On 11/25/24 2:56 PM, Jean-Philippe Brucker wrote:
Create an event log, in the format defined by Trusted Computing Group
for TPM2. It contains information about the VMM, the Realm parameters,
any data loaded into guest memory before boot and the initial vCPU
state.
The guest can access this log from RAM and send it to a verifier, to
help the verifier independently compute the Realm Initial Measurement,
and check that the data we load into guest RAM is known-good images.
> Without this log, the verifier has to guess where everything is
loaded> and in what order.
Typically these logs are backed by extensions of TPM PCRs and when you
send a log to a verifier you send a TPM quote along with it for the
verifer to replay the log and check the TPM quote. Also, early code in
the firmware is typically serving as a root of trust that starts the
chain of measurements of code and data, first measuring itself and then
other parts of the firmware before it jumps into the other parts. Now
here you seem to just have a log and no PCR extensions and therefore no
quote over PCRs can be used. Then what prevents anyone from faking this
log and presenting a completely fake log to the verifier?
