Received: by 2002:a05:7412:ba23:b0:fa:4c10:6cad with SMTP id jp35csp505401rdb; Thu, 18 Jan 2024 09:43:58 -0800 (PST) X-Google-Smtp-Source: AGHT+IH/f87Ajzi7LELi2bSKjXv7kCy/e2sQzBM35gC0Q+2j+2WINUlLf41V8s18hpe8vSEQNDS7 X-Received: by 2002:a17:903:24c:b0:1d7:1211:afc6 with SMTP id j12-20020a170903024c00b001d71211afc6mr721522plh.42.1705599837989; Thu, 18 Jan 2024 09:43:57 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1705599837; cv=pass; d=google.com; s=arc-20160816; b=FEgfQWHwOWix8DPlvNlFeQ9XgP+xgVe22N0ykN8D4hu+dHxu51B3mZ2KO47PF4zZ2E q/AHJrns4G6lmIukuL3u3E7bCpW5mN7mxrQ0eVLJZ7cEek++9otMZci7UN6g1eeMPL+s cEvVxar/D1wM1pWBRaXb0hRIwtkWsvJnwOsjfZpsuhOrGRLE7DjlCP7AlNCqSPeDEaMj rkFh3YZywV6AElubVq34Nv49+Y2SDBuTD3KLZJ6N8wgov+Ph2cCTknFGGWI04Oxi97LA nuDRXZjOanzfp4htFH/Xn9Gis1HNJAu5Iof4gnxkSejUeIJn6wEhA9kd/3cDekayHQTT rjUw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=NOcAiExZvR2mQb61dcNah83qN7CavovaR3DLX+XgZEM=; fh=5va4xE2fcWEk06Ba6KPoyCpdV2Gpq0a+ryYjuJbSnCQ=; b=qRfS8ZiojqN/+lQ3flkvP8hhrFHiF+ATLuQ5RX6JFE06UIOxatcFnEaRiJeu7jYaGA hE0u1OpsUBiqq01WMlv6Q4/Ck1zyqaMyeka+r54shRi/jVANPG9tWTmCSCXW8Uofq66p i2VDyzvUMrFCQu2Inf0Jm3w3BllAfZJrVMItMOthjw7S3DzWW7FhPZ+gYPS2ysjG0CAy ouZGSxX12eVt7zqOfzi3+DSpu1GFfw7yjo8Y0R2dOdUWNxV09D4apLYgRoDjKCYH7YsE t/DNiEF8ptF9i3Bp1IdLCJ/rHE8VY2JAeJKUAdK72Eyb18Qdg207EFkkKt2OCSti/CpM yV+Q== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=SN1UImHA; arc=pass (i=1 spf=pass spfdomain=google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-30433-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-30433-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161]) by mx.google.com with ESMTPS id l18-20020a170903245200b001d6f879434bsi1852269pls.184.2024.01.18.09.43.57 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Jan 2024 09:43:57 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-30433-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=SN1UImHA; arc=pass (i=1 spf=pass spfdomain=google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-30433-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-30433-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id B4970B22024 for ; Thu, 18 Jan 2024 17:43:19 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 6677C2D054; Thu, 18 Jan 2024 17:43:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="SN1UImHA" Received: from mail-ed1-f45.google.com (mail-ed1-f45.google.com [209.85.208.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 155C52D04B for ; Thu, 18 Jan 2024 17:43:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.45 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705599789; cv=none; b=XQhkK69LcyztrcwubgBhQtGM5b+nybTRmWNTfg0k8dl6b2jWtQGYhg8gbHfJMN1YdkW8mRPlERqhUngyDSvfTVAwIlY1DoGbCUnbwBCcI0Hvu1eUofxUrQ1eZJ9PK+SMW1/4XqgtclITIwhALADsieraWHbSq//yA8A6XvgH1Gs= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705599789; c=relaxed/simple; bh=NOcAiExZvR2mQb61dcNah83qN7CavovaR3DLX+XgZEM=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=NNlj0rAI9ao7ouUbywnpNuNNd0LlEuMqZL+viV8ImqAvg87WFcCmsgflEx1jptjgvigj6U0LHPUjYSym6M6NRO41WdWae4YqasuYJwe16GLNmUHvnjOsyi5ewS9M36q19iB+D8y7nZwXy9ly3pVA4TYkVu93jx9RFYeUf+Xaq78= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=SN1UImHA; arc=none smtp.client-ip=209.85.208.45 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com Received: by mail-ed1-f45.google.com with SMTP id 4fb4d7f45d1cf-553e36acfbaso196a12.0 for ; Thu, 18 Jan 2024 09:43:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1705599786; x=1706204586; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=NOcAiExZvR2mQb61dcNah83qN7CavovaR3DLX+XgZEM=; b=SN1UImHAfDqvSYWPKQy1ZfJD/O0OqrYawAOLWdjaXsI33a0OrZ+m6cTHzCluqm9zUm FnsKIV9rKdjr0ZjVI/ApNjoll7ecdmMT8bJcL+ClyZhCJJ7Y28YCaAA5VsC7hoau4x4w hcfeBbh57NaFV0k2K2iSlFbdQB31RwX4QvF1Z3IQwFd4X3fCIINms2uQ815N28E/QqMk FA1cZphp957H/lonxnybMC6SoAa/W2x6lWcmbsDgoh2sxy9YU2q00xLj9zQVS3rxctZE B5Vb94E3gmky63LaMonlOLRWryGAHlADixLgG5Ndxj4bnCERsAxLlsV8BlEn5dHlw6jh UTsA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705599786; x=1706204586; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=NOcAiExZvR2mQb61dcNah83qN7CavovaR3DLX+XgZEM=; b=ei33ruKq5faZafUjqE7Q9P3wuPrqX+BfogkZgc7K1B2pozfdMlI+LH+X/+4fUkoZQt /yFsYKk0HL74l89t9/rinHRooDP2kFpggave+0HxIX3K8PfMVNV4h0sgj1Fd95kbRNj+ OVyTT9dzJunqwS3dNxcBeKoODHJaALJK1IF1NLq3F7ffJ/YDNk0wPnKWCq3czMnAdiDH Py9HtJrzO4QHbVd0/DsMfrne3Q0Y9GluIHnKzkv/w1E/Y6QrYctWqPVcePbHiY+5c1LY WhWgqFGScodYQMlAttnBGvHvRIMcgnXlp76io73mMJfXYXpa9YqUTxC9QQUFuqmZ5GKO 1hmQ== X-Gm-Message-State: AOJu0Yy1cBYOK4tLPNTG2RScEt6eJR8Cxh4Zk2HLMtLJTUlp2aK3o84R zBv6Yzgk70yE5usP4nLZPheikyjtXaZvKq3smsC6IM9HVK98PSsAZ22pkDTJ2cBDmI+Ks6kYyRr 4kWv0sQ1f0T6oF0HnJG/Mx13ZB+gkGSxW6WiZ X-Received: by 2002:a05:6402:b4c:b0:55a:47a0:d8ad with SMTP id bx12-20020a0564020b4c00b0055a47a0d8admr63065edb.3.1705599786153; Thu, 18 Jan 2024 09:43:06 -0800 (PST) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240114223532.290550-1-sameo@rivosinc.com> <20240118033515.2293149-1-biao.lu@intel.com> In-Reply-To: <20240118033515.2293149-1-biao.lu@intel.com> From: Dionna Amalie Glaze Date: Thu, 18 Jan 2024 09:42:50 -0800 Message-ID: Subject: Re: [RFC PATCH v1 0/4] tsm: Runtime measurement registers ABI To: biao.lu@intel.com Cc: sameo@rivosinc.com, dan.j.williams@intel.com, linux-coco@lists.linux.dev, linux-kernel@vger.kernel.org, Joerg Roedel Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Wed, Jan 17, 2024 at 7:36=E2=80=AFPM wrote: > > Samuel Ortiz wrote: > > Some confidential computing architectures (Intel TDX, ARM CCA, RISC-V > > CoVE) provide their guests with a set of measurements registers that ca= n > > be extended at runtime, i.e. after the initial, host-initiated > > measurements of the TVM are finalized. Those runtime measurement > > registers (RTMR) are isolated from the host accessible ones but TSMs > > include them in their signed attestation reports. > > > > All architectures supporting RTMRs expose a similar interface to their > > TVMs: An extension command/call that takes a measurement value and an > > RTMR index to extend it with, and a readback command for reading an RTM= R > > value back (taking an RTMR index as an argument as well). This patch se= ries > > builds an architecture agnostic, configfs-based ABI for userspace to ex= tend > > and read RTMR values back. It extends the current TSM ops structure and > > each confidential computing architecture can implement this extension t= o > > provide RTMR support. > > Hi, Samuel > The ABI does not include eventlog, but eventlog is usually used with RTMR= . > What do you think about how to implement eventlog? > > I had the same question and deleted my reply. The event log in TPM is made available in sysfs only up to the point that control transitions to user space. After that, all extensions to PCRs have to be logged by user space with whatever chosen workload event log representation. I imagine the same is true for RTMRs. What this patch series doesn't take into account is how RTMRs might not be represented in the hardware attestation, but rather would be in a supervisor service whose integrity is chained from hardware attestation. In the configfs-tsm model, tsm/report with its single provider requirement will not be able to interface with the SVSM attestation protocol /and/ the AMD hardware protocol. That may as well be okay, but that's a choice folks need to be aware of. There's still the issue of attesting a single service vs attesting all services in the SVSM. I imagine single service attestation will have to be abandoned. In SVSM, a vTPM is a service that an updated linux driver will be able to get a quote from, and the same AMD SEV-SNP attestation report TSM provider would still be present, but if we want a simpler RTMR service, then we're in a little pickle with this design. --=20 -Dionna Glaze, PhD (she/her)