From: Ard Biesheuvel <ardb@kernel.org>
Date: Mon, 15 Apr 2024 16:42:24 +0200
Subject: Re: [edk2-devel] [RFC PATCH] OvmfPkg/SecurityPkg: Add build option for coexistence of vTPM and RTMR.
To: Qinkun Bao
Cc: devel@edk2.groups.io, jiewen.yao@intel.com, Dionna Amalie Glaze, Mikko Ylinen, Gerd Hoffmann, James Bottomley, Tom Lendacky, Michael Roth, linux-coco@lists.linux.dev, Erdem Aktas, Peter Gonda, Simon P Johnson, Qinglan Xiang, Cfir Cohen, Ranga Madhanagopal

On Sat, 13 Apr 2024 at 11:37, Qinkun Bao wrote:
> ...
>
> > I think it is a bad idea to go and apply changes all across the boot
> > software ecosystem to measure the same assets into different
> > measurement protocols. I'm afraid it creates technical debt that will
> > come and bite us in the future.
>
> Could you shed some light on why it creates technical debt?
>

If it is so vitally important that measurements are taken into both the
TPM PCRs and the RTMRs if both are available, can we really trust all
those boot components to do the right thing? And do we really want to
have to reason about that? Given that the guest system firmware exposes
both protocols anyway, wouldn't it make more sense to make it the guest
firmware's job to duplicate measurements into the RTMRs and only expose
the TCG protocol to the guest OS stack?

The hybrid model of trusting the host (and using a vTPM) and not
trusting the host (and therefore relying on TDX/RTMRs) at the same time
seems a bit odd to me in any case: under which circumstances would a
guest distrust the host but still rely on the vTPM?

> > Given that RTMR is a proper subset of vTPM (modulo the PCR/RTMR index
> > conversion), I feel that it should be the CoCo firmware's
> > responsibility to either:
> > - expose RTMR and not vTPM
> > - expose vTPM, and duplicate each measurement into RTMR as they are taken
> >
> > However, I understand that this is only viable for execution under the
> > UEFI boot services, and after that, the vTPM and RTMR are exposed in
> > different ways to the OS.
>
> Yes, they are exposed in different ways. In Linux, the TPM driver uses
> the mmio interface rather than the EFI service. Even if
> EFI_TCG2_PROTOCOL is not installed, the TPM as a device is still
> visible to the guest. The RTMR values are included in the TD report
> and could be extended through a TDCALL. The security concern caused by
> not measuring into every device that is available is a concern.

That does not imply that each and every component should be responsible
for taking both measurements.

> Please see CVE-2021-42299.
>
> > Could someone explain how that piece of the puzzle is supposed to
> > work? Do we measure into RTMR after ExitBootServices()?
>
> Yes, we still measure into RTMR after ExitBootServices() [1]. One
> example is measuring container images into RTMR2 during the loading
> [2].
>

Fair enough. So keeping RTMRs and PCRs in sync after EBS() is going to
be problematic :-(

Archived as message #117788 on edk2-devel: https://edk2.groups.io/g/devel/message/117788
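The two designs argued over above (firmware mirroring each TCG2 measurement into the mapped RTMR versus components extending RTMRs directly, including after ExitBootServices()) can be modelled in a few dozen lines. The Python below is an added example written for this page; it is not code from the thread, from OVMF or from any patch. It assumes a PCR-to-RTMR index mapping modelled on the TDX Virtual Firmware Design Guide (PCR0 is covered by MRTD, PCR1 and PCR7 feed RTMR0, PCR2 to PCR5 feed RTMR1, PCR8 to PCR15 feed RTMR2); the thread only says that such a conversion exists. The sample events are constructed. The verifier-side helper replays the TCG2 event log and reports which RTMRs it can no longer explain, which is exactly what happens once something extends RTMR2 through a TDCALL after EBS: the PCRs and the log stop describing the RTMR state.

```python
import hashlib

# PCR -> RTMR index mapping used by this model. Assumption of the example,
# modelled on the TDX Virtual Firmware Design Guide (PCR0 is covered by MRTD,
# RTMR3 is not fed from any PCR); the thread only says a conversion exists.
PCR_TO_RTMR = {1: 0, 7: 0, 2: 1, 3: 1, 4: 1, 5: 1}
PCR_TO_RTMR.update({i: 2 for i in range(8, 16)})


def extend(old: bytes, event: bytes, algo: str) -> bytes:
    """Generic extend: new = H(old || H(event)). SHA-256 for PCRs, SHA-384 for RTMRs."""
    digest = hashlib.new(algo, event).digest()
    return hashlib.new(algo, old + digest).digest()


class Registers:
    """Toy model of a vTPM SHA-256 PCR bank plus the four SHA-384 RTMRs."""

    def __init__(self) -> None:
        self.pcr = {i: bytes(32) for i in range(24)}
        self.rtmr = {i: bytes(48) for i in range(4)}
        self.tcg_log = []          # (pcr_index, event), as a TCG2 event log records
        self.boot_services = True

    def tcg2_hash_log_extend(self, pcr_index: int, event: bytes) -> None:
        """Firmware-side TCG2 path: extend the PCR, log the event, and mirror the
        same event into the mapped RTMR so the guest only needs the TCG protocol."""
        if not self.boot_services:
            raise RuntimeError("EFI_TCG2_PROTOCOL is gone after ExitBootServices()")
        self.pcr[pcr_index] = extend(self.pcr[pcr_index], event, "sha256")
        self.tcg_log.append((pcr_index, event))
        rtmr_index = PCR_TO_RTMR.get(pcr_index)
        if rtmr_index is not None:
            self.rtmr[rtmr_index] = extend(self.rtmr[rtmr_index], event, "sha384")

    def exit_boot_services(self) -> None:
        self.boot_services = False

    def tdcall_extend_rtmr(self, rtmr_index: int, event: bytes) -> None:
        """Runtime RTMR extend via TDCALL: nothing reaches the PCRs or the TCG log."""
        self.rtmr[rtmr_index] = extend(self.rtmr[rtmr_index], event, "sha384")


def replay_rtmrs(tcg_log) -> dict:
    """Verifier side: the RTMR values a complete, mirrored TCG2 log implies."""
    expected = {i: bytes(48) for i in range(4)}
    for pcr_index, event in tcg_log:
        rtmr_index = PCR_TO_RTMR.get(pcr_index)
        if rtmr_index is not None:
            expected[rtmr_index] = extend(expected[rtmr_index], event, "sha384")
    return expected


def rtmrs_out_of_sync(regs: Registers) -> list:
    """RTMR indices whose quoted value the TCG2 log can no longer account for."""
    expected = replay_rtmrs(regs.tcg_log)
    return sorted(i for i in range(4) if regs.rtmr[i] != expected[i])


def demo() -> tuple:
    """Out-of-sync RTMRs before and after a post-EBS extend: ([], [2])."""
    regs = Registers()
    # Constructed sample events standing in for real boot measurements.
    regs.tcg2_hash_log_extend(7, b"SecureBoot=1")             # PCR7 -> RTMR0
    regs.tcg2_hash_log_extend(4, b"\\EFI\\BOOT\\BOOTX64.EFI")  # PCR4 -> RTMR1
    regs.tcg2_hash_log_extend(9, b"initrd.img")                # PCR9 -> RTMR2
    before = rtmrs_out_of_sync(regs)                           # []
    regs.exit_boot_services()
    # Runtime measurement (e.g. a container image) lands only in RTMR2.
    regs.tdcall_extend_rtmr(2, b"container-image-digest-placeholder")
    after = rtmrs_out_of_sync(regs)                            # [2]
    return before, after


if __name__ == "__main__":
    print(demo())
```

The model deliberately makes the TCG2 path raise once boot services are gone: that is the point at which the firmware can no longer mirror anything, so whatever a verifier learns from RTMR2 after that has to come from a second log (the runtime one) rather than from the TCG2 log and the PCRs.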