Re: [PATCH 0/4] keys: Introduce a keys frontend for attestation reports

From: Dionna Amalie Glaze
Date: Tue Aug 08 2023 - 13:19:41 EST

Next message: Andy Shevchenko: "Re: [PATCH v4 4/4] iio: adc: mcp3911: add support for the whole MCP39xx family"
Previous message: Andrew Davis: "Re: [PATCH 04/13] arm64: dts: ti: k3-am65: Enable OSPI nodes at the board level"
In reply to: Dan Williams: "Re: [PATCH 0/4] keys: Introduce a keys frontend for attestation reports"
Next in thread: Dan Williams: "Re: [PATCH 0/4] keys: Introduce a keys frontend for attestation reports"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>
> At least that was not the level of concurrency I was worried about. The
> sysfs approach makes it so that concurrency problem of option-writing vs
> report-reading is pushed to userspace.
>

The reason I would advocate against making attestation report
collection single-threaded in user space at a machine level is that
there are new schemes of attested connections that may become the
basis of server handshakes. I think folks are mainly looking at this
from the use case of

1. workload will do large amounts of work on behalf of the VM owner,
provided it gets a sealing key released by the VM owner once on boot
after proving its code identity

however I'm thinking of the case of a more user-centric use case that
enables service users to challenge for proof of workload identity

2. workload is a server that accepts incoming connections that include
a hardware attestation challenge. It generates an attestation report
that includes the challenge as part of the connection handshake

This posits the existence of such an advanced user, but high security
applications also have users with high expectations. I want the option
to be open to empower more users to have access to provable workload
provenance, not just the VM owners that are unlocking resources.

> For example, take the following script:
>
> $ cat -n get_report
> 1 #!/bin/bash
> 2 tsm=/sys/class/tsm/tsm0
> 3 echo $1 > ${tsm}/privlevel
> 4 echo $2 > ${tsm}/format
> 5 echo "hex encoded attestation report for: $(cat ${tsm}/provider)"
> 6 xxd -p -c 0 -r ${tsm}/report
>
> The kernel handles the concurrency of line 6 where it synchronizes
> against new writes to the options for the duration of emitting a
> coherent report. However, if you do:
>
> $ get_report 2 extended > reportA & get_report 0 default > reportB
>
> ...there is race between those invocations to set the options and read
> the report.
>
> So to solve that concurrency problem userspace needs to be well behaved
> and only have one thread at a time configuring the options and reading
> out the report before the next agent is allowed to proceed. There are
> several ways to do that, but the kernel only guarantees that the state
> of the options is snapshotted for the duration of 6.

--
-Dionna Glaze, PhD (she/her)

Next message: Andy Shevchenko: "Re: [PATCH v4 4/4] iio: adc: mcp3911: add support for the whole MCP39xx family"
Previous message: Andrew Davis: "Re: [PATCH 04/13] arm64: dts: ti: k3-am65: Enable OSPI nodes at the board level"
In reply to: Dan Williams: "Re: [PATCH 0/4] keys: Introduce a keys frontend for attestation reports"
Next in thread: Dan Williams: "Re: [PATCH 0/4] keys: Introduce a keys frontend for attestation reports"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]