Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Does the VTPM Generate an Endorsement Key? #437

Open
IT302 opened this issue Aug 7, 2024 · 8 comments · May be fixed by hpe-security-lab/svsm#1
Open

Does the VTPM Generate an Endorsement Key? #437

IT302 opened this issue Aug 7, 2024 · 8 comments · May be fixed by hpe-security-lab/svsm#1

Comments

@IT302
Copy link

IT302 commented Aug 7, 2024

I'm currently exploring using the vTPM for attestation and have a question regarding the endorsement key. Does the current vTPM implementation generate an endorsement key at startup? If it does, where is it stored?

Any guidance on this matter would be greatly appreciated.

Geoffrey

@stefano-garzarella
Copy link
Member

@IT302 current implementation re-manufacture the vTPM at every boot, so the vTPM for now is ephemeral and its EK changes with each boot. The EK is in SVSM's memory, but as soon as CVM is turned off, all vTPM state goes away. (cc @cclaudio for more details).

We are working on supporting saving the state, but this requires an early attestation in SVSM. See #421

@IT302
Copy link
Author

IT302 commented Aug 8, 2024

Thanks @stefano-garzarella your help.

For my initial use case, a persistent vTPM is not required. However, I do need an SNP attestation report at VMPL0, as well as another report that covers the EKpub generated at boot time.

@jianlinjiang
Copy link

@IT302 current implementation re-manufacture the vTPM at every boot, so the vTPM for now is ephemeral and its EK changes with each boot. The EK is in SVSM's memory, but as soon as CVM is turned off, all vTPM state goes away. (cc @cclaudio for more details).

We are working on supporting saving the state, but this requires an early attestation in SVSM. See #421

hi @stefano-garzarella , I wonder where the EKpub is stored (The exact TPM object context). I also need a VMPL0 attestation report with Sha512(EKpub) in the report data

@jianlinjiang
Copy link

In the function TPM_Manufacture of ms-tpm-20-ref , It seems the function doesn't create a primary key for the vTPM.

@cclaudio
Copy link
Member

Hi @IT302

You might be interested on the TCG Credential Profile EK 2.0, it explains about the EK NV indices and also the templates.

The Endorsement Primary Seed (EPS) is set in the TPM manufacture procedure. If the EPS is not changed, the same EK can be regenerated multiple times. So, the EK can be created any time later in boot as needed and choosing the template (e.g. RSA, ECC_256, etc) that better fits the purpose of the confidential VM.

Soon, when the AMD Attestation Protocol is implemented, the SVSM will need to cache an EK object so that it can be returned as an evidence of the EPS that is set in the vTPM.

@IT302
Copy link
Author

IT302 commented Sep 12, 2024

Thanks @cclaudio for the pointer. Relying on EPS is elegant, and the SVSM can start off by supporting RSA 2048-bit and ECC NISTP-256-bit keys. Everything should work as long as users do not run TPM2_ChangeEPS.

I am working on a PoC that adds EK creation and caching to coconut-svsm. I am collaborating with folks active in Keylime and should have something to share in the next couple of weeks.

@stefano-garzarella
Copy link
Member

@IT302 if it could be interesting for you, @osteffenrh and I are working on a persistent state support for SVSM to unlock persistent vTPM. We'll talk about it next week at LPC and KVM Forum. We are also preparing a PoC here: https://github.com/stefano-garzarella/snp-svsm-vtpm

@IT302
Copy link
Author

IT302 commented Sep 12, 2024

@stefano-garzarella Yes, I am very much interested in the persistent vTPM work and will be at the KVM Forum next week. Looking forward to your talk.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants