From: Tom Lendacky <thomas.lendacky@amd.com>
To: Dionna Amalie Glaze <dionnaglaze@google.com>
Cc: linux-kernel@vger.kernel.org, x86@kernel.org,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
"H. Peter Anvin" <hpa@zytor.com>,
Andy Lutomirski <luto@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Dan Williams <dan.j.williams@intel.com>,
Michael Roth <michael.roth@amd.com>,
Ashish Kalra <ashish.kalra@amd.com>
Subject: Re: [PATCH 10/11] x86/sev: Extend the config-fs attestation support for an SVSM
Date: Thu, 1 Feb 2024 15:14:49 -0600 [thread overview]
Message-ID: <d91b980c-b019-415d-8549-af4890a21d2f@amd.com> (raw)
In-Reply-To: <CAAH4kHaw7Cpq713sPW2-+TTzmy41O8qHRKYsG2MO06vF1eSJaQ@mail.gmail.com>
On 1/29/24 14:04, Dionna Amalie Glaze wrote:
> On Mon, Jan 29, 2024 at 7:02 AM Tom Lendacky <thomas.lendacky@amd.com> wrote:
>>
>> On 1/26/24 19:27, Dionna Amalie Glaze wrote:
>>> On Fri, Jan 26, 2024 at 2:19 PM Tom Lendacky <thomas.lendacky@amd.com> wrote:
>>>>
>>>> When an SVSM is present, the guest can also request attestation reports
>>>> from the SVSM. These SVSM attestation reports can be used to attest the
>>>> SVSM and any services running within the SVSM.
>>>>
>>>> Extend the config-fs attestation support to allow for an SVSM attestation
>>>> report. This involves creating four (4) new config-fs attributes:
>>>>
>>>> - 'svsm' (input)
>>>> This attribute is used to determine whether the attestation request
>>>> should be sent to the SVSM or to the SEV firmware.
>>>
>>> This is where I'm torn. If there's an SVSM, it's there to provide
>>> paravirtualization for unenlightened guests /or/ it's there to protect
>>
>> An SVSM is for enlightened guests. A para-visor would be for unenlightened
>> guests.
>>
>>> runtime measurement registers. I don't see there being any particular
>>> value in bifurcating the attestation report space by adding this
>>> option. If there's an SVSM present, the configfs-tsm report should
>>> return the full SVSM attestation only.
>>
>> I don't necessarily agree with that. The guest should still be able to
>> request a traditional attestation report.
>>
>> Maybe I can remove the SVSM attribute and direct the call based on
>> requested VMPL level. If VMPL0 is requested, it goes through the SVSM.
>> If VMPL1+ is requested, it goes to the ASP.
>>
>> That would mean that the privlevel_floor would need to stay at zero.
>>
>>>
>>>>
>>>> - 'service_guid' (input)
>>>> Used for requesting the attestation of a single service within the
>>>> SVSM. A null GUID implies that the SVSM_ATTEST_SERVICES call should
>>>> be used to request the attestation report. A non-null GUID implies
>>>> that the SVSM_ATTEST_SINGLE_SERVICE call should be used.
>>>>
>>>> - 'service_version' (input)
>>>> Used with the SVSM_ATTEST_SINGLE_SERVICE call, the service version
>>>> represents a specific service manifest version be used for the
>>>> attestation report.
>>>
>>> I know that this is specified for the SVSM, but I still don't know
>>> what the intended use case is such that we wouldn't simply always
>>> return the full service manifest.
>>> I can see an argument for an evidence requester not being ready for a
>>> new manifest version and wanting the older version until they can
>>> bridge the gap. I don't see that as needing configuration from the
>>> user space. We can either require new service GUIDs for new versions,
>>> require manifest ABIs to be internally versioned to be additive-only
>>> to not break verifiers that understand up to manifest byte X, or we
>>> allow breaking version changes through control plane configuration
>>> that's passed directly to the SVSM.
>>>
>>> New versions get new GUIDs allows for gradual deprecation at the
>>> expense of size. I think that is a reasonable trade-off to keep from
>>> making tsm/report vendor-specific.
>>
>> This was requested and discussed during the SVSM spec review and there
>> were no objections raised. See the this thread where this was discussed:
>>
>> https://lore.kernel.org/linux-coco/09819cb3-1938-fe86-b948-28aaffbe584e@amd.com/
>>
>
> We also hadn't had the configfs-tsm unification point, so I think it's
> worth folding in that discussion.
> In terms of querying specific services, would you help me with a
> concrete example of where the evidence collector ought to query a
> specific version instead of the service enumeration?
Here is where the request was initially brought up:
https://lore.kernel.org/linux-coco/fbc84da05c5343c5228c5adb697d4b66f1ea6308.camel@HansenPartnership.com/
>
>> The changes you're requesting would require a new version of the spec
>> and updates to the protocol.
>>
>
> I think the changes I'm requesting are to just limit the exposure of
> the protocol to linux. What specifically about what I wrote requires a
> change to the spec? Is it the lack of plural handling of 'its GUID
> value' in "Each service will document its GUID value and the format of
> its manifest content."?
The spec is currently written so that a service has a single GUID. If I
understand correctly, you are asking that each version of the manifest
for a service gets a unique GUID. That would require a change to the
specification to document such a behavior and possibly a protocol
modification to somehow indicate to ignore the version field when
requesting a single service attestation or a new protocol that does not
take/use a version.
Thanks,
Tom
>
>>>
>>>>
>>>> - 'manifestblob' (output)
>>>> Used to return the service manifest associated with the attestation
>>>> report.
>>>
>>> Given the above, I think we can just append the manifest to the report
>>> since the report size is known a priori.
>>
>> We could have theoretically done the same thing with the auxblob (certs
>> data), but that is separate. I prefer the idea of having an individual
>> entry per piece of data being returned.
>
> Fair enough, another RO blob seems okay enough.
>
>>
>> Thanks,
>> Tom
>>
>>>
next prev parent reply other threads:[~2024-02-01 21:14 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-26 22:15 [PATCH 00/11] Provide SEV-SNP support for running under an SVSM Tom Lendacky
2024-01-26 22:15 ` [PATCH 01/11] x86/sev: Rename snp_init() in the boot/compressed/sev.c file Tom Lendacky
2024-01-27 0:05 ` Dionna Amalie Glaze
2024-01-27 14:38 ` Tom Lendacky
2024-01-26 22:15 ` [PATCH 02/11] x86/sev: Make the VMPL0 checking function more generic Tom Lendacky
2024-01-26 22:15 ` [PATCH 03/11] x86/sev: Check for the presence of an SVSM in the SNP Secrets page Tom Lendacky
2024-01-26 22:15 ` [PATCH 04/11] x86/sev: Use kernel provided SVSM Calling Areas Tom Lendacky
2024-01-27 0:45 ` Dionna Amalie Glaze
2024-01-27 14:43 ` Tom Lendacky
2024-01-26 22:15 ` [PATCH 05/11] x86/sev: Perform PVALIDATE using the SVSM when not at VMPL0 Tom Lendacky
2024-01-27 0:59 ` Dionna Amalie Glaze
2024-01-27 15:18 ` Tom Lendacky
2024-01-26 22:15 ` [PATCH 06/11] x86/sev: Use the SVSM to create a vCPU when not in VMPL0 Tom Lendacky
2024-01-26 22:16 ` [PATCH 07/11] x86/sev: Provide SVSM discovery support Tom Lendacky
2024-01-29 10:41 ` Jeremi Piotrowski
2024-01-29 15:18 ` Tom Lendacky
2024-01-26 22:16 ` [PATCH 08/11] x86/sev: Provide guest VMPL level to userspace Tom Lendacky
2024-01-27 1:06 ` Dionna Amalie Glaze
2024-01-27 15:43 ` Tom Lendacky
2024-01-26 22:16 ` [PATCH 09/11] virt: sev-guest: Choose the VMPCK key based on executing VMPL Tom Lendacky
2024-01-26 22:16 ` [PATCH 10/11] x86/sev: Extend the config-fs attestation support for an SVSM Tom Lendacky
2024-01-27 1:27 ` Dionna Amalie Glaze
2024-01-29 15:02 ` Tom Lendacky
2024-01-29 20:04 ` Dionna Amalie Glaze
2024-02-01 21:14 ` Tom Lendacky [this message]
2024-02-02 7:10 ` Dan Williams
2024-02-05 23:29 ` Kuppuswamy, Sathyanarayanan
2024-02-06 18:53 ` Tom Lendacky
2024-02-06 18:48 ` Tom Lendacky
2024-02-13 2:34 ` Dan Williams
2024-02-16 19:07 ` Tom Lendacky
2024-02-16 20:46 ` Dan Williams
2024-02-23 20:41 ` Tom Lendacky
2024-02-24 0:02 ` Dan Williams
2024-02-26 14:42 ` Tom Lendacky
2024-01-26 22:16 ` [PATCH 11/11] x86/sev: Allow non-VMPL0 execution when an SVSM is present Tom Lendacky
2024-02-12 10:40 ` [PATCH 00/11] Provide SEV-SNP support for running under an SVSM Reshetova, Elena
2024-02-16 19:46 ` Tom Lendacky
2024-02-19 16:57 ` Shutemov, Kirill
2024-02-19 17:54 ` Reshetova, Elena
2024-02-23 20:23 ` Tom Lendacky
2024-02-27 14:56 ` Reshetova, Elena
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d91b980c-b019-415d-8549-af4890a21d2f@amd.com \
--to=thomas.lendacky@amd.com \
--cc=ashish.kalra@amd.com \
--cc=bp@alien8.de \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=dionnaglaze@google.com \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=michael.roth@amd.com \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.