Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18;
MIME-Version: 1.0
References: <169199898909.1782217.10899362240465838600.stgit@dwillia2-xfh.jf.intel.com>
 <57f3a05e-8fcd-4656-beea-56bb8365ae64@linux.microsoft.com> <64da606b171cc_2138e29484@dwillia2-xfh.jf.intel.com.notmuch>
In-Reply-To: <64da606b171cc_2138e29484@dwillia2-xfh.jf.intel.com.notmuch>
From:   Peter Gonda <pgonda@google.com>
Date:   Tue, 15 Aug 2023 08:27:46 -0600
Message-ID: <CAMkAt6q1ZedWBQ+ZLmD5QRKc0jcz2nrdwEAw6g8R2fZ5e2ed_A@mail.gmail.com>
Subject: Re: [PATCH v2 0/5] tsm: Attestation Report ABI
To:     Dan Williams <dan.j.williams@intel.com>
Cc:     Jeremi Piotrowski <jpiotrowski@linux.microsoft.com>,
        linux-coco@lists.linux.dev, Brijesh Singh <brijesh.singh@amd.com>,
        Kuppuswamy Sathyanarayanan 
        <sathyanarayanan.kuppuswamy@linux.intel.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Tom Lendacky <thomas.lendacky@amd.com>,
        Borislav Petkov <bp@alien8.de>,
        Dionna Amalie Glaze <dionnaglaze@google.com>,
        Samuel Ortiz <sameo@rivosinc.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        James Bottomley <James.Bottomley@hansenpartnership.com>,
        x86@kernel.org, linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Precedence: bulk

On Mon, Aug 14, 2023 at 11:12=E2=80=AFAM Dan Williams <dan.j.williams@intel=
.com> wrote:
>
> Jeremi Piotrowski wrote:
> > On 8/14/2023 9:43 AM, Dan Williams wrote:
> > > Changes since v1:
> > > - Switch from Keyring to sysfs (James)
> > >
> > > An attestation report is signed evidence of how a Trusted Virtual
> > > Machine (TVM) was launched and its current state. A verifying party u=
ses
> > > the report to make judgements of the confidentiality and integrity of
> > > that execution environment. Upon successful attestation the verifying
> > > party may, for example, proceed to deploy secrets to the TVM to carry
> > > out a workload. Multiple confidential computing platforms share this
> > > similar flow.
> > >
> > > The approach of adding adding new char devs and new ioctls, for what
> > > amounts to the same logical functionality with minor formatting
> > > differences across vendors [1], is untenable. Common concepts and the
> > > community benefit from common infrastructure.
> > >
> > > Use sysfs for this facility for maintainability compared to ioctl(). =
The
> > > expectation is that this interface is a boot time, configure once, ge=
t
> > > report, and done flow. I.e. not something that receives ongoing
> > > transactions at runtime. However, runtime retrieval is not precluded =
and
> > > a mechanism to detect potential configuration conflicts from
> > > multiple-threads using this interface is included.
> > >
> >
> > I wanted to speak up to say that this does not align with the needs we =
have
> > in the Confidential Containers project. We want to be able to perform a=
ttestation
> > not just once during boot but during the lifecycle of the confidential =
VM. We
> > may need to fetch a fresh attestation report from a trusted agent but a=
lso from
> > arbitrary applications running in containers.
> >
> > The trusted agent might need attestation when launching a new container=
 from an
> > encrypted container image or when a new secret is being added to the VM=
 - both
> > of these events may happen at any time (also when containerized applica=
tions
> > are already executing).
> >
> > Container applications have their own uses for attestation, such as whe=
n they need
> > to fetch keys required to decrypt payloads. We also have things like pe=
rforming
> > attestation when establishing a TLS or ssh connection to provide an att=
ested e2e
> > encrypted communication channel.
>
> ...and you expect that the boot time attestation becomes invalidated
> later at run time such that ongoing round trips to the TSM are needed? I
> am looking at "Table 21. ATTESTATION_REPORT Structure" for example and
> not seeing data there that changes from one request to the next. Runtime
> validation likely looks more like the vTPM use case with PCRs. That will
> leverage the existing / common TPM ABI.

I thought we were dropping the TSM acronym as requested by Jarkko?

Why do we need to be so prescriptive about "boot time" vs "runtime"
attestations? A user may wish to attest to several requests as Jeremi
notes. And why should users be forced into using a vTPM interface if
their usecase doesn't require all the features and complexity of a
vTPM? Some users may prefer less overall code within their Trusted
Computer Base (TCB) and a TPM emulate is a significant code base.

It seems like you are just reading the SNP spec, if you read the TDX
spec you'll see there are RTMRs which can be extended with new data.
This leads to a different data in the attestation. Similar there are
REMs in the ARM CCA spec.

>
> > I don't think sysfs is suitable for such concurrent transactions. Also =
if you think
> > about exposing the sysfs interface to an application in a container, th=
is requires
> > bind mounting rw part of the sysfs tree into the mount namespace - not =
ideal.
>
> sysfs is not suitable for concurrent transactions. The container would
> need to have an alternate path to request that the singleton owner of
> the interface generate new reports, or use the boot time attestation to
> derive per container communication sessions to the attestation agent.