[svsm-devel] vTPM service attestation format update
Dionna Amalie Glaze
dionnaglaze at google.com
Wed Mar 26 22:01:55 CET 2025
As the selector is used to drive a create_primary command, it's
possible for the command to fail before getting to the attestation
report creation.
If this svsm attestation report fails with invalid_parameter, then
sev-guest will retry in a loop thinking the only way for the request
to fail is due to output buffer sizes being wrong.
I think in addition to the selector address and length, I'll use the
would-be-reserved 4 following bytes for an error code related to the
selector. If this is set, then the attestation should not be retried.
Does it make sense to add the error code as a RO configfs attribute?
We can make it visible only if the write generation is the same as the
generation it was when the error code was recorded.
On Fri, Mar 7, 2025 at 9:51 AM Dionna Amalie Glaze
<dionnaglaze at google.com> wrote:
>
> On Fri, Mar 7, 2025 at 6:24 AM James Bottomley
> <James.Bottomley at hansenpartnership.com> wrote:
> >
> > On Fri, 2025-03-07 at 11:48 +0000, Geoffrey Ndu wrote:
> > > Since the single_service_manifest call for the vTPM effectively
> > > certifies EKs, why don’t the “selector” be the handle values for EK
> > > certificates, as specified by the TCG in 2.2.2.5.1 of “TCG EK
> > > Credential Profile For TPM Family 2.0; Level 0”? This approach would
> > > simplify the user experience, as every SVSM would function
> > > identically, and SVSM vTPMs would exhibit analogous behaviour to
> > > physical TPMs.
> >
> > Because to make life easier we might want to short circuit the EK/AK
> > makecredential/activatecredential round trip and simply construct a
> > signing EK to use in place of an arbitrary AK. Then to make the
> > signing EK easily useful, we might want it not to have a policy
> > statement tying it to the endorsement hierarchy password (particularly
> > as we know that will be empty). To allow this type of thing we need to
> > allow flexibility in the EK creation which isn't listed in the TCG
> > profile EK templates.
> >
>
> I have local changes to tpm-rs that I haven't pushed to make this
> commit work on its own, but this is what I'm prototyping.
>
> https://github.com/coconut-svsm/svsm/commit/db1ad6018b04b995e0278455eb2f9a66569cbcc9
>
> > Regards,
> >
> > James
> >
>
>
> --
> -Dionna Glaze, PhD, CISSP, CCSP (she/her)
--
-Dionna Glaze, PhD, CISSP, CCSP (she/her)
More information about the Svsm-devel
mailing list