Received: by 2002:a05:6359:6284:b0:131:369:b2a3 with SMTP id se4csp165854rwb; Fri, 4 Aug 2023 10:40:02 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGXvQpEVLEhkUHVF1aGJpqSUnkzr7YyRb9S86qzTexmjQmwc7XyeTrK3aVDYLmqwRvP1M7G X-Received: by 2002:a17:90a:788d:b0:262:fc8a:ecf with SMTP id x13-20020a17090a788d00b00262fc8a0ecfmr2216445pjk.27.1691170801406; Fri, 04 Aug 2023 10:40:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1691170801; cv=none; d=google.com; s=arc-20160816; b=X4qkhE5TlULOdcPweQUZtKKMg6asiJeFGXFUqO51r+dMLuemzZs9PtzAu09FS3W7ad fToN70ju3mTfvDFU1/mu9krg/6xLS18ebMzoK+D5a9SaIbAyeGjhr5rtPDnMSsievyaj U27A0sHHScDyNkaHQlNVTO3sHwRYe/O1TSwcI0akAtSQ36tjQ6dVNjp+WdncbDpDY7lK l64uhCt3Pn1JUelSH6TepUG1Qv80zuYK4psUZnV+l2Kg7cpQaQrRXn5R5phRFIXGB10l DPobIJYbz+N+lxCjweZAFoLhi+Jpv1o8OqNqE6pdrPVnXoRa8zhxg3audPLpAZQVg4P2 5irg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id:dkim-signature:dkim-signature; bh=erROsRJMuQelSPwCSOLhSIMO1zisqHBRMZ1X9FiklVE=; fh=om60Gh63OggqodkTqeF+54rSrKv8rkQxwk4AgBT6tC0=; b=nHNIPB4/DzGIdIqi9tC9MChNzGcytM/R/ORXKQfD1pS9JO5OoeMooweISCIn0+gWoW 4wKqfNC3P753gInSiEiwcXuWqlQdTsoORa/RzyEK32JAvgQGOwrYbYVSa58BrGSaxbBO lXNZo1YE4mnbJDF8EudenEDrjmd99z2ABb34nq8P5RwrFCM5YVm0uUOAmfD2O0rcN5Wb 9U8JADIhaBtGRdqIjZDDM//IrjIjCkb0M/YJCSXlGshjCJLwbwhEiNs9g7B+4YhMu2xH YDhqYwBqoobyQbxbINfIl9OcNqc+OSNibL5++3DCApFk1s9AimT3yMb12q+LncAHqeRz wFuw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=f9JvpJ3s; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=f9JvpJ3s; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id o9-20020a17090ac08900b0026815fe629esi5351699pjs.70.2023.08.04.10.39.48; Fri, 04 Aug 2023 10:40:01 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=f9JvpJ3s; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=f9JvpJ3s; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230231AbjHDRMQ (ORCPT + 99 others); Fri, 4 Aug 2023 13:12:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46620 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229754AbjHDRMO (ORCPT ); Fri, 4 Aug 2023 13:12:14 -0400 Received: from bedivere.hansenpartnership.com (bedivere.hansenpartnership.com [IPv6:2607:fcd0:100:8a00::2]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 328BE3C25; Fri, 4 Aug 2023 10:12:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hansenpartnership.com; s=20151216; t=1691169130; bh=k/zttB4T2CScg/JHkOSPHBwHh+YE9cWs+BwYyqLser4=; h=Message-ID:Subject:From:To:Date:In-Reply-To:References:From; b=f9JvpJ3sVW4hPdpdMkW4G4H1qY0MpkDXtZ0kkXJLBYf0bDQlpQXP2PrpRVwO/wyeR V3KDEaKYOk+4l4rD7s26qs/AH6aCmJxFWUQduLByK+kWstN0O052ISCkVqiIaCIbnG 3ue1706uRljJyiQxRS7volAr5dsgXsw7w75kz5ak= Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 7BF151280EA0; Fri, 4 Aug 2023 13:12:10 -0400 (EDT) Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavis, port 10024) with ESMTP id fzGcu-YakGz3; Fri, 4 Aug 2023 13:12:10 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hansenpartnership.com; s=20151216; t=1691169130; bh=k/zttB4T2CScg/JHkOSPHBwHh+YE9cWs+BwYyqLser4=; h=Message-ID:Subject:From:To:Date:In-Reply-To:References:From; b=f9JvpJ3sVW4hPdpdMkW4G4H1qY0MpkDXtZ0kkXJLBYf0bDQlpQXP2PrpRVwO/wyeR V3KDEaKYOk+4l4rD7s26qs/AH6aCmJxFWUQduLByK+kWstN0O052ISCkVqiIaCIbnG 3ue1706uRljJyiQxRS7volAr5dsgXsw7w75kz5ak= Received: from lingrow.int.hansenpartnership.com (unknown [IPv6:2601:5c4:4302:c21::c14]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (prime256v1) server-signature RSA-PSS (2048 bits)) (Client did not present a certificate) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 387A512804B6; Fri, 4 Aug 2023 13:12:09 -0400 (EDT) Message-ID: <35071cffb4acb117f1b4be2807c40792734bff89.camel@HansenPartnership.com> Subject: Re: [PATCH 1/4] keys: Introduce tsm keys From: James Bottomley To: Dionna Amalie Glaze Cc: Dan Williams , Jarkko Sakkinen , Peter Gonda , dhowells@redhat.com, Kuppuswamy Sathyanarayanan , Greg Kroah-Hartman , Samuel Ortiz , peterz@infradead.org, linux-coco@lists.linux.dev, keyrings@vger.kernel.org, x86@kernel.org, linux-kernel@vger.kernel.org Date: Fri, 04 Aug 2023 13:12:07 -0400 In-Reply-To: References: <169057265210.180586.7950140104251236598.stgit@dwillia2-xfh.jf.intel.com> <169057265801.180586.10867293237672839356.stgit@dwillia2-xfh.jf.intel.com> <64cc650233ef9_782a329489@dwillia2-xfh.jf.intel.com.notmuch> <66161ce56ec783d1ec452a50b80b120bec8b56e8.camel@HansenPartnership.com> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.42.4 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_PASS,SPF_PASS, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 2023-08-04 at 10:07 -0700, Dionna Amalie Glaze wrote: > > > > Just on this one, it's already specified in the latest SVSM doc: > > > > https://lore.kernel.org/linux-coco/a2f31400-9e1c-c12a-ad7f-ea0265a12068@amd.com/ > > > > The Service Attestation Data on page 36-37.  It says TPMT_PUBLIC of > > the > > EK.  However, what it doesn't say is *which* EK.  I already sent in > > a > > comment saying it should be the TCG template for the P-256 curve > > EK. > > > > So asking the SVSM to give you the attestation report for the VTPM > > service binds the EK of the vTPM. > > > > Yes, thanks. It sounds like you have to ask the SVSM to certify the > EK separately from asking the TPM for a quote. That's right. > We can't rely entirely on the TPM API and avoid a sev-guest device > for talking to the SVSM. Yes, you have to make a SVSM service attestation call initially to validate the vTPM. > Or are you saying the SVSM attestation report will get encoded in > the x.509 EK certificate that the TPM API returns, such as the report > is in a cert extension? I'm less clear on how TPM software would > interpret the Issuer of that cert. There is no certificate. It's more like the Google Cloud: the SVSM vTPM has no EK cert, so you have to ask something else for validation of the EK, in this case a service attestation quote from the SVSM which confirms the binding of the current SVSM to the EK and then you use that EK pub to verify the vTPM. There's already experimental work to get this supported in Keylime, but doing it properly involves making the registrar EK validation mechanism pluggable. James