[svsm-devel] Questions about crypto support

Fri Sep 22 23:04:45 CEST 2023

Hi everybody,

In the last SVSM meeting we started to discuss some design questions related to
crypto support and I mentioned that I could open a github issue for us to
continue the discussion. However, I have the impression that mailing lists have
worked better for discussions. Let me know if this is not the case.

Since the crypto support questions applies directly to the context of vTPM and
attestation, I also added a block diagram below to help us visualize the big
picture.

Feel free to add new questions or information that you find relevant.

Thanks,
Claudio

Questions
---------

Q1) FIPS 140 certification. Should we consider OpenSSL as a static or shared
library? 

Q2) How should we handle build dependencies between CPL3 modules? E.g. the vTPM
(Microsoft TPM impl.) build depends on the OpenSSL library.

Q3) What libc implementation should we use to build OpenSSL and other CPL3
modules?

Q4) Interface 1. How CPL0 code should communicate with CPL3 code?

Q5) Interface 2. CPL0 to CPL3 communication may need to carry secrets (e.g.
VMPCK0 key), how should we do that securely?

Q6) Interface 3. How a CPL3 module should communicate with other CPL3 modules?
It may also need to carry secrets such as keys.

Appendix 1: vTPM and attestation as a use case
----------------------------------------------

           .-------------.     .-------------.
           |   Runtime   |     | Attestation |
  -------->|  Protocols  |---->|   Report    |
           '-------------'     '-------------'
                  |                   |
                  |                   v
                  |            .------------.
                  |            | Crypto API |-----.
                  |            '------------'     v
                  |                           .------.
              Interface 1                     | ossl |
                  |                           '------'
                  |                               | 
          CPL0    |                          Interface 2
      |-------------------------------------------|-------|
          CPL3    |                               |
                  |                               |
                  v                               v
           .------------.                    .---------.
           |    vTPM    |                    | OpenSSL |
           |   Module   |----Interface 3---->| Module  |
           '------------'                    '---------'

A1-1) CPL0: Runtime Protocols
-----------------------------

SVSM protocols described in the SVSM spec:
- Core
- Attestation
- vTPM

A1-2) CPL0: Attestation Report
------------------------------

Implements the attestation report feature. When a VMPL0 attestation report is
requested, the request needs to be encrypted/decrypted with the VMPCK0 key
using AES-GCM.

A1-3) CPL0: Crypto API
----------------------

SVSM kernel interface (Rust trait) that abstracts the crypto module running in
CPL3.

Example in pseudo-code:

aes_gcm_encrypt(key, iv, aad, cleartext, ciphertext, authtag)
aes_gcm_decrypt(key, iv, aad, ciphertext, authtag, cleartext)

A1-4) CPL0: ossl
----------------

Crypto API implementation (wrappers) for OpenSSL.

A1-5) CPL3: vTPM Module
-----------------------

Microsoft TPM 2.0 reference (ms-tpm-20-ref) implementation; only the TPM
Simulator interface is exported.

The ms-tpm-20-ref build requires OpenSSL (or WolfSSL).

A1-6) CPL3: OpenSSL Module
--------------------------

OpenSSL library built to run in the restricted SVSM environment. Summary of the
build steps we have used (inspired on how OVMF builds OpenSSL):

- create a svsm_openssl.config that sets some compiler flags and inherited
  configs.
- disable crypto modules not needed
- reduce memory footprint
- link it against the libcrt library, which is a small libc we crafted to build
  OpenSSL (libcrt) and the Microsoft TPM.