Fix the example attestation policy for Azure vTPM #1390
Conversation
mkulke
left a comment
There was a problem hiding this comment.
not sure I understand. why would we want to hardcode values in the policy? those values will change. For SNP and similar values in other TEEs the value is queried from the reference values, no?
|
The only one I hardcoded are the ones that can just increase and not completely change. But yeah I am not fully convinced either, I just wanted to write down an initial draft to show you what I meant. Otherwise as you said we need to figure these reference values, but I have no clue how. |
I guess this is something that still needs to be answered/solved project-wide. AFAIU this part is left as an exercise for the user today. it looks like the confidential-containers/reference-values is a good place to start this effort. I would suggest remaining consistent with other TEEs here. setting some hard invariants is probably fine (we might want to assert that SMT is enabled + allowed, for example, because peerpods doesn't expose a toggle for smt=off, although I'm still unsure this is the correct approach). putting concrete firmware, microcode etc version in the policy is the wrong approach, though, I'm pretty sure. |
|
So if I understand correctly, you are suggesting to remove most of the fields? That would mean that for SNP we get: Which is ok but the hardware configuration is left empty. I guess for a public cloud this could be ok. I wonder why were these fields added in the first place though... |
no, I would suggest leaving the fields as they are and populate reference values instead. the snp tcb fields are absolutely worth checking, we don't want to discard them. the only fields where you could argue are the smt ones (b/c of limitation in peerpod configuration) but again, this might change, and this could also be set in the reference values. If CoCo a) doesn't provide sane defaults for SNP (or other TEEs') reference values and b) offers no convenient way for a user to import those, then this is a TDB for the project. and I understand Ding is working on that. In any case, I think the default policy is the wrong place to put those defaults. |
|
Ok so basically you are suggesting to wait if I understand correctly then.
Completely agree |
|
When it comes to the TCB values, I'd like us to have a similar approach for the SNP and AZ SNP platforms. I've been hoping AMD would provide some guidance on how to handle these fields or where to get the reference values. |
|
A simple idea is that if the fields are included inside the evidence, and can be changed based on different deployments, we should provide ways to check them than remove them. Back to the PR, two questions from my side is
If either one is "yes", a more practical way to me might be documents about how to write attestation policies or how to choose reference values, than hardcode them inside the policies. Other archs have similar fields, and we would need a systematic documents for advanced users to configure these advanced fields in future, which will need help from different arch owners, to help perfect this guide. With the guide, advanced users can edit attestation policy / or set reference values themselves in any shape they want, like mixing simple equals and comparations to accomplish the goal. |
Documentattion for sophisticated users makes sense in any case. Beyond that we might also want a streamlined/casual deployment story for potential adopters. (think: helm apply -f coco.yaml) This one could have reasonable defaults that resemble a production setup more closely. But I'm not sure how much of this is in the scope of downstream products rather than the CoCo project. For example, currently many scripts, guides, e2e tests result in a setup in which the relying party components and the coco runtime are deployed into the same env, which is nonsensical but pragmatic: casual visitors might not have two discrete environments (+ networking glue) available just to test coco. |
|
Yeah I think at this point this falls back on the hardware vendor rather than the cloud. AMD/Intel should provide some public (upstream) way to figure these values, as Tobin said. In general the CoCo software part is easy: built & measured upstream and downstream forks can provide their own reference values like PCRs, but the hardware doesn't follow this process. So IMO either the CoCo project doesn't provide any default att-policy/refval for hardware and just relies on the measurable software artifacts, or we figure a way to get these info from the hardware vendors. |
|
tbo I am not sure what do field like For TDX, all hardware firmware related fields will be check against Intel's PC(C)S service, which is called in tdx-verifier, rather than doing policy check in trustee, and they maintain a machanism of "Security Version" to reflect the whole of these fields. |
yes, those are about firmware. and there a several variants of the TCB fields with complicated semantics. I understand TDX is more opinionated, but you'll need a collateral service. For SNP you have to make those decisions yourself, and the values will vary from cloud/region/SKU, some might update the firmware, some might get a custom fix via microcode update, etc... |
thanks for the explaination. if so, it is good to keep codebase as is for users to configure themselves. Just like other floks said, AMD should provide more information about the rv. |
|
There are a few loose ends with the TCB values. First, I think we might actually be checking the wrong set of TCBs. I think the reported tcb corresponds to the the vcek, but there is another set with stricter guarantees regarding updates and rollbacks. It might make sense to specify a minimum reported tcb level, but we need to make sure that these SVN fields actually can be compared numerically. Currently, we just check if the version is in the list of allowed versions. That's not ideal. Another thing we could think about is having different trust levels depending on if/how we check the tcb version. This is a cool use of AR4SI, but it could ultimately be misleading/confusing since the levels are eventually collapsed into a status. |
… be pre-computed Some of the expected measurements for the Azure vtpm in the attestation policy cannot be currently pre-computed by any tool. Therefore let's comment them out for the time being. Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
I think it is reasonable to comment the measurement claim, because this is per spec not a claim that a user can rely on to remain stable (otoh, maybe they still want to assert a certain value and don't want to accept paravisor updates). SMT is hardcoded like you mentioned in peerpods currently, but that might change, and also maybe people want to use trustee outside of peerpods, so it's arguable whether we shouldn't have this claim. Finally, commenting out the TCB and policy values doesn't make sense in any scenario IMO, those are the core of an attestation policy. It's unfortunate that we don't have authoritative reference values for those, but the same also applies to snp. So, yeah, I would suggest implementing a more practical policy (works with peerpods + azure today) somewhere downstream and leave the default policy as-is in trustee, for now. |
|
Ok then closing this one. Thanks for the feedback! |
|
Sorry got this PR pretty late. Just wanted to add a small note that AMD is working on figuring out how to collect, manage reference values. Since, we need to get a lot of buy ins internally, the work is moving slowly but surely. Will keep the community posted once we have a pretty solid solution for the SNP reference values. |
See #1386 (comment)
Initial implementation of what discussed in the issue. We still need to discuss the other values (marked as TODO)