Re: [Qemu-devel] [PATCH] hw/misc: Add simple measurement hardware

2016-07-19 Thread Dr. David Alan Gilbert
* Matthew Garrett (mj...@coreos.com) wrote: > On Fri, Jul 15, 2016 at 4:29 AM, Dr. David Alan Gilbert > wrote: > > > * Matthew Garrett (mj...@coreos.com) wrote: > >a) (one that works) 'are all the VMs on my hosts running trusted OSs' > > That works with this just

Re: [Qemu-devel] [PATCH] hw/misc: Add simple measurement hardware

2016-07-18 Thread Matthew Garrett
On Jul 18, 2016 17:46, "Stefan Berger" wrote: > > > Matthew Garrett wrote on 07/18/2016 08:39:07 PM: > > > > > > On Jul 18, 2016 17:08, "Stefan Berger" wrote: > > > The point of the TPM is that the device that holds the state of > > the

Re: [Qemu-devel] [PATCH] hw/misc: Add simple measurement hardware

2016-07-18 Thread Stefan Berger
Matthew Garrett wrote on 07/18/2016 08:39:07 PM: > > On Jul 18, 2016 17:08, "Stefan Berger" wrote: > > The point of the TPM is that the device that holds the state of > the PCRs provides the signatures over their state rather than some > other 'entity'

Re: [Qemu-devel] [PATCH] hw/misc: Add simple measurement hardware

2016-07-18 Thread Matthew Garrett
On Jul 18, 2016 17:08, "Stefan Berger" wrote: > The point of the TPM is that the device that holds the state of the PCRs provides the signatures over their state rather than some other 'entity' whose trustworthiness wouldn't be clear. Admittedly the device comes with its own

Re: [Qemu-devel] [PATCH] hw/misc: Add simple measurement hardware

2016-07-18 Thread Stefan Berger
Matthew Garrett <mj...@coreos.com> wrote on 07/18/2016 07:52:22 PM: > Subject: Re: [Qemu-devel] [PATCH] hw/misc: Add simple measurement hardware > > On Mon, Jul 18, 2016 at 4:40 PM, Stefan Berger <stef...@us.ibm.com> wrote: > > The TPM security's model related to

Re: [Qemu-devel] [PATCH] hw/misc: Add simple measurement hardware

2016-07-18 Thread Stefan Berger
Matthew Garrett wrote on 07/18/2016 05:26:03 PM: > > On Fri, Jul 15, 2016 at 11:11 AM, Stefan Berger wrote: > > > > > > Typically the TPM is there for the reason: it is a hardware root > of trust that signs the current state of the PCRs that were >

Re: [Qemu-devel] [PATCH] hw/misc: Add simple measurement hardware

2016-07-18 Thread Matthew Garrett
On Mon, Jul 18, 2016 at 4:40 PM, Stefan Berger wrote: > The TPM security's model related to logs, the state of the PCRs, and > attestation involves the following pieces: > > - PCRs > - measurement log > - EK + certificate > - platform certificate > - AIK + certificate > -

Re: [Qemu-devel] [PATCH] hw/misc: Add simple measurement hardware

2016-07-18 Thread Matthew Garrett
On Fri, Jul 15, 2016 at 11:11 AM, Stefan Berger wrote: > > Are you also providing a measurement log that goes along with these PCR > extensions? Like a measurement log we have in the TCPA ACPI table? Just > measurements without knowing what was measured wouldn't be all that

Re: [Qemu-devel] [PATCH] hw/misc: Add simple measurement hardware

2016-07-18 Thread Matthew Garrett
On Fri, Jul 15, 2016 at 4:29 AM, Dr. David Alan Gilbert wrote: > * Matthew Garrett (mj...@coreos.com) wrote: >a) (one that works) 'are all the VMs on my hosts running trusted OSs' > That works with this just as well as with a vTPM; you ask your > hypervisor to >

Re: [Qemu-devel] [PATCH] hw/misc: Add simple measurement hardware

2016-07-15 Thread Stefan Berger
"Dr. David Alan Gilbert" wrote on 07/15/2016 07:29:24 AM: > > * Matthew Garrett (mj...@coreos.com) wrote: > > Hi Matthew, > (Ccing in Stefan who has been trying to get vTPM in for years and >Paolo for any x86ism and especially the ACPIisms, and Daniel for > crypto

Re: [Qemu-devel] [PATCH] hw/misc: Add simple measurement hardware

2016-07-15 Thread Dr. David Alan Gilbert
* Matthew Garrett (mj...@coreos.com) wrote: Hi Matthew, (Ccing in Stefan who has been trying to get vTPM in for years and Paolo for any x86ism and especially the ACPIisms, and Daniel for crypto stuff) I'll repeat some of my comments from yesterday's irc chat so you can reply on list. So

Re: [Qemu-devel] [PATCH] hw/misc: Add simple measurement hardware

2016-07-14 Thread Matthew Garrett
On Thu, Jul 14, 2016 at 11:54 PM, Daniel P. Berrange wrote: > On Thu, Jun 23, 2016 at 04:36:59PM -0700, Matthew Garrett wrote: > > In combination with work in SeaBIOS and the kernel, this permits a fully > measured > > boot in a virtualised environment without the overhead

Re: [Qemu-devel] [PATCH] hw/misc: Add simple measurement hardware

2016-07-14 Thread Daniel P. Berrange
On Thu, Jun 23, 2016 at 04:36:59PM -0700, Matthew Garrett wrote: > Trusted Boot is based around having a trusted store of measurement data and a > secure communications channel between that store and an attestation target. In > actual hardware, that's a TPM. Since the TPM can only be accessed via

Re: [Qemu-devel] [PATCH] hw/misc: Add simple measurement hardware

2016-07-14 Thread Matthew Garrett
Any feedback on this?

[Qemu-devel] [PATCH] hw/misc: Add simple measurement hardware

2016-06-23 Thread Matthew Garrett
Trusted Boot is based around having a trusted store of measurement data and a secure communications channel between that store and an attestation target. In actual hardware, that's a TPM. Since the TPM can only be accessed via the host system, this in turn requires that the TPM be able to perform