Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Calculate measurements outside of TDX #263

Open
YurkoWasHere opened this issue Nov 3, 2024 · 6 comments
Open

Calculate measurements outside of TDX #263

YurkoWasHere opened this issue Nov 3, 2024 · 6 comments

Comments

@YurkoWasHere
Copy link

After a TDX Quote has been generated, attested to and signed it contains measurements (RTMR 0-4)

Given the access to the boot component (ovmf, kernel, kernel parameters and initrd) how can some one calculate the RTMRs values outside of the TDX environment to validate the quote is as expected.

Copy link

Thank you for reporting us your feedback!

The internal ticket has been created: https://warthogs.atlassian.net/browse/PEK-1442.

This message was autogenerated

@hector-cao
Copy link
Collaborator

hector-cao commented Nov 14, 2024

the RTMR[0-2] measurement values are calculated from eventlog entries digest, you can display the eventlog with the tool we have here : https://github.com/canonical/tdx/tree/noble-24.04/tests/lib/tdx-tools
you can install inside the guest

the command is : tdeventlog

@jkr0103
Copy link
Contributor

jkr0103 commented Dec 10, 2024

the RTMR[0-2] measurement values are calculated from eventlog entries digest, you can display the eventlog with the tool we have here : https://github.com/canonical/tdx/tree/noble-24.04/tests/lib/tdx-tools you can install inside the guest

the command is : tdeventlog

I think this is not what user want here. These eventlogs or the tool https://github.com/canonical/tdx/tree/noble-24.04/tests/lib/tdx-tools produce measurements only on TDX machine and not on non-TDX machine. User's ask is to generate these measurements statically on a non-TDX machine, if possible, without running the TD guest.

Also I think the eventlogs or the tool doesn't calculate the measurements but just read from the already generated reports, specifically at /dev/tdx-guest or /dev/tdx_guest or /sys/kernel/config/tsm/... location.

@hector-cao
Copy link
Collaborator

the RTMR[0-2] measurement values are calculated from eventlog entries digest, you can display the eventlog with the tool we have here : https://github.com/canonical/tdx/tree/noble-24.04/tests/lib/tdx-tools you can install inside the guest
the command is : tdeventlog

I think this is not what user want here. These eventlogs or the tool https://github.com/canonical/tdx/tree/noble-24.04/tests/lib/tdx-tools produce measurements only on TDX machine and not on non-TDX machine. User's ask is to generate these measurements statically on a non-TDX machine, if possible, without running the TD guest.

Also I think the eventlogs or the tool doesn't calculate the measurements but just read from the already generated reports, specifically at /dev/tdx-guest or /dev/tdx_guest or /sys/kernel/config/tsm/... location.

Good question,

AFAIU, part of the measurements cover the real hardware so I don't think we can generate the all reference values off-board, potentially, some part of the RTMRs can be computed off-board but for now, this topic is a quite complex challenge and we are not yet working on it

@YurkoWasHere
Copy link
Author

Thank you for all this wonderful information. Its a great start!

The scenario I am trying to solve for is:

  • The GUEST provides a VM to a HOST operator
  • The HOST starts a VM.
  • The GUEST requires to verify that the HOST started the GUEST's vm correctly before being confident in its integrity.

From what you described, It sounds like this cannot be done with the TDX attestation alone and would require looking at the TDX Event log (This would allow you to accept the hardware values you cannot verify (provided by the HOST's hardware) and verify the value provided by the GUEST)

My understanding is there are 4 ingredients that we must verify to boot a machine (i included the sha384 of each)

  • OVMF (or firmware)
    • b1a735321a1c1817a94558989df255e41f93390c34766d325a47e90515644e5db840fdc4ac4c5b17f946b77c4af996cc
  • Kernel
    • a18e82e07e4b652ca5a7506cbfe7901993e199f86ddbeb48f201a3d55e809674c42ef32ab1fd5a6461b2f649a27cfb3b
  • Append/Kernel parameters
    • 5ea248c073c9ad842e99b5bbe3d418b742547f3726c61dee8bdee7fde8b0c46f71bc90bb22aee917aac9602b3732d7c4
  • Initrd
    • d90a1634a377172fd69f091807efa15d30332d87f54a59ac40c5d85d1623ebd368d888fc63aec7914e86b0f993b7c966

After dumping the logs using your tools i Found the hash for initrd only

I attached the event log

RTMR Log.txt

Any suggestions?

@msanft
Copy link

msanft commented Dec 11, 2024

@YurkoWasHere this probably needs some tweaking for your use-case, but check out our internal tool we use in Contrast to do TDX measurement precalulation: https://github.com/edgelesssys/contrast/blob/main/tools/tdx-measure/main.go

The diff between your calculated parameters is probably caused by not the raw components (e.g. kernel ELF) being measured, but their in-memory forms. Check out #298 for more on that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants