existing runtime infrastructure is user mode >> oriented. However the generalization here is in providing a mechanism >> to strongly identify an application or behavior provided by the TVM. > There's a similar proposal for Keylime which was demo'd at Plumbers > last year, except it uses IMA to measure the container so you only have > to trust the kernel: > > https://lpc.events/event/17/contributions/1571/ > >> Less concretely, I think this is an area for developer creativity. >> Attestation is one of the main APIs that CC gives application >> developers and >> these runtime extendable fields provide a further degree of >> creativity. >> >> [1] ACON https://github.com/intel/acon > Just on this, lest we repeat the errors of the past (and believe me > there was a time people thought that simply extending TPM PCRs without > log entries was the way to do measurements), if you're extending a PCR > like entity you also need a log entry to tell people who come after you > what you've done. Even in the one ephemeral VM per pod kata use case > (with RTMRs local to the VM), you'll still likely be starting several > sidecars and if you don't have a log to tell you the order you measured > the containers deriving the RTMR value is a combinatoric explosion. > > James > > -- Sathyanarayanan Kuppuswamy Linux Kernel Developer
