Re: [PATCH 0/4] keys: Introduce a keys frontend for attestation reports

From: Dionna Amalie Glaze
Date: Tue Aug 08 2023 - 18:33:58 EST

Next message: Sui Jingfeng: "[PATCH v2 00/11] Fix typos, comments and copyright"
Previous message: pr-tracker-bot: "Re: [GIT PULL] hardening fixes for v6.5-rc6"
In reply to: James Bottomley: "Re: [PATCH 0/4] keys: Introduce a keys frontend for attestation reports"
Next in thread: Jarkko Sakkinen: "Re: [PATCH 0/4] keys: Introduce a keys frontend for attestation reports"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> For an ephemeral TPM, the EK should be guaranteed to be random and
> therefore non repeating, so there's not much need for the nonce to add
> non-repeatability. So, in theory, the vTPM/EK binding can be published
> once and relied on even for multiple different tenant endpoints, sort
> of like the EK cert for a physical TPM.
>

Okay that sounds reasonable.

Regarding my other comment about daemons, we might already be in that
state for containers even without the sysfs proposal, given that the
sev-guest device requires root.
We'd need a daemon to provide protected access to the attestation
report (e.g., https://github.com/confidential-containers/attestation-agent)
so that's a bit of a sad situation.

--
-Dionna Glaze, PhD (she/her)

Next message: Sui Jingfeng: "[PATCH v2 00/11] Fix typos, comments and copyright"
Previous message: pr-tracker-bot: "Re: [GIT PULL] hardening fixes for v6.5-rc6"
In reply to: James Bottomley: "Re: [PATCH 0/4] keys: Introduce a keys frontend for attestation reports"
Next in thread: Jarkko Sakkinen: "Re: [PATCH 0/4] keys: Introduce a keys frontend for attestation reports"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]