[svsm-devel] SVSM Development Call - June 12th, 2024
James Bottomley
James.Bottomley at HansenPartnership.com
Wed Jun 12 14:29:00 CEST 2024
On Wed, 2024-06-12 at 12:00 +0200, Stefano Garzarella wrote:
> Hi Claudio,
>
> On Tue, Jun 11, 2024 at 10:46 PM Claudio Siqueira de Carvalho
> <cclaudio at ibm.com> wrote:
> >
> > Hi,
> >
> > I would like to add two topics to the SVSM meeting agenda:
>
> I won't be able to participate in today's call because I'm on my way
> to Brno for DevConf, so I post a few thoughts below.
>
> >
> > - What does TPM locality[1] mean for the SVSM vTPM?
>
> Interesting, IIUC an example could be to use different "localities"
> for SVSM itself, edk2, kernel, etc. right ?
>
> > - Is there any SVSM boot event that we want to record in the TPM
> > PCRs/Event log? E.g. a SVSM configuration, the OVMF hash, etc
>
> Talking with Daniel, it seems that EDK2 is now measuring itself into
> PCR0, so maybe it would be better to do this in SVSM.
> So it would be nice to have SVSM measuring itself in PCR0, SVSM
> measuring EDK2 in PCR0, and EDK2 stopping doing it.
Actually, that's not quite how it should work. edk2 has a three-phase
measurement sequence: the SEC phase, which is the current static root of
trust, adds a self-measurement and then measures PEI (actually this is a
bit of a lie: that's what the spec says EFI is supposed to do, but not
what OVMF actually does, because SEC originally didn't have the
cryptographic ability to do a measurement) and hands off to it. PEI
eventually measures DXE and hands off to it. To keep the sequence
correct, the SVSM-vTPM should really only measure SEC before handing off
to it.

What really happens is that PEI adds both the SCRT measurement and its
own measurement and then measures DXE. I've asked several times if we
could fix this, because it really is a measured boot hole.
James
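The two measurement sequences discussed above (the spec's root-measures-SEC, SEC-measures-PEI, PEI-measures-DXE chain, and the OVMF behaviour where PEI records the root measurement and its own), as an added example that is not code from the SVSM or OVMF projects. It assumes a SHA-256 PCR0 bank, uses constructed byte strings in place of the real firmware volumes, and annotates each event with a "by" field (which component recorded it) that a real TCG event log does not carry; it is there only to make the chain-of-trust check expressible. Both sequences produce the same PCR0 value, so the hole is invisible to a verifier that only compares PCR0, and only a check that every measurer was itself measured earlier (rooted at the SVSM) tells them apart.

```python
import hashlib

# Assumption: SHA-256 PCR bank; PCR0 is all zeros after TPM reset.
PCR_INIT = bytes(32)


def measure(blob: bytes) -> bytes:
    """Digest of a firmware image, as hashed before the extend."""
    return hashlib.sha256(blob).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new PCR value = H(old PCR || digest)."""
    return hashlib.sha256(pcr + digest).digest()


# Constructed stand-ins for the firmware volumes (not real OVMF images).
IMAGES = {
    "SEC": b"constructed SEC firmware volume",
    "PEI": b"constructed PEI firmware volume",
    "DXE": b"constructed DXE firmware volume",
}

# Sequence the spec describes: the root of trust (here the SVSM-vTPM side)
# measures SEC, SEC measures PEI, PEI measures DXE.
SPEC_SEQUENCE = [("SVSM", "SEC"), ("SEC", "PEI"), ("PEI", "DXE")]
# Sequence the mail says OVMF does today: PEI records the SCRT (SEC)
# measurement and its own measurement, then measures DXE.
OVMF_SEQUENCE = [("PEI", "SEC"), ("PEI", "PEI"), ("PEI", "DXE")]


def run_boot(sequence):
    """Simulate a boot: each (measurer, measured) pair extends PCR0 with the
    digest of the measured image and appends an event.  The "by" field is a
    constructed annotation for this example; real event logs lack it."""
    pcr0 = PCR_INIT
    log = []
    for measurer, measured in sequence:
        digest = measure(IMAGES[measured])
        pcr0 = extend(pcr0, digest)
        log.append({"by": measurer, "of": measured, "digest": digest})
    return pcr0, log


def replay(log) -> bytes:
    """Recompute PCR0 from the event log, as a remote verifier would."""
    pcr = PCR_INIT
    for event in log:
        pcr = extend(pcr, event["digest"])
    return pcr


def chain_is_rooted(log, root="SVSM") -> bool:
    """Every measurement must be recorded by a component that was itself
    measured earlier by an already-trusted one, starting at the root.
    A component recording its own or its predecessor's digest fails."""
    trusted = {root}
    for event in log:
        if event["by"] not in trusted:
            return False
        trusted.add(event["of"])
    return True


def tamper(log):
    """Copy of the log with the PEI digest altered but the PCR untouched."""
    bad = [dict(event) for event in log]
    for event in bad:
        if event["of"] == "PEI":
            event["digest"] = measure(b"constructed tampered PEI volume")
    return bad


if __name__ == "__main__":
    spec_pcr, spec_log = run_boot(SPEC_SEQUENCE)
    ovmf_pcr, ovmf_log = run_boot(OVMF_SEQUENCE)
    print("PCR0 identical for both sequences:", spec_pcr == ovmf_pcr)
    print("spec log replays to PCR0:", replay(spec_log) == spec_pcr)
    print("spec chain rooted at SVSM:", chain_is_rooted(spec_log))
    print("OVMF chain rooted at SVSM:", chain_is_rooted(ovmf_log))
    print("tampered log still matches PCR0:", replay(tamper(spec_log)) == spec_pcr)
```

The replay check catches a log that does not match PCR0, but it cannot catch a log whose digests are all correct yet were recorded by code that nobody measured first; that is why `chain_is_rooted` walks the order of measurers rather than the digests, and why the mail argues the SVSM-vTPM should measure SEC before SEC runs rather than let PEI report it afterwards.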