From: "Ard Biesheuvel" <ardb@kernel.org>
To: Qinkun Bao <qinkun@google.com>
Cc: devel@edk2.groups.io, jiewen.yao@intel.com,
Dionna Amalie Glaze <dionnaglaze@google.com>,
Mikko Ylinen <mikko.ylinen@linux.intel.com>,
Gerd Hoffmann <kraxel@redhat.com>,
James Bottomley <jejb@linux.ibm.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
Michael Roth <michael.roth@amd.com>,
"linux-coco@lists.linux.dev" <linux-coco@lists.linux.dev>,
"Aktas, Erdem" <erdemaktas@google.com>,
Peter Gonda <pgonda@google.com>,
"Johnson, Simon P" <simon.p.johnson@intel.com>,
"Xiang, Qinglan" <qinglan.xiang@intel.com>,
Cfir Cohen <cfir@google.com>,
"Madhanagopal, Ranga" <ranga.madhanagopal@intel.com>
Subject: Re: [edk2-devel] [RFC PATCH] OvmfPkg/SecurityPkg: Add build option for coexistance of vTPM and RTMR.
Date: Mon, 15 Apr 2024 16:42:24 +0200 [thread overview]
Message-ID: <CAMj1kXHoFyy2T0TxgPMOVxGujCwbCVXBw-z+AcCydProwMGOcw@mail.gmail.com> (raw)
In-Reply-To: <CAOjUGWckeov-K45R1Mf=MvEYG7vDetrUh-ifQwZDTLMEVEmhpA@mail.gmail.com>
On Sat, 13 Apr 2024 at 11:37, Qinkun Bao <qinkun@google.com> wrote:
>
...
> >
> > I think it is a bad idea to go and apply changes all across the boot
> > software ecosystem to measure the same assets into different
> > measurement protocols. I'mm afraid it creates technical debt that will
> > come and bite us in the future.
>
> Could you shed some lights on why it creates technical debts?
>
If it is so vitally important that measurements are taken into both
the TPM PCRs and the RTMRs if both are available, can we really trust
all those boot components to do the right thing? And do we really want
to have to reason about that?
Given that the guest system firmware exposes both protocols anyway,
wouldn't it make more sense to make it the guest firmware's job to
duplicate measurements into the RTMRs and only expose the TCG protocol
to the guest OS stack?
The hybrid model of trusting the host (and using a vTPM) and not
trusting the host (and therefore relying on TDX/RTMRs) at the same
time seems a bit odd to me in any case: under which circumstances
would a guest distrust the host but still rely on the vTPM?
> >
> > Given that RTMR is a proper subset of vTPM (modulo the PCR/RTMR index
> > conversion), I feel that it should be the CoCo firmware's
> > responsibility to either:
> > - expose RTMR and not vTPM
> > - expose vTPM, and duplicate each measurement into RTMR as they are taken
> >
> > However, I understand that this is only viable for execution under the
> > UEFI boot services, and after that, the vTPM and RTMR are exposed in
> > different ways to the OS.
>
> Yes, they are exposed in different ways. In Linux, the TPM driver uses
> the mmio interface rather than the EFI service. Even if
> EFI_TCG2_PROTOCOL is not installed, the TPM as a device is still
> visible to the guest. The RTMR values are included in the TD report
> and could be extended through a TDCALL. The security concern caused by
> not measuring into every device that is available is a concern.
That does not imply that each and every component should be
responsible for taking both measurements.
> Please
> see CVE-2021-42299.
>
> >
> > Could someone explain how that piece of the puzzle is supposed to
> > work? Do we measure into RTMR after ExitBootServices()?
>
> Yes, we still measure into RTMR after ExitBootServices() [1]. One
> example is measuring container images into RTMR2 during the loading
> [2].
>
Fair enough. So keeping RTMRs and PCRs in sync after EBS() is going to
be problematic :-(
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#117788): https://edk2.groups.io/g/devel/message/117788
Mute This Topic: https://groups.io/mt/105070442/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
next prev parent reply other threads:[~2024-04-15 14:42 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-21 16:59 [edk2-devel] [RFC PATCH] OvmfPkg/SecurityPkg: Add build option for coexistance of vTPM and RTMR qinkun Bao via groups.io
2024-03-21 17:46 ` Dionna Glaze via groups.io
2024-03-22 2:39 ` Yao, Jiewen
2024-03-22 8:52 ` Gerd Hoffmann
2024-03-22 14:56 ` Dionna Glaze via groups.io
2024-03-22 17:28 ` qinkun Bao via groups.io
2024-03-25 13:07 ` Mikko Ylinen
2024-03-25 15:28 ` Dionna Glaze via groups.io
2024-04-11 1:20 ` Yao, Jiewen
2024-04-11 6:23 ` qinkun Bao via groups.io
2024-04-11 6:52 ` Ard Biesheuvel
2024-04-11 8:07 ` Gerd Hoffmann
2024-04-11 9:56 ` Yao, Jiewen
2024-04-11 10:29 ` Gerd Hoffmann
2024-04-11 10:33 ` Ard Biesheuvel
2024-04-11 14:07 ` Lendacky, Thomas via groups.io
2024-04-11 17:10 ` Xiang, Qinglan
2024-04-13 9:36 ` qinkun Bao via groups.io
2024-04-15 14:42 ` Ard Biesheuvel [this message]
[not found] ` <17C329C4A6D0CD18.8175@lists.confidentialcomputing.io>
[not found] ` <CAOjUGWcNedJ7iNjGCKL6qZeZo3aSt_8U5BN=9JUN2f2vjD+O4w@mail.gmail.com>
[not found] ` <CA+2DEOoc1Ckn2S-=57HiRsAd0W4YGRWVQQG-gOBR3Fc8nfX+Nw@mail.gmail.com>
2024-04-09 19:16 ` [edk2-devel] [linux-collab] [CCC][tac] " qinkun Bao via groups.io
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAMj1kXHoFyy2T0TxgPMOVxGujCwbCVXBw-z+AcCydProwMGOcw@mail.gmail.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox