-
Notifications
You must be signed in to change notification settings - Fork 43
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RTMRs depending on guest memory size #289
Comments
Thank you for reporting us your feedback! The internal ticket has been created: https://warthogs.atlassian.net/browse/PEK-1499.
|
The measurements come with an eventlog which can be "replayed" to check the log entries take you to the RTMR value in the signed quote. With that, the verifier can check individual log entries for the relevant measurements. |
Thanks for the response, @mythi!
I know, and while that does help for all other measurements made except the non-deterministic (across memory sizes), we're still unable to measure that one, which, unfortunately, contains all of the kernel. So there doesn't seem to be away to get a deterministic (again, across memory sizes) kernel measurement yet, which would kind of renders the other verifications worthless? For the use-cases I'm aware of, deterministic and reproducible RTMRs would be the superior solution; But if the memory-dependent measurements should be kept, would it be a possibility to eventually move them into their own measurement event, so that the rest of the kernel (and firmware) could still be verified? |
Let me do a bit of research and ask around. btw, while not exactly the same #270 talks about the same problem space (and mentions the "no kernel measurement") |
@msanft are you using the Kata OVMF + |
Yes. We're not directly using the upstream components as we build our own versions, but generally we go OVMF -> EFI stub |
OK, great. EFI CC Measurement protocol was added to 6.9 so Kata does not have it available just yet (we need to get Kata releases moved to 6.12 LTS). I've checked today I can create reference measurements for the cmdline. Still working on the kernel part. I'm expecting it to follow |
Yeah, we use a 6.11 kernel because of that. But do I understand you correctly? Are you trying to implement measurement precalculation, or are you trying to reproduce the problem? We already have a precalculator available here: https://github.com/edgelesssys/contrast/tree/main/tools/tdx-measure |
Trying to reproduce the problem but I also didn't have any tools for it. I'll check your tool and see what I get (which can be the same what you are raporting here ;) |
Looking at your tool (which seems to "reproduce" the expected measurement flow for RTMRs), I can see you're not actually leveraging the eventlog. You don't necessarily need reference RTMR values (for all registries at least). The problem statement and why eventlog is a useful thing, is best described in a TCG doc. With some simple tweaks to your tool, I can get the kernel "reference" hash: which correctly shows up in the CCEL:
It is true that However, in my tests so far I saw only two values for I guess the remaining question is, is it possible to use the eventlog based verification? Kata/CoCo TDX evidence has CCEL included already. It sounds it's "cheaper" than maintaining OVMF/qemu patches. |
Yeah, QEMU will "fix" the address if more than 4G of memory are used: https://github.com/qemu/qemu/blob/f48c205fb42be48e2e47b7e1cd9a2802e5ca17b0/hw/i386/x86.c#L1044-L1045 Below 4G, it will be loaded to a non-fixed address that depends on memory size. So e.g. 2G and 3G should result in different kernel hashes.
It is, even if it's not "as great" as just having the reference values (due to the sheer size of the event log that needs to be sent upon any attestation). But the memory-dependent kernel hashes are still a problem, also in the event log-based case, in my opinion. |
Agree, it needs thinking. On my side, I can only see it changing below 2G VM sizes, though. The measurement above that remains the same. |
TDX RTMRs 0 and 1 currently depend on the memory size of the guest VM. This is due to two things:
Now, this doesn't play well with general remote attestation use-cases where the guest memory size is not known in advance, such as with Kata containers.
Is this considered a problem, or are things working as intended? Arguing by measuring the initial memory contents, one could advocate for this being the correct behavior, but for real-world use-cases, this poses a problem.
The text was updated successfully, but these errors were encountered: