References: <169057265210.180586.7950140104251236598.stgit@dwillia2-xfh.jf.intel.com> <64c5ed6eb4ca1_a88b2942a@dwillia2-xfh.jf.intel.com.notmuch> <64cdb5f25c56_2138e294f1@dwillia2-xfh.jf.intel.com.notmuch> <1180481830431165d49c5e64b92b81c396ebc9b1.camel@HansenPartnership.com> <64d17f5728fbc_5ea6e2943f@dwillia2-xfh.jf.intel.com.notmuch> <2425e00b-defb-c12b-03e5-c3d23b30be01@linux.intel.com> <64d263e44e401_2138e29486@dwillia2-xfh.jf.intel.com.notmuch> <9c9c62f9243595a1faa3b0745fa8a1f8f018d9b8.camel@HansenPartnership.com> <3ff1bee6d121ce76fd78217dbe3e5ab2f0134f54.camel@HansenPartnership.com>
In-Reply-To: <3ff1bee6d121ce76fd78217dbe3e5ab2f0134f54.camel@HansenPartnership.com>
From: Dionna Amalie Glaze
Date: Tue, 8 Aug 2023 15:33:43 -0700
Subject: Re: [PATCH 0/4] keys: Introduce a keys frontend for attestation reports
To: James Bottomley
Cc: Dan Williams, Sathyanarayanan Kuppuswamy, dhowells@redhat.com, Brijesh Singh, Peter Zijlstra, Tom Lendacky, Borislav Petkov, Jarkko Sakkinen, Samuel Ortiz, Greg Kroah-Hartman, Andrew Morton, linux-coco@lists.linux.dev, keyrings@vger.kernel.org, x86@kernel.org, linux-kernel@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

> For an ephemeral TPM, the EK should be guaranteed to be random and
> therefore non-repeating, so there's not much need for the nonce to add
> non-repeatability. So, in theory, the vTPM/EK binding can be published
> once and relied on even for multiple different tenant endpoints, sort
> of like the EK cert for a physical TPM.
>

Okay, that sounds reasonable.

Regarding my other comment about daemons, we might already be in that
state for containers even without the sysfs proposal, given that the
sev-guest device requires root. We'd need a daemon to provide protected
access to the attestation report (e.g.,
https://github.com/confidential-containers/attestation-agent), so that's
a bit of a sad situation.

-- 
-Dionna Glaze, PhD (she/her)