From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bounce+27952+117788+7686176+12367111@groups.io>
Received: from mail04.groups.io (mail04.groups.io [45.79.224.9])
	by spool.mail.gandi.net (Postfix) with ESMTPS id A1715AC0E26
	for <rebecca@openfw.io>; Mon, 15 Apr 2024 14:42:43 +0000 (UTC)
DKIM-Signature: a=rsa-sha256; bh=i+Tuo+6iJmd31Hl66wvXTe7bRv4Gpvg8YngbG4wvido=;
 c=relaxed/simple; d=groups.io;
 h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject:To:Cc:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Resent-Date:Resent-From:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Type;
 s=20240206; t=1713192162; v=1;
 b=OfDehQyJrJa91X60CV4mn+JE1Eu84yUZHc44YBNiEQ+leKVDD899/SPjsUhFp5WMBVw0nAou
 4kyP+wKgUhLjfI+hpIsZFm6HrEIvLkvzozA9SDtVicXUbWqCk/E2rwmEEkX64gXraGnAjtPTadB
 PO9Xuwllp2pYrr3p7sO5hEFpMK6b7wUgry76NYH/wh9tVR6bJKiVUPiybZ/p2yNPsMx5sVol3vx
 cGyQjWlSYXu047+5ZEzGAB0ol6SWbhNPbjbo/ZzMYfmHxfQzIWBcFYO1Oj9Qk/Vf7Yy4dQIyDse
 ayTGLqTWmJQumrn5idPKjDHb4XsabvSNDDv5p7S/cSekw==
X-Received: by 127.0.0.2 with SMTP id q0AGYY7687511xGpJCFUOwvR; Mon, 15 Apr 2024 07:42:42 -0700
X-Received: from sin.source.kernel.org (sin.source.kernel.org [145.40.73.55])
 by mx.groups.io with SMTP id smtpd.web10.22837.1713192161187809437
 for <devel@edk2.groups.io>;
 Mon, 15 Apr 2024 07:42:41 -0700
X-Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58])
	by sin.source.kernel.org (Postfix) with ESMTP id C738BCE0D3E
	for <devel@edk2.groups.io>; Mon, 15 Apr 2024 14:42:37 +0000 (UTC)
X-Received: by smtp.kernel.org (Postfix) with ESMTPSA id 12A8DC4AF07
	for <devel@edk2.groups.io>; Mon, 15 Apr 2024 14:42:37 +0000 (UTC)
X-Received: by mail-lj1-f181.google.com with SMTP id 38308e7fff4ca-2d872102372so25343701fa.0
        for <devel@edk2.groups.io>; Mon, 15 Apr 2024 07:42:36 -0700 (PDT)
X-Gm-Message-State: F55WA29Qtz7zFD909JxiMAaFx7686176AA=
X-Google-Smtp-Source: AGHT+IF+/5AXxrZyIZ0w3+GlcRqRzaGxJ6MW6BTytHxiQXM3Qhl0B0tR5Bpsv76OONgPhjKSCQOitahz/pOf92VMC6w=
X-Received: by 2002:a05:651c:2209:b0:2da:6ca:bddb with SMTP id
 y9-20020a05651c220900b002da06cabddbmr3506689ljq.19.1713192155412; Mon, 15 Apr
 2024 07:42:35 -0700 (PDT)
MIME-Version: 1.0
References: <94521f20aa2872c1b8f018b7db31eca4a2b8222d.1711039409.git.qinkun@google.com>
 <CAAH4kHbAi=Jn7Lw82idGGmQYnAhJnhoS9u8wBMOZsp7iLiOWxw@mail.gmail.com>
 <PH0PR11MB587959168F72B20E0AC836438C312@PH0PR11MB5879.namprd11.prod.outlook.com>
 <u76teout4bwpg5yoklah6xfkrpcn4lw5nosw5lmph7sfjipqnz@gagzyh3xrkie>
 <CAAH4kHbeGborxwDOzxeMbTjU4Xo79v-OVSHXYWQiJxg-yWQfWQ@mail.gmail.com>
 <ZgF3ACjFj8LtUWgv@himmelriiki> <CAAH4kHbqpaCgZJpF55x2NGWL22rz1ucRewYmR=K2chw2kP6sKA@mail.gmail.com>
 <MW4PR11MB5872BBA0D379C40E071300B98C052@MW4PR11MB5872.namprd11.prod.outlook.com>
 <CAMj1kXGm5RPNAzshaTAb7fnB80m8S+q0gbNxWSA3i9Dp-AL8uw@mail.gmail.com> <CAOjUGWckeov-K45R1Mf=MvEYG7vDetrUh-ifQwZDTLMEVEmhpA@mail.gmail.com>
In-Reply-To: <CAOjUGWckeov-K45R1Mf=MvEYG7vDetrUh-ifQwZDTLMEVEmhpA@mail.gmail.com>
From: "Ard Biesheuvel" <ardb@kernel.org>
Date: Mon, 15 Apr 2024 16:42:24 +0200
X-Gmail-Original-Message-ID: <CAMj1kXHoFyy2T0TxgPMOVxGujCwbCVXBw-z+AcCydProwMGOcw@mail.gmail.com>
Message-ID: <CAMj1kXHoFyy2T0TxgPMOVxGujCwbCVXBw-z+AcCydProwMGOcw@mail.gmail.com>
Subject: Re: [edk2-devel] [RFC PATCH] OvmfPkg/SecurityPkg: Add build option for coexistance of vTPM and RTMR.
To: Qinkun Bao <qinkun@google.com>
Cc: devel@edk2.groups.io, jiewen.yao@intel.com, 
	Dionna Amalie Glaze <dionnaglaze@google.com>, Mikko Ylinen <mikko.ylinen@linux.intel.com>, 
	Gerd Hoffmann <kraxel@redhat.com>, James Bottomley <jejb@linux.ibm.com>, 
	Tom Lendacky <thomas.lendacky@amd.com>, Michael Roth <michael.roth@amd.com>, 
	"linux-coco@lists.linux.dev" <linux-coco@lists.linux.dev>, "Aktas, Erdem" <erdemaktas@google.com>, 
	Peter Gonda <pgonda@google.com>, "Johnson, Simon P" <simon.p.johnson@intel.com>, 
	"Xiang, Qinglan" <qinglan.xiang@intel.com>, Cfir Cohen <cfir@google.com>, 
	"Madhanagopal, Ranga" <ranga.madhanagopal@intel.com>
Precedence: Bulk
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Resent-Date: Mon, 15 Apr 2024 07:42:41 -0700
Resent-From: ardb@kernel.org
Reply-To: devel@edk2.groups.io,ardb@kernel.org
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe: <https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/plugh>
Content-Type: text/plain; charset="UTF-8"
X-GND-Status: LEGIT
Authentication-Results: spool.mail.gandi.net;
	dkim=pass header.d=groups.io header.s=20240206 header.b=OfDehQyJ;
	dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=kernel.org (policy=none);
	spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 45.79.224.9 as permitted sender) smtp.mailfrom=bounce@groups.io

On Sat, 13 Apr 2024 at 11:37, Qinkun Bao <qinkun@google.com> wrote:
>
...
> >
> > I think it is a bad idea to go and apply changes all across the boot
> > software ecosystem to measure the same assets into different
> > measurement protocols. I'mm afraid it creates technical debt that will
> > come and bite us in the future.
>
> Could you shed some lights on why it creates technical debts?
>

If it is so vitally important that measurements are taken into both
the TPM PCRs and the RTMRs if both are available, can we really trust
all those boot components to do the right thing? And do we really want
to have to reason about that?

Given that the guest system firmware exposes both protocols anyway,
wouldn't it make more sense to make it the guest firmware's job to
duplicate measurements into the RTMRs and only expose the TCG protocol
to the guest OS stack?

The hybrid model of trusting the host (and using a vTPM) and not
trusting the host (and therefore relying on TDX/RTMRs) at the same
time seems a bit odd to me in any case: under which circumstances
would a guest distrust the host but still rely on the vTPM?


> >
> > Given that RTMR is a proper subset of vTPM (modulo the PCR/RTMR index
> > conversion), I feel that it should be the CoCo firmware's
> > responsibility to either:
> > - expose RTMR and not vTPM
> > - expose vTPM, and duplicate each measurement into RTMR as they are taken
> >
> > However, I understand that this is only viable for execution under the
> > UEFI boot services, and after that, the vTPM and RTMR are exposed in
> > different ways to the OS.
>
> Yes, they are exposed in different ways. In Linux, the TPM driver uses
> the mmio interface rather than the EFI service. Even if
> EFI_TCG2_PROTOCOL is not installed, the TPM as a device is still
> visible to the guest. The RTMR values are included in the TD report
> and could be extended through a TDCALL. The security concern caused by
> not measuring into every device that is available is a concern.

That does not imply that each and every component should be
responsible for taking both measurements.

> Please
> see CVE-2021-42299.
>
> >
> > Could someone explain how that piece of the puzzle is supposed to
> > work? Do we measure into RTMR after ExitBootServices()?
>
> Yes, we still measure into RTMR after ExitBootServices() [1]. One
> example is measuring container images into RTMR2 during the loading
> [2].
>

Fair enough. So keeping RTMRs and PCRs in sync after EBS() is going to
be problematic :-(


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#117788): https://edk2.groups.io/g/devel/message/117788
Mute This Topic: https://groups.io/mt/105070442/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-