Date: Wed, 20 Apr 2022 18:29:15 +0200
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: James Bottomley
Cc: "Yao, Jiewen", devel@edk2.groups.io, "Xu, Min M", Ard Biesheuvel, "Justen, Jordan L", Brijesh Singh, "Aktas, Erdem", Tom Lendacky
Subject: Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV
Message-ID: <20220420162915.k234kumo33jgqsg6@sirius.home.kraxel.org>
In-Reply-To: <56d4a5fab3cda814d1d33a6e3f6987a0313129f5.camel@linux.ibm.com>
References: <1992c4538efeb3cd3d2e53bd02f2dd24663e9825.1650239544.git.min.m.xu@intel.com> <20220419065851.mwjpm6jaeu3zudjk@sirius.home.kraxel.org> <20220419124901.idh7zaff3os6532f@sirius.home.kraxel.org> <20220420081656.nl4sykhnwzugynm5@sirius.home.kraxel.org> <56d4a5fab3cda814d1d33a6e3f6987a0313129f5.camel@linux.ibm.com>

Hi,

> > So, no matter what the order is, you'll figure the system got
> > compromised after the fact, when checking the hashes later, and in
> > turn take actions like refusing to hand out secrets to the
> > compromised system.
>
> Not if the code falsifies the measurement both in the log and to the
> TPM. That's why the requirement of measured boot is you start with a
> small rom based root of trust, which can't be updated because it's in
> rom. It measures the next stage (usually PEI) before executing it so
> that the measurement in the TPM would change if the next stage (which
> is often in flash) got compromised, so any tampering is certain to be
> detected and if the compromised code tries to falsify the log, the log
> now wouldn't match the TPM, so it can't evade detection.

How do we establish the root of trust in case of TDX? We don't have a
real rom in virtual machines ...

Does the tdx firmware measure the firmware code before running it?

Why handle CFV and BFV differently? Wouldn't it be easier to have the
tdx firmware simply measure the complete OVMF.fd image, given that tdx
doesn't support flash and thus we don't have the code/vars split in the
first place?

The TD HobList is prepared by the hypervisor and present at launch time,
so possibly the tdx firmware could measure it too before handing over
control to the guest?

take care,
  Gerd
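The following is an added illustration of the verifier-side argument made in the quoted reply above (the immutable root of trust extends the measurement of the next stage before running it, so a later stage can rewrite the event log but cannot undo the extend). It is not code from the thread or from edk2/OvmfPkg. It assumes a single SHA-256 PCR bank, a simplified two-stage boot (root of trust measures PEI, PEI measures DXE), constructed stage images, and an in-memory event log that the PEI stage is able to overwrite; the hypothetical `boot()` helper simulates that boot. TDX RTMRs use SHA-384 and a different register layout, but the extend-only property the check relies on is the same.

```python
import hashlib

DIGEST_LEN = 32
PCR_INIT = bytes(DIGEST_LEN)  # PCRs are all-zero after reset


def measure(data: bytes) -> bytes:
    """Digest of a boot stage image."""
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 PCR extend: new = H(old || digest). Software can only extend,
    never set or roll back a PCR, which is what the verifier relies on."""
    return hashlib.sha256(pcr + digest).digest()


def replay_log(events):
    """Recompute every PCR from the event log alone."""
    pcrs = {}
    for pcr_index, digest, _description in events:
        pcrs[pcr_index] = extend(pcrs.get(pcr_index, PCR_INIT), digest)
    return pcrs


def verify_attestation(events, reported_pcrs, reference_pcrs):
    """Two independent checks a remote verifier performs on an attestation:
    1. the event log replays to the PCR values the TPM signed (log not forged);
    2. the PCR values equal the golden values of a known-good firmware build."""
    replayed = replay_log(events)
    log_consistent = all(replayed.get(i) == v for i, v in reported_pcrs.items())
    matches_reference = all(reported_pcrs.get(i) == v for i, v in reference_pcrs.items())
    return log_consistent, matches_reference


class SimulatedTpm:
    """Minimal stand-in for the TPM: holds PCRs and only allows extend."""

    def __init__(self):
        self.pcrs = {}

    def extend(self, pcr_index: int, digest: bytes) -> None:
        self.pcrs[pcr_index] = extend(self.pcrs.get(pcr_index, PCR_INIT), digest)


# Constructed stage images for the simulation (not real firmware).
GOOD_PEI = b"constructed: known-good PEI stage image"
GOOD_DXE = b"constructed: known-good DXE stage image"
BAD_PEI = b"constructed: tampered PEI stage image"


def boot(pei_image: bytes, dxe_image: bytes, pei_forges_log: bool = False):
    """Hypothetical simulation of one measured boot.
    Step 1 is performed by the immutable ROM root of trust and is outside
    PEI's control; step 2 is performed by PEI, which also owns the in-memory
    event log and (if compromised) may write whatever it likes there."""
    tpm = SimulatedTpm()
    log = []

    # Step 1: ROM measures PEI into PCR0 before executing it.
    pei_digest = measure(pei_image)
    tpm.extend(0, pei_digest)
    # A compromised PEI may later overwrite its own log entry with the expected
    # digest, but the TPM extend above has already happened.
    log.append((0, measure(GOOD_PEI) if pei_forges_log else pei_digest, "PEI"))

    # Step 2: PEI measures DXE into PCR0 before executing it.
    dxe_digest = measure(dxe_image)
    tpm.extend(0, dxe_digest)
    log.append((0, dxe_digest, "DXE"))
    return log, tpm.pcrs


def run_scenarios():
    """Return {scenario: (log_consistent, matches_reference)} for three boots."""
    # Golden PCR0 computed from the known-good build (what the verifier expects).
    reference = {0: boot(GOOD_PEI, GOOD_DXE)[1][0]}
    scenarios = {
        "good": (GOOD_PEI, GOOD_DXE, False),
        "tampered_pei_honest_log": (BAD_PEI, GOOD_DXE, False),
        "tampered_pei_forged_log": (BAD_PEI, GOOD_DXE, True),
    }
    results = {}
    for name, args in scenarios.items():
        log, pcrs = boot(*args)
        results[name] = verify_attestation(log, pcrs, reference)
    return results


if __name__ == "__main__":
    for name, (log_ok, ref_ok) in run_scenarios().items():
        print(f"{name:28s} log_consistent={log_ok} matches_reference={ref_ok}")
```

In the tampered-but-honest case the log replays cleanly, and it is only the comparison against the golden PCR0 that catches the modified PEI; in the forged-log case the forged entry makes the replay disagree with the TPM-reported value, so the first check fails as well. Both checks are needed: one detects a forged log, the other detects a consistent log of a boot that should never have been trusted.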