On Tue, Jun 27, 2023 at 5:13 PM Dan Williams dan.j.williams@intel.com wrote:
[..]
The VMPL-based separation that will house the supervisor module known as SVSM can have protocols that implement a TPM command interface, or an RTMR-extension interface, and will also need to have an SVSM-specific protocol attestation report format to keep the secure chain of custody apparent. We'd have different formats and protocols in the kernel, at least, to speak to each technology.
That's where I hope the line can be drawn, i.e. that all of this vendor differentiation really only matters inside the kernel in the end.
I'm not sure it's worth the trouble of papering over all the... 3-4 technologies with similar but still weirdly different formats and ways of doing things with an abstracted attestation ABI, especially since the output all has to be interpreted in an architecture-specific way anyway.
This is where I need help. Can you identify where the following assertion falls over:
"The minimum viable key-server is one that can generically validate a blob with an ECDSA signature".
I.e. the fact that SEV and TDX send different length blobs is less important than validating that signature.
If it is always the case that specific fields in the blob need to be decoded then yes, that weakens the assertion. However, maybe that means that kernel code parses the blob and conveys that parsed info along with vendor attestation payload all signed by a Linux key. I.e. still allow for a unified output format + signed vendor blob and provide a path to keep all the vendor specific handling internal to the kernel.
All the specific fields of the blob have to be decoded and subjected to an acceptance policy. That policy will most always be different across different platforms and VM owners. I wrote all of github.com/google/go-sev-guest, including the verification and validation logic, and it's going to get more complicated, and the sources of the data that provide validators with notions of what values can be trusted will be varied. The formats are not standardized. The Confidential Computing Consortium should be working toward that, but it's a slow process. There's IETF RATS. There's in-toto.io attestations. There's Azure's JWT thing. There's a signed serialized protocol buffer that I've decided is what Google is going to produce while we figure out all the "right" formats to use. There will be factions and absolute gridlock for multiple years if we require solidifying an abstraction for the kernel to manage all this logic before passing a report on to user space.
Now, not only are the field contents important, the certificates of the keys that signed the report are important. Each platform has its own special x509v3 extensions and key hierarchy to express what parts of the report should be what value if signed by this key, and in TDX's case there are extra endpoints that you need to query to determine if there's an active CVE on the associated TCB version. This is how they avoid adding every cpu's key to the leaf certificate's CRL.
You really shouldn't be putting attestation validation logic in the kernel. It belongs outside of the VM entirely with the party that will only release access keys to the VM if it can prove it's running the software it claims, on the platform it claims. I think Windows puts a remote procedure call in their guest attestation driver to the Azure attestation service, and that is an anti-pattern in my mind.
ARM's Confidential Computing Realm Management Extensions (RME) seems to be going along the lines of a runtime measurement register model with their hardware enforced security. The number of registers isn't prescribed in the spec.
+Joey Gouly +linux-coco@lists.linux.dev as far as RME is concerned, do you know who would be best to weigh in on this discussion of a unified attestation model?