Hello all,

On Thu, 11 Apr 2024 at 03:20, Yao, Jiewen <jiewen....@intel.com> wrote:
>
> Hi Dionna/Qinkun
> I am not sure if systemd is the last software in guest we need to patch to
> support coexistence to extend the measurement.
> Are you aware of any other Linux guest software that needs to be updated? Such as
> Linux IMA (Integrity Measurement Architecture)?
>
> To move this forward.
>
> In Intel, we had discussed and we did see the potential security risk. As I
> mentioned in the first email, "In case that any the guest component only
> knows one of vTPM or RTMR, and only extends one of vTPM or RTMR, but the
> other one only verifies the other, then the chain of trust is broken."
>
> At the same time, we also respect that it might be a valid use case for Google.
> I would like to ask the opinion of the EDKII community, especially the OVMF
> and CC maintainers and reviewers.
>
>
> Hi Ard Biesheuvel
> Do you think Kernel is OK with this coexistence proposal?
> Are you willing to give "reviewed-by"?
>
I think it is a bad idea to go and apply changes all across the boot software
ecosystem to measure the same assets into different measurement protocols. I'm
afraid it creates technical debt that will come and bite us in the future.

Given that RTMR is a proper subset of vTPM (modulo the PCR/RTMR index
conversion), I feel that it should be the CoCo firmware's responsibility to
either:
- expose RTMR and not vTPM
- expose vTPM, and duplicate each measurement into RTMR as they are taken

However, I understand that this is only viable for execution under the UEFI
boot services, and after that, the vTPM and RTMR are exposed in different ways
to the OS.

Could someone explain how that piece of the puzzle is supposed to work? Do we
measure into RTMR after ExitBootServices()?

View/Reply Online (#117616): https://edk2.groups.io/g/devel/message/117616
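The "duplicate each measurement into RTMR as it is taken" behaviour discussed in this thread, next to the broken case where a guest component extends only the vTPM, and the event-log replay a verifier would use to detect the gap, as an added Python example that is not part of the thread, EDK2 or any firmware. The PCR-to-RTMR index mapping, the SHA-256 PCR bank and SHA-384 RTMR widths, the single shared event log and the boot assets are constructed assumptions for the example.

```python
import hashlib

# Assumed PCR -> RTMR index mapping (constructed for this example; RTMR3 unused).
PCR_TO_RTMR = {1: 0, 7: 0, **{i: 1 for i in range(2, 7)}, **{i: 2 for i in range(8, 16)}}

def fresh_registers():
    """Simulated vTPM SHA-256 PCR bank and TDX-style SHA-384 RTMRs, all zero."""
    return {i: bytes(32) for i in range(24)}, {i: bytes(48) for i in range(4)}

def extend(current, digest, algo):
    """TPM/RTMR extend rule: new = H(old || digest)."""
    return hashlib.new(algo, current + digest).digest()

def measure(regs, log, pcr_index, data, also_rtmr=True):
    """Extend the vTPM PCR and, if also_rtmr, the mapped RTMR; log the event once.
    also_rtmr=True is the firmware behaviour argued for in the thread; False models
    a guest component that knows only vTPM (the broken chain-of-trust case)."""
    pcr, rtmr = regs
    e = {"pcr": pcr_index, "sha256": hashlib.sha256(data).digest(),
         "sha384": hashlib.sha384(data).digest()}
    pcr[pcr_index] = extend(pcr[pcr_index], e["sha256"], "sha256")
    if also_rtmr:
        r = PCR_TO_RTMR[pcr_index]
        rtmr[r] = extend(rtmr[r], e["sha384"], "sha384")
    log.append(e)

def replay(log):
    """Verifier side: recompute the register values the shared event log implies."""
    pcr, rtmr = fresh_registers()
    for e in log:
        pcr[e["pcr"]] = extend(pcr[e["pcr"]], e["sha256"], "sha256")
        r = PCR_TO_RTMR[e["pcr"]]
        rtmr[r] = extend(rtmr[r], e["sha384"], "sha384")
    return pcr, rtmr

def verify(regs, log):
    """Return (pcr_consistent, rtmr_consistent): does each register set match the
    log? A False RTMR result means an RTMR-only verifier cannot trust that asset."""
    pcr, rtmr = replay(log)
    return pcr == regs[0], rtmr == regs[1]

def scenario(os_measures_both):
    """Constructed boot: firmware measures two assets into both register sets,
    then an OS component measures a third into both or into the vTPM only."""
    regs, log = fresh_registers(), []
    measure(regs, log, 4, b"constructed: bootloader image")
    measure(regs, log, 7, b"constructed: secure boot config")
    measure(regs, log, 9, b"constructed: kernel command line", also_rtmr=os_measures_both)
    return verify(regs, log)
```

With a shared log, the vTPM-only path shows up as an RTMR mismatch on replay; with two separate logs the RTMR verifier would simply never see the asset, which is the silent break the thread warns about.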