Does the VTPM Generate an Endorsement Key? #437
Comments
|
@IT302 current implementation re-manufacture the vTPM at every boot, so the vTPM for now is ephemeral and its EK changes with each boot. The EK is in SVSM's memory, but as soon as CVM is turned off, all vTPM state goes away. (cc @cclaudio for more details). We are working on supporting saving the state, but this requires an early attestation in SVSM. See #421 |
|
Thanks @stefano-garzarella your help. For my initial use case, a persistent vTPM is not required. However, I do need an SNP attestation report at VMPL0, as well as another report that covers the EKpub generated at boot time. |
hi @stefano-garzarella , I wonder where the EKpub is stored (The exact TPM object context). I also need a VMPL0 attestation report with Sha512(EKpub) in the report data |
|
In the function |
|
Hi @IT302 You might be interested on the TCG Credential Profile EK 2.0, it explains about the EK NV indices and also the templates. The Endorsement Primary Seed (EPS) is set in the TPM manufacture procedure. If the EPS is not changed, the same EK can be regenerated multiple times. So, the EK can be created any time later in boot as needed and choosing the template (e.g. RSA, ECC_256, etc) that better fits the purpose of the confidential VM. Soon, when the AMD Attestation Protocol is implemented, the SVSM will need to cache an EK object so that it can be returned as an evidence of the EPS that is set in the vTPM. |
|
Thanks @cclaudio for the pointer. Relying on EPS is elegant, and the SVSM can start off by supporting RSA 2048-bit and ECC NISTP-256-bit keys. Everything should work as long as users do not run TPM2_ChangeEPS. I am working on a PoC that adds EK creation and caching to coconut-svsm. I am collaborating with folks active in Keylime and should have something to share in the next couple of weeks. |
|
@IT302 if it could be interesting for you, @osteffenrh and I are working on a persistent state support for SVSM to unlock persistent vTPM. We'll talk about it next week at LPC and KVM Forum. We are also preparing a PoC here: https://github.com/stefano-garzarella/snp-svsm-vtpm |
|
@stefano-garzarella Yes, I am very much interested in the persistent vTPM work and will be at the KVM Forum next week. Looking forward to your talk. |
vTPM service attestation is described in section 8.3 of "Secure VM Service Module for SEV-SNP Guests, Publication #58019 Revision: 1.00 Issue Date: July 2023". It certifies the Endorsement Key (EK) of the vTPM by providing the TPMT_PUBLIC structure of the EK. This is crucial for downstream projects like Keylime, as the SVSM vTPM lacks an EK certificate found in physical TPMs to anchor trust. The attestation is part of the SVSM Attestation Protocol and uses the SVSM_ATTEST_SINGLE_SERVICE call (see section 7 of the specifications). It is triggered by making an SVSM_ATTEST_SINGLE_SERVICE call with the GUID set to c476f1eb-0123-45a5-9641-b4e7dde5bfe3. The attestation code returns the VMPL0 attestation report and the vTPM Service Manifest Data Structure (TPMT_PUBLIC structure of the EK). The REPORT_DATA in the SNP attestation request is the SHA-512 digest of the input nonce and the vTPM Service Manifest Data Structure. The vTPM initialization function was modified to generate an RSA 2048-bit EK from the TPM's Endorsement Primary Seed (EPS) and cache the public key as a TPMT_PUBLIC structure. This cached EK public key can be retrieved later for vTPM service attestation. The EK is created with the TCG default EK template (see Table 4 of the "TCG EK Credential Profile For TPM Family 2.0; Level 0 Version 2.5 Revision 2.0"). Since the EK is derived from the EPS, it can be recreated upstream at any time. For example, the same EK can be recreated in an OS using the TSS2 command "tpm2_createek -c ek.ctx -G rsa -u ek.pub" and compared against the one returned by vTPM service attestation. vTPM service attestation as specified can only return one type of EK, so the implementation supports RSA 2048-bit EK as defined in Table 4 of the "TCG EK Credential Profile For TPM Family 2.0; Level 0 Version 2.5 Revision 2.0," which is the most common Trusted Computing Group(TCG) EK type. Resolves coconut-svsm#437, resolves coconut-svsm#361 Signed-off-by: Geoffrey Ndu <[email protected]>
vTPM service attestation is described in section 8.3 of "Secure VM Service Module for SEV-SNP Guests, Publication #58019 Revision: 1.00 Issue Date: July 2023". It certifies the Endorsement Key (EK) of the vTPM by providing the TPMT_PUBLIC structure of the EK. This is crucial for downstream projects like Keylime, as the SVSM vTPM lacks an EK certificate found in physical TPMs to anchor trust. The attestation is part of the SVSM Attestation Protocol and uses the SVSM_ATTEST_SINGLE_SERVICE call (see section 7 of the specifications). It is triggered by making an SVSM_ATTEST_SINGLE_SERVICE call with the GUID set to c476f1eb-0123-45a5-9641-b4e7dde5bfe3. The attestation code returns the VMPL0 attestation report and the vTPM Service Manifest Data Structure (TPMT_PUBLIC structure of the EK). The REPORT_DATA in the SNP attestation request is the SHA-512 digest of the input nonce and the vTPM Service Manifest Data Structure. The vTPM initialization function was modified to generate an RSA 2048-bit EK from the TPM's Endorsement Primary Seed (EPS) and cache the public key as a TPMT_PUBLIC structure. This cached EK public key can be retrieved later for vTPM service attestation. The EK is created with the TCG default EK template (see Table 4 of the "TCG EK Credential Profile For TPM Family 2.0; Level 0 Version 2.5 Revision 2.0"). Since the EK is derived from the EPS, it can be recreated upstream at any time. For example, the same EK can be recreated in an OS using the TSS2 command "tpm2_createek -c ek.ctx -G rsa -u ek.pub" and compared against the one returned by vTPM service attestation. vTPM service attestation as specified can only return one type of EK, so the implementation supports RSA 2048-bit EK as defined in Table 4 of the "TCG EK Credential Profile For TPM Family 2.0; Level 0 Version 2.5 Revision 2.0," which is the most common Trusted Computing Group(TCG) EK type. Resolves coconut-svsm#437, resolves coconut-svsm#361 Signed-off-by: Geoffrey Ndu <[email protected]>
I'm currently exploring using the vTPM for attestation and have a question regarding the endorsement key. Does the current vTPM implementation generate an endorsement key at startup? If it does, where is it stored?
Any guidance on this matter would be greatly appreciated.
Geoffrey
The text was updated successfully, but these errors were encountered: