Date: Fri, 2 Feb 2024 17:07:35 -0600
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH v2 0/4] tsm: Runtime measurement registers ABI
To: James Bottomley, Samuel Ortiz, Dan Williams
Cc: Kuppuswamy Sathyanarayanan, Qinkun Bao, "Yao, Jiewen", "Xing, Cedric",
 Dionna Amalie Glaze, biao.lu@intel.com, linux-coco@lists.linux.dev,
 linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20240128212532.2754325-1-sameo@rivosinc.com>
From: Dan Middleton

On 2/2/24 12:24 AM, James Bottomley wrote:
> On Sun, 2024-01-28 at 22:25 +0100, Samuel Ortiz wrote:
>> All architectures supporting RTMRs expose a similar interface to
>> their TVMs: An extension command/call that takes a measurement value
>> and an RTMR index to extend it with, and a readback command for
>> reading an RTMR value back (taking an RTMR index as an argument as
>> well). This patch series builds an architecture agnostic,
>> configfs-based ABI for userspace to extend and read RTMR values back.
>> It extends the current TSM ops structure and each confidential
>> computing architecture can implement this extension to provide RTMR
>> support.
> What's the actual use case for this? At the moment the TPM PCRs only
> provide a read interface to userspace (via
> /sys/class/tpm/tpmX/pcr-shaY/Z) and don't have any extension ability
> because nothing in userspace currently extends them.
>
> The only current runtime use for TPM PCRs is IMA, which is in-kernel
> (and which this patch doesn't enable).
>
> Without the ability to log, this interface is unusable anyway, but even
> with that it's not clear that you need the ability separately to extend
> PCRs because the extension and log entry should be done atomically to
> prevent the log going out of sync with the PCRs, so it would seem a log
> first interface would be the correct way of doing this rather than a
> PCR first one.
>
> James
>
>

While we clearly need to cover PCR-like usages, I think Confidential
Computing affords usages that go beyond TPM.

For example, Attested Containers [1] (and similar explorations in CNCF
Confidential Containers [2]) extends the measurement chain into the
guest. There, a trusted agent measures container images, and extends an
RTMR with those measurements. Particularly in the case of containers,
the existing runtime infrastructure is user mode oriented. However the
generalization here is in providing a mechanism to strongly identify an
application or behavior provided by the TVM.

Less concretely, I think this is an area for developer creativity.
Attestation is one of the main APIs that CC gives application developers
and these runtime extendable fields provide a further degree of
creativity.

[1] ACON https://github.com/intel/acon
[2] CoCo https://github.com/confidential-containers/guest-components/commit/3c75201a8ba0327fb41b68b7e1521ff517e3ca9f

Regards,
Dan
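
The extend/readback semantics and the log-synchronisation concern discussed in this thread, as an added example that is not part of the original email or the patch series. It is an in-memory model only: the class and function names are hypothetical, the 48-byte SHA-384 register width and the TPM-style `new = H(old || digest)` extend rule are assumptions, and no real configfs path is used.

```python
import hashlib

DIGEST_LEN = 48  # assumption: SHA-384-wide registers


class MeasuredGuest:
    """Hypothetical in-memory model of a TVM's RTMRs and its event log."""

    def __init__(self, n_rtmrs=4):
        self.rtmr = [bytes(DIGEST_LEN) for _ in range(n_rtmrs)]
        self.log = []  # entries: (rtmr_index, digest, description)

    def extend(self, index, digest):
        """Register-first extend: updates the RTMR, writes no log entry."""
        if len(digest) != DIGEST_LEN:
            raise ValueError("digest must be %d bytes" % DIGEST_LEN)
        self.rtmr[index] = hashlib.sha384(self.rtmr[index] + digest).digest()

    def log_and_extend(self, index, data, description):
        """Log-first extend: the entry and the extend happen in one call."""
        digest = hashlib.sha384(data).digest()
        self.log.append((index, digest, description))
        self.extend(index, digest)


def replay(log, n_rtmrs=4):
    """Verifier side: recompute the expected RTMR values from the log alone."""
    regs = [bytes(DIGEST_LEN) for _ in range(n_rtmrs)]
    for index, digest, _description in log:
        regs[index] = hashlib.sha384(regs[index] + digest).digest()
    return regs


def log_matches_registers(guest):
    # A real verifier would take the register values from a signed
    # attestation report rather than reading them from the guest object.
    return replay(guest.log, len(guest.rtmr)) == guest.rtmr


def demo():
    guest = MeasuredGuest()
    # Constructed sample inputs standing in for container image contents.
    guest.log_and_extend(2, b"constructed container image A", "image A")
    guest.log_and_extend(2, b"constructed container image B", "image B")
    in_sync = log_matches_registers(guest)
    # A bare extend with no matching log entry: the register can no
    # longer be explained by replaying the log.
    guest.extend(2, hashlib.sha384(b"constructed unlogged event").digest())
    return in_sync, log_matches_registers(guest)
```
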