
vTPM support

Open drasko opened this issue 2 years ago • 2 comments

Hello, does linux-svsm already implement vTPM support, and are there some examples that show how to use this to achieve a vTPM in the guest OS?

drasko, Aug 17 '23 14:08

Hi @drasko, I started porting the vTPM proof-of-concept to both the AMDESE/linux-svsm.git and coconut-svsm/svsm.git, but that's not complete. Do you have any specific use case for it?

cclaudio, Aug 21 '23 18:08

Hi @cclaudio - first, thanks for the exceptional work you are doing!

We (Ultraviolet) are working on cocos.ai, and currently we are using AMD SEV-SNP. We are able to do a usual AMD measurement from the guest, but it takes into account only the UEFI OVMF block. AMD considers that the integrity of the other SW booting phases (notably kernel and rootfs) needs to be established via a chain of trust. This is where we intend to use a vTPM.

Currently, we are changing/configuring EDK2 TianoCore to use Secure Boot with the subsequent artifacts - notably kernel and initramfs, which we try to boot exclusively in RAM - and this might be sufficient for putting trust in the whole CVM. But on the other hand it might not be, and then the only tool we can think of that can help is a TPM. Probably even when we enable Secure Boot we will still need a TPM or an additional check and trust.

As soon as we finish our work on Secure Boot, we will try to help with your work and contribute as much as we can.

drasko, Aug 21 '23 18:08
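How the chain of trust drasko describes is built with a (v)TPM, as an added example that is not from this thread, linux-svsm or cocos.ai: each boot stage hashes the next artifact (OVMF, kernel, initramfs) and extends it into a PCR, and a verifier replays the event log against the quoted PCR and a set of reference digests. The artifact bytes, stage names and single PCR are constructed for illustration.

```python
import hashlib

PCR_SIZE = 32  # one SHA-256 PCR bank

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new_pcr = H(old_pcr || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def measure(artifact: bytes) -> bytes:
    return hashlib.sha256(artifact).digest()

def measured_boot(artifacts):
    """Guest side: measure each stage into the PCR, keep an event log of
    (stage, digest). Returns (final_pcr, log)."""
    pcr, log = bytes(PCR_SIZE), []
    for name, data in artifacts:
        d = measure(data)
        pcr = pcr_extend(pcr, d)
        log.append((name, d))
    return pcr, log

def replay_log(log) -> bytes:
    pcr = bytes(PCR_SIZE)
    for _, d in log:
        pcr = pcr_extend(pcr, d)
    return pcr

def verify(quoted_pcr, log, expected):
    """Verifier side. A real deployment takes quoted_pcr from a TPM quote
    signed by the attestation key; here it is passed in directly.
    The log must replay to the PCR (a lying log is caught here), and
    every stage digest must equal the reference for that stage."""
    if replay_log(log) != quoted_pcr:
        return False, "event log does not replay to quoted PCR"
    for name, d in log:
        if expected.get(name) != d:
            return False, f"unexpected measurement for {name}"
    return True, "ok"

# Constructed sample artifacts standing in for the real boot images.
GOOD = [("ovmf", b"OVMF.fd sample"), ("kernel", b"vmlinuz sample"),
        ("initramfs", b"initrd sample")]
EXPECTED = {name: measure(data) for name, data in GOOD}

def demo():
    ok, _ = verify(*measured_boot(GOOD), EXPECTED)
    tampered = GOOD[:2] + [("initramfs", b"initrd sample MODIFIED")]
    bad, reason = verify(*measured_boot(tampered), EXPECTED)
    return ok, bad, reason
```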