From: Dionna Amalie Glaze <dionnaglaze@google.com>
To: Dan Williams <dan.j.williams@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>,
	linux-coco@lists.linux.dev,  Borislav Petkov <bp@alien8.de>,
	Brijesh Singh <brijesh.singh@amd.com>,
	 Jeremi Piotrowski <jpiotrowski@linux.microsoft.com>,
	peterz@infradead.org,
	 sathyanarayanan.kuppuswamy@linux.intel.com,
	dave.hansen@linux.intel.com,  Erdem Aktas <erdemaktas@google.com>
Subject: Re: [PATCH v5 6/7] virt: sevguest: Add TSM_REPORTS support for SNP_GET_EXT_REPORT
Date: Wed, 11 Oct 2023 15:21:38 -0700
Message-ID: <CAAH4kHatSdJ31sTSqKEEsNYfuhZmn3Z2WGMBLcErt4qTKJV1RA@mail.gmail.com>
In-Reply-To: <652713f6d5bac_780ef294b9@dwillia2-xfh.jf.intel.com.notmuch>

> >
> > I agree with Dionna here, you must keep the GUID<-->Cert relationship
> > here. I think you can just copy the full returned cert buffer into the
> > destination buffer. Then it would look just like what the ioctl() returns
> > and make it easier for userspace programs to switch to the new mechanism.
>
> This reverses the feedback from Jeremi where he asked for a separate
> "certs" file.
>
> Hmm, perhaps this should be an optional @auxblob attribute where a
> backend can publish supplemental data to the report. The issue from a
> common ABI perspective is that the SNP report format is independent of
> the conveyed certificates and the TDX quote format includes a reference
> to the "certs" from the "reportblob". In the SNP case that certs
> reference is conveyed in the ioctl envelope which does not exist in the
> configfs-tsm case.
>
> So the proposal is @auxblob is documented as supplemental data to the
> report, and then when @provider indicates "sev-guest" the format of
> @auxblob is defined by 'struct cert_table' in GHCB 4.1.8.1
> MSG_REPORT_REQ.
>
> In the @provider == "tdx-guest" case the @auxblob attribute is hidden,
> or empty.

auxblob might need to get added anyways, because the quoting enclave's
embedding of the PCK certificate isn't through PEM but a decomposition
into big endian integer pairs for the ECDSA curve.
This makes extension for a platform maintainer to provide cached RIMs
for things like trusted I/O devices and vendored firmware much more
difficult.

I would need Intel to comment more directly on
https://github.com/intel/SGXDataCenterAttestationPrimitives/issues/336


--
-Dionna Glaze, PhD (she/her)
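
The GUID-to-certificate lookup that the thread wants userspace to keep, as an added example (not code from the patch series or from any participant). It assumes the GHCB `cert_table` layout of 24-byte entries (16-byte GUID, little-endian 32-bit offset and length measured from the start of the blob) ended by an all-zero entry; the GUIDs, payloads and the names `cert_table_lookup` and `demo` are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

#define GUID_LEN  16
#define ENTRY_LEN 24	/* assumed entry: guid[16], le32 offset, le32 length */

static uint32_t le32(const uint8_t *p)	/* alignment-safe little-endian read */
{
	return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* 0: found (*cert and *len set); -1: GUID absent; -2: malformed table. */
int cert_table_lookup(const uint8_t *blob, size_t blob_len,
		      const uint8_t *guid, const uint8_t **cert, size_t *len)
{
	static const uint8_t zero[ENTRY_LEN];

	for (size_t pos = 0; pos + ENTRY_LEN <= blob_len; pos += ENTRY_LEN) {
		const uint8_t *e = blob + pos;
		uint32_t off = le32(e + 16), n = le32(e + 20);
		if (!memcmp(e, zero, ENTRY_LEN))
			return -1;	/* all-zero terminator reached */
		if (off > blob_len || n > blob_len - off)
			return -2;	/* cert range escapes the blob */
		if (!memcmp(e, guid, GUID_LEN)) {
			*cert = blob + off;
			*len = n;
			return 0;
		}
	}
	return -2;			/* no terminator inside the blob */
}

/* Constructed sample: two entries, terminator, then "CERTA" and "CERTB".
 * Returns the last byte of the matching cert, or the lookup error. */
int demo(uint8_t tag, size_t blob_len)
{
	uint8_t buf[82] = { 0 }, guid[GUID_LEN];
	const uint8_t *cert = NULL;
	size_t len = 0;
	memset(buf, 0xA1, GUID_LEN);		/* entry 0: constructed GUID */
	buf[16] = 72; buf[20] = 5;		/* offset 72, length 5 */
	memset(buf + 24, 0xB2, GUID_LEN);	/* entry 1: constructed GUID */
	buf[40] = 77; buf[44] = 5;		/* offset 77, length 5 */
	memcpy(buf + 72, "CERTACERTB", 10);
	memset(guid, tag, GUID_LEN);
	int rc = cert_table_lookup(buf, blob_len, guid, &cert, &len);
	return rc ? rc : cert[len - 1];
}
```

Passing a `blob_len` shorter than 82 to `demo` simulates a truncated read of the blob, which the range check reports as malformed instead of reading past the buffer.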
