Re: [Part2 PATCH v5.1 12.6/31] crypto: ccp: Implement SEV_PDH_GEN ioctl command

From: Borislav Petkov
Date: Thu Oct 12 2017 - 16:23:44 EST

Next message: Tom Saeger: "[PATCH 0/8] Documentation: fix invalid Documentation refs (2)"
Previous message: Borislav Petkov: "Re: [Part2 PATCH v5.1 12.5/31] crypto: ccp: Implement SEV_PEK_GEN ioctl command"
In reply to: Brijesh Singh: "Re: [Part2 PATCH v5.1 12.6/31] crypto: ccp: Implement SEV_PDH_GEN ioctl command"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Oct 12, 2017 at 03:21:04PM -0500, Brijesh Singh wrote:
> We need to follow the platform state machine logic defined in SEV spec
> section 5.1.2. The PEK_GEN can not be issued when platform is in WORKING
> state because the command actually re-generate the identity of the
> platform itself (in other words re-generate the Platform Endorsement
> Key). Whereas, the PDH_GEN command is used for re-generating Platform
> Diffie-Hellman Key which can be changed while the guest is running.

I see.

So the proposition to carve out and split the platform *init commands
might come in handy here too...

--
Regards/Gruss,
Boris.

SUSE Linux GmbH, GF: Felix ImendÃrffer, Jane Smithard, Graham Norton, HRB 21284 (AG NÃrnberg)
--

Next message: Tom Saeger: "[PATCH 0/8] Documentation: fix invalid Documentation refs (2)"
Previous message: Borislav Petkov: "Re: [Part2 PATCH v5.1 12.5/31] crypto: ccp: Implement SEV_PEK_GEN ioctl command"
In reply to: Brijesh Singh: "Re: [Part2 PATCH v5.1 12.6/31] crypto: ccp: Implement SEV_PDH_GEN ioctl command"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]