On Sat, 13 Apr 2024 at 11:37, Qinkun Bao <qin...@google.com> wrote:
> ...
> >
> > I think it is a bad idea to go and apply changes all across the boot
> > software ecosystem to measure the same assets into different
> > measurement protocols. I'm afraid it creates technical debt that will
> > come and bite us in the future.
>
> Could you shed some light on why it creates technical debt?
>

If it is so vitally important that measurements are taken into both the TPM PCRs and the RTMRs if both are available, can we really trust all those boot components to do the right thing? And do we really want to have to reason about that?

Given that the guest system firmware exposes both protocols anyway, wouldn't it make more sense to make it the guest firmware's job to duplicate measurements into the RTMRs and only expose the TCG protocol to the guest OS stack?

The hybrid model of trusting the host (and using a vTPM) and not trusting the host (and therefore relying on TDX/RTMRs) at the same time seems a bit odd to me in any case: under which circumstances would a guest distrust the host but still rely on the vTPM?

> >
> > Given that RTMR is a proper subset of vTPM (modulo the PCR/RTMR index
> > conversion), I feel that it should be the CoCo firmware's
> > responsibility to either:
> > - expose RTMR and not vTPM
> > - expose vTPM, and duplicate each measurement into RTMR as they are taken
> >
> > However, I understand that this is only viable for execution under the
> > UEFI boot services, and after that, the vTPM and RTMR are exposed in
> > different ways to the OS.
>
> Yes, they are exposed in different ways. In Linux, the TPM driver uses
> the mmio interface rather than the EFI service. Even if
> EFI_TCG2_PROTOCOL is not installed, the TPM as a device is still
> visible to the guest. The RTMR values are included in the TD report
> and could be extended through a TDCALL. The security concern caused by
> not measuring into every device that is available is a concern.

That does not imply that each and every component should be responsible for taking both measurements.

> Please
> see CVE-2021-42299.
>
> >
> > Could someone explain how that piece of the puzzle is supposed to
> > work? Do we measure into RTMR after ExitBootServices()?
>
> Yes, we still measure into RTMR after ExitBootServices() [1]. One
> example is measuring container images into RTMR2 during the loading
> [2].
>

Fair enough. So keeping RTMRs and PCRs in sync after EBS() is going to be problematic :-(
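
The sync problem raised in this message, as an added example that is not part of the original email or of edk2: a small Python model in which firmware mirrors each TCG measurement into an RTMR, after which a post-ExitBootServices extend goes to RTMR2 only. The PCR-to-RTMR index mapping, the register widths and hash algorithms, and the event names are assumptions made for illustration.

```python
import hashlib

# Assumed PCR -> RTMR index conversion (the thread does not spell it out).
# PCR 0 has no extendable RTMR counterpart in this model and is not mirrored.
PCR_TO_RTMR = {1: 0, 7: 0,
               **{p: 1 for p in range(2, 7)},
               **{p: 2 for p in range(8, 16)}}

def extend(reg: bytes, data: bytes, alg: str) -> bytes:
    """Extend operation: new = H(old || H(data))."""
    return hashlib.new(alg, reg + hashlib.new(alg, data).digest()).digest()

class Guest:
    def __init__(self):
        self.pcr = {i: bytes(32) for i in range(24)}   # modelled SHA-256 PCR bank
        self.rtmr = {i: bytes(48) for i in range(4)}   # modelled SHA-384 RTMRs
        self.log = []                                  # events seen on the TCG path

    def firmware_measure(self, pcr: int, data: bytes) -> None:
        """Boot-services path: one TCG measurement, duplicated into the RTMR."""
        self.pcr[pcr] = extend(self.pcr[pcr], data, "sha256")
        self.log.append((pcr, data))
        if pcr in PCR_TO_RTMR:
            r = PCR_TO_RTMR[pcr]
            self.rtmr[r] = extend(self.rtmr[r], data, "sha384")

    def os_rtmr_extend(self, rtmr: int, data: bytes) -> None:
        """Post-ExitBootServices path: extends the RTMR only, no PCR, no TCG log."""
        self.rtmr[rtmr] = extend(self.rtmr[rtmr], data, "sha384")

def replay_rtmr(log):
    """What a verifier expects the RTMRs to hold, given only the TCG event log."""
    regs = {i: bytes(48) for i in range(4)}
    for pcr, data in log:
        if pcr in PCR_TO_RTMR:
            r = PCR_TO_RTMR[pcr]
            regs[r] = extend(regs[r], data, "sha384")
    return regs

def demo():
    g = Guest()
    # Constructed sample events, not real measurements.
    for pcr, data in [(7, b"secure-boot-policy"), (4, b"bootloader"),
                      (8, b"kernel-cmdline")]:
        g.firmware_measure(pcr, data)
    in_sync_before = replay_rtmr(g.log) == g.rtmr
    g.os_rtmr_extend(2, b"container-image")   # RTMR-only extend after EBS
    in_sync_after = replay_rtmr(g.log) == g.rtmr
    return in_sync_before, in_sync_after
```

While firmware owns both paths, the TCG event log alone reproduces the RTMRs; after the RTMR-only extend, a verifier replaying that log no longer matches RTMR2 and needs a second event source.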