-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RFC] td-shim release with reference MRTD #577
Comments
@Xynnn007 , please submit issue and PR. |
I have made a test repo to build IMO CoCo will have multiple components together with their reference value to be built. Let's take TDX for example:
A first impression is that we use @sameo @fitzthum @fidencio @jyao1 @peterzcst @dcmiddle @mythi @arronwy @jialez0 |
I am OK if it aligns to other project. |
I think you're on the right track. My biggest question is how we can integrate reference artifacts with our existing build pipelines. For example for td-shim we use versions.yaml file to track which version will be built into the payload container. Should this also be where we generate reference measurements or should we try to decouple the building of our artifacts from the Kata CI? Also, are we making some assumptions about how different platforms will measure components? For |
OVMF can support one binary for TDX/SEV/non-CC. |
I think we get the same question. There are two ways
As we are planning to make a website for CoCo, it would be great to have a download page that points to the hyperlink of the artifacts together with their reference values. Thus I prefer to way 2. I'd also like to hear some point views of @fidencio for this.
A reference value does not necessarily correspond to one component, it may correspond to multiple components, which depends on how TEE measures. For example, TDX measures guest firmware like td-shim/OVMF and store the measurements into MRTD register. Thus in RVPS we use key This hints that we should release a binary bundle for different platforms together with the reference values. Back to the question itself. If we release a same OVMF binary for both TDX/SEV, we would have two reference value files for each platforms. Other platforms should have their different mechanisms but we can fit well with the design. |
Some components, like OVMF, seem like they could be decoupled from the Kata build system fairly easily. To me it seems a bit weird that Kata is building OVMF. Other components, like the rootfs, are more closely tied to Kata and would be tricky to replicate elsewhere. I suspect that Kata is somewhat attached to building components themselves, which does enable some significant tooling such as the kernel patching/building scripts. On the other hand, we also have the image buiders for peer pods, which already duplicate some of the functionality of the kata tooling. That's another place we'll need to come up with some reference values.
Yeah, I agree. Reference values will have to be platform specific. Btw this is something that igvm might be able to help out with. |
I don't think there is QEMU support yet, but I've heard a rumor that someone is working on it. Hyper-V as well as CLH seem to be supported. There is some info here. |
Btw another thing about the current release process is that the tagging of releases, which is typically done whenever we reach that step in the release checklist, is not really in sync with development. We just come through and tag the repo whenever the CoCo project happens to be doing a release. So far this doesn't seem to have caused any issues, but it doesn't seem ideal. |
Now to support the full lifetime of confidential containers, we should start to think about the origin of the guest FW/kernel/rootfs. To have a reference, let's start with TDX stack.
Background
Now we have leveraged tdx verifier inside attestation-service. A end user can deploy an attestation-service to verify the quote sent from the attestation-agent inside the TEE guest. However, currently the attestation-service only verifies the validity/endorsement of the quote, s.t. the signature. The other fields, like MRTD, RTMR, etc are left and organized into a parsed claims. Among them, MRTD is related to td-shim. As a community, we should provide a reference solution of this. That is
In this way a CSP could use this community-version td-shim to quickly set up a service, and the end user can use this published reference value to check if the guest firmware is as expected.
Rationality
Although reprodicible build is the most safe way for the user to ensure that no backdoors are embedded in the td-shim binary, there is still some work to do. reference to
If users trust the neutral CoCo community, they can directly use the component binaries from CoCo and use the published reference values to verify, without building them locally, which will save a lot of effort.
Roadmap
Please give some suggestions. If it seems good, let me open related sub issues to track on this.
The text was updated successfully, but these errors were encountered: