Re: [PATCH v2 3/5] virt: sevguest: Prep for kernel internal {get, get_ext}_report()

From: Dionna Amalie Glaze
Date: Wed Aug 16 2023 - 15:39:39 EST


> Definitely, instead it was this comment from James that gave me pause:
>
> "To get a bit off topic, I'm not sure derived keys are much use. The
> problem is in SNP that by the time the PSP does the derivation, the key
> is both tied to the physical system and derived from a measurement too
> general to differentiate between VM images (so one VM could read
> another VM's stored secrets)."
>

Key derivation on AMD SEV-SNP is not necessarily tied to a physical
system with the introduction of VLEK-based attestation. It's now tied
to a CSP's fleet of machines. We can use key derivation in the SVSM as
a basis for further key derivation based on measurement registers, so
the utility increases to provide something like persisted sealed data
that can only be unsealed when the SVSM witnesses a particular runtime
measurement configuration.
We can use NIST 800-90A Rev. 1 for combining keys from the PSP with
measurement register values for example.

> http://lore.kernel.org/r/c6576d1682b576ba47556478a98f397ed518a177.camel@xxxxxxxxxxxxxxxxxxxxx




--
-Dionna Glaze, PhD (she/her)
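The sealing scheme sketched in the message above (PSP-derived key combined with SVSM measurement register values, unsealable only under the same measurement configuration), written out as an added Python example that is not code from this thread or the kernel. The PSP key and the measurement register contents are constructed stand-ins, the combining step uses HKDF (RFC 5869) rather than the 800-90A construction the message mentions, and the XOR keystream plus HMAC tag is an illustrative stand-in for a real AEAD.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the key the PSP hands the SVSM; real values come from firmware.
PSP_KEY = hashlib.sha256(b"constructed PSP-derived key").digest()

# Constructed stand-in for SVSM measurement registers: {register index: digest}.
MEASUREMENTS = {0: hashlib.sha384(b"svsm image").digest(),
                1: hashlib.sha384(b"guest kernel").digest()}

def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk, info, length):
    # RFC 5869 HKDF-Expand with HMAC-SHA256 (length must stay below 255 * 32 bytes).
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def sealing_key(psp_key, measurements):
    # Bind the key to the exact register set: index, length and digest of each register,
    # in register order, so a changed or missing register yields a different key.
    canonical = b"".join(bytes([i]) + len(d).to_bytes(2, "big") + d
                         for i, d in sorted(measurements.items()))
    prk = hkdf_extract(hashlib.sha256(canonical).digest(), psp_key)
    return hkdf_expand(prk, b"svsm-sealing-key", 64)  # 32 bytes enc || 32 bytes mac

def seal(psp_key, measurements, plaintext):
    # Encrypt-then-MAC with an HMAC-derived keystream: a stand-in for an AEAD, not production crypto.
    key = sealing_key(psp_key, measurements)
    nonce = os.urandom(16)
    stream = hkdf_expand(key[:32], b"keystream" + nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(psp_key, measurements, blob):
    # Returns None when the current measurements (or PSP key) do not reproduce the tag.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    key = sealing_key(psp_key, measurements)
    expected = hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hkdf_expand(key[:32], b"keystream" + nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))
```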