On Mon, Nov 25, 2024 at 05:23:44PM -0500, Stefan Berger wrote:
> 
> On 11/25/24 2:56 PM, Jean-Philippe Brucker wrote:
> > Create an event log, in the format defined by Trusted Computing Group
> > for TPM2. It contains information about the VMM, the Realm parameters,
> > any data loaded into guest memory before boot and the initial vCPU
> > state.
> > 
> > The guest can access this log from RAM and send it to a verifier, to
> > help the verifier independently compute the Realm Initial Measurement,
> > and check that the data we load into guest RAM is known-good images.
> > Without this log, the verifier has to guess where everything is loaded
> > and in what order.
> 
> Typically these logs are backed by extensions of TPM PCRs and when you send
> a log to a verifier you send a TPM quote along with it for the verifier to
> replay the log and check the TPM quote. Also, early code in the firmware is
> typically serving as a root of trust that starts the chain of measurements
> of code and data, first measuring itself and then other parts of the
> firmware before it jumps into the other parts. Now here you seem to just
> have a log and no PCR extensions and therefore no quote over PCRs can be
> used. Then what prevents anyone from faking this log and presenting a
> completely fake log to the verifier?
In addition, a measurement log is just one of the interesting features that
a TPM provides to an OS. The other TPM features are still relevant and useful
to confidential VMs.

As a high level goal I think we should be aiming to make it possible for
users to move their existing VM workloads from non-confidential to
confidential environments, simply as a choice at deployment time. To make
this as practical as possible, confidential VMs need to be aiming to match
non-confidential VM features wherever it is practical to do so. Users &
vendors should not need to build & carry around 2 sets of disk images - one
setup for confidential and one setup for non-confidential. Following
existing standards will reduce the work for OS developers, app developers
and users alike, to adopt the CVM world.

IOW, this is a long winded way of saying that we should be looking to
provide a complete *standards compliant*, trusted TPM implementation to
confidential VMs, not providing a cherry-picked selection of a few TPM-like
features.

On the x86 side of things, the route to providing a trusted TPM is via SVSM,
both for SNP and TDX. Microsoft's recently open-sourced openhcl similarly
provides a st

I don't know so much about RME. Is providing a trusted TPM a job for the
RMM?

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
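The check Stefan describes above (verifier replays the event log into PCR values and compares them against a TPM quote, so that a hand-crafted log is caught) is shown below as an added example. It is not code from this thread, from the Realm patches, or from any TPM stack: the event format is a simplified (pcr, label, digest) tuple rather than the real TCG binary log, the boot sequence is a constructed sample, and an HMAC under a shared key stands in for the attestation-key signature of TPM2_Quote. All names (GOOD_BOOT, EVIL_BOOT, AK_KEY, tpm_quote, verify_with_quote, verify_log_only, scenario) are this example's own.

```python
import hashlib
import hmac

PCR_COUNT = 24
ZERO_PCR = bytes(32)  # SHA-256 bank PCRs start at all-zero

# Constructed sample boot sequence: (PCR index, label, data that gets measured).
GOOD_BOOT = [
    (0, "firmware", b"firmware-image-v1"),
    (4, "bootloader", b"grub-x64.efi"),
    (9, "kernel", b"vmlinuz-6.12"),
    (9, "initrd", b"initrd.img-6.12"),
]

# Same machine, but an attacker swapped the kernel image before boot.
EVIL_BOOT = [(p, l, b"evil-kernel" if l == "kernel" else d) for p, l, d in GOOD_BOOT]

# Stands in for the TPM's attestation key (assumption: HMAC instead of a signature).
AK_KEY = b"attestation-key-secret"


def measure(boot):
    """Log events as the measuring firmware records them: (pcr, label, sha256(data))."""
    return [(pcr, label, hashlib.sha256(data).digest()) for pcr, label, data in boot]


def extend(pcr_value, digest):
    """TPM2 PCR extend for the SHA-256 bank: new = H(old || digest)."""
    return hashlib.sha256(pcr_value + digest).digest()


def replay(log):
    """Recompute every PCR from the log, starting from all-zero PCRs."""
    pcrs = {i: ZERO_PCR for i in range(PCR_COUNT)}
    for pcr, _label, digest in log:
        pcrs[pcr] = extend(pcrs[pcr], digest)
    return pcrs


def pcr_digest(pcrs, selection):
    """pcrDigest as in TPM2_Quote: hash of the selected PCR values concatenated in index order."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(selection))).digest()


def tpm_quote(tpm_pcrs, selection, nonce):
    """Model of TPM2_Quote: the TPM signs pcrDigest over its *own* PCRs plus the verifier's nonce."""
    digest = pcr_digest(tpm_pcrs, selection)
    sig = hmac.new(AK_KEY, nonce + digest, hashlib.sha256).digest()
    return {"selection": tuple(sorted(selection)), "pcr_digest": digest, "sig": sig}


def verify_with_quote(log, quote, nonce):
    """Verifier: check the quote, replay the log, and require the replayed PCRs to match."""
    expected = hmac.new(AK_KEY, nonce + quote["pcr_digest"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, quote["sig"]):
        return False
    replayed = pcr_digest(replay(log), quote["selection"])
    return hmac.compare_digest(replayed, quote["pcr_digest"])


def verify_log_only(log, known_good):
    """Verifier with no quote: all it can do is check that each logged digest is allow-listed."""
    return all(digest in known_good for _pcr, _label, digest in log)


def scenario():
    nonce = b"verifier-nonce-0001"
    selection = (0, 4, 9)
    known_good = {digest for _p, _l, digest in measure(GOOD_BOOT)}

    # Honest boot: the TPM's PCRs and the presented log agree.
    honest_log = measure(GOOD_BOOT)
    honest_quote = tpm_quote(replay(honest_log), selection, nonce)

    # Compromised boot: firmware measured the evil kernel into PCR 9, but the
    # attacker presents a hand-crafted log claiming the good kernel was loaded.
    real_log = measure(EVIL_BOOT)
    forged_log = measure(GOOD_BOOT)
    evil_quote = tpm_quote(replay(real_log), selection, nonce)

    return {
        "honest_quote_ok": verify_with_quote(honest_log, honest_quote, nonce),
        "forged_log_only_ok": verify_log_only(forged_log, known_good),        # fooled
        "forged_with_quote_ok": verify_with_quote(forged_log, evil_quote, nonce),  # caught
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

The forged log passes the allow-list check because every digest in it really is a known-good image; only the quote, which binds the verifier to what the TPM actually extended, exposes that PCR 9 was built from a different kernel. The nonce in the quote is what stops an old, honest quote being replayed alongside the forged log.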