lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6e74ba5e6dc40b4d3bb90b7a7f0d8a1b9655964c.camel@intel.com>
Date:   Wed, 14 Sep 2022 21:09:26 +0000
From:   "Huang, Kai" <kai.huang@...el.com>
To:     "sathyanarayanan.kuppuswamy@...ux.intel.com" 
        <sathyanarayanan.kuppuswamy@...ux.intel.com>,
        "kirill.shutemov@...ux.intel.com" <kirill.shutemov@...ux.intel.com>
CC:     "linux-kselftest@...r.kernel.org" <linux-kselftest@...r.kernel.org>,
        "shuah@...nel.org" <shuah@...nel.org>,
        "tim.gardner@...onical.com" <tim.gardner@...onical.com>,
        "Luck, Tony" <tony.luck@...el.com>,
        "dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>,
        "Cox, Philip" <philip.cox@...onical.com>,
        "ak@...ux.intel.com" <ak@...ux.intel.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "mingo@...hat.com" <mingo@...hat.com>,
        "tglx@...utronix.de" <tglx@...utronix.de>,
        "linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
        "wander@...hat.com" <wander@...hat.com>,
        "marcelo.cerri@...onical.com" <marcelo.cerri@...onical.com>,
        "hpa@...or.com" <hpa@...or.com>,
        "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
        "bp@...en8.de" <bp@...en8.de>,
        "isaku.yamahata@...il.com" <isaku.yamahata@...il.com>,
        "khalid.elmously@...onical.com" <khalid.elmously@...onical.com>,
        "x86@...nel.org" <x86@...nel.org>
Subject: Re: [PATCH v13 3/3] Documentation/x86: Document TDX attestation
 process

On Tue, 2022-09-13 at 18:23 -0700, Sathyanarayanan Kuppuswamy wrote:
> Attestation is used to verify the TDX guest trustworthiness to other
> 
> entities before provisioning secrets to the guest. For example, a key
> 
> server may request attestation quote before releasing the encryption
> 
> keys to mount the encrypted rootfs or secondary drive.

I would replace "may request attestation quote" to "may want to use attestation
to verify the guest is the desired one".  The "quote" was never mentioned before
here so it's -EPARSE.  Also getting the quote is not the purpose, the purpose is
to get it verified by verification service.

> 
> 
> 
> The TDX module records the state of the TDX guest in various stages of
> 
> the guest boot process using build time measurement register (MRTD) and
> 
> runtime measurement registers (RTMR). Measurements related to guest
> 
> initial configuration and firmware image are recorded in the MRTD
> 
> register. Measurements related to initial state, kernel image, firmware
> 
> image, command line options, initrd, ACPI tables, etc are recorded in
> 
> RTMR registers. For more details, please refer to TDX Virtual Firmware
> 
> design specification, sec titled "TD Measurement". At TDX guest runtime,
> 
> the attestation process is used to attest to these measurements.

I would like to point out that "TDVF is is just an example".  TDVF can be
replaced with other BIOS, theoretically (especially if you consider container
case in the future), so all things in TDVF can only just be an "example".  I
don't like the idea to bind TDX architecture with TDVF.

How about:

"For more details as an example, please refer to TDX virtual Firmware ...".

Otherwise looks good.  You can have my Ack anyway:

Acked-by: Kai Huang <kai.huang@...el.com>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ