Hi all, Thank you all for the feedback.
> > In Intel, we had discussed and we did see the potential security risk. As I > > mentioned in the first email, "In case that any the guest component only > > knows one of vTPM or RTMR, and only extends one of vTPM or RTMR, but the > > other one only verifies the other, then the chain of trust is broken." > > Thank you for bringing it up. Unfortunately, it is the current status even without this patch. On a TDX VM with Grub boot: TDVF, Shim, Grub extend their measurements into RTMR. Shim, Grub extend their measurements into TPM. We are seeking to add a non-default, build-time option that makes TDVF also extend its measurement into TPM. The measurement skew should not be a huge security concern. Yes, some environments won't be able to successfully attest. Again, we are talking about TDX VMs. The security property of a TEE should be based on the attestation results. The attestation verifier/service (e.g., Intel ITA) should examine the quote and check if the chain of trust is broken. And the end user should only be trusting attestations that contain full boot chains that are known to correctly measure every step into the relevant device. > > I think it is a bad idea to go and apply changes all across the boot > software ecosystem to measure the same assets into different > measurement protocols. I'mm afraid it creates technical debt that will > come and bite us in the future. Could you shed some lights on why it creates technical debts? > > Given that RTMR is a proper subset of vTPM (modulo the PCR/RTMR index > conversion), I feel that it should be the CoCo firmware's > responsibility to either: > - expose RTMR and not vTPM > - expose vTPM, and duplicate each measurement into RTMR as they are taken > > However, I understand that this is only viable for execution under the > UEFI boot services, and after that, the vTPM and RTMR are exposed in > different ways to the OS. Yes, they are exposed in different ways. In Linux, the TPM driver uses the mmio interface rather than the EFI service. Even if EFI_TCG2_PROTOCOL is not installed, the TPM as a device is still visible to the guest. The RTMR values are included in the TD report and could be extended through a TDCALL. The security concern caused by not measuring into every device that is available is a concern. Please see CVE-2021-42299. > > Could someone explain how that piece of the puzzle is supposed to > work? Do we measure into RTMR after ExitBootServices()? Yes, we still measure into RTMR after ExitBootServices() [1]. One example is measuring container images into RTMR2 during the loading [2]. Link: [1] https://lore.kernel.org/lkml/20240128212532.2754325-1-sa...@rivosinc.com/ [2] https://github.com/confidential-containers/guest-components/pull/467/ -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#117719): https://edk2.groups.io/g/devel/message/117719 Mute This Topic: https://groups.io/mt/105070442/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
