openvmm icon indicating copy to clipboard operation
openvmm copied to clipboard
verified publisher icon microsoft

Support dynamic command line & debug tracing with attested measurement

Open cperezvargas opened this issue 10 months ago • 4 comments

We want the ability to allow a dynamic command line for diagnostics and debugging, but we need some way to claim in the measurement if the dynamic portion of the command line is empty or not. Additionally, we need the way to enable additional traces and have that reflected in the measurement.

Summarizing in a different way, we shouldn't need two separate IGVM files to support a confidential launch and a non-confidential, debug launch.

cperezvargas avatar Jan 20 '25 19:01 cperezvargas

FYI @chris-oo and @mebersol making sure this is on your radar

cperezvargas avatar Jan 20 '25 19:01 cperezvargas

I think what we'd want to do here is have the bootshim report via dt the unmeasured portion of the command line (if any), since the bootshim is the only part that knows what the static and dynamic parts are. Then in usermode, we can attest to just the dynamic portion.

That should be pretty easy, I'll post a PR for that later today.

chris-oo avatar May 29 '25 17:05 chris-oo

@chris-oo Do you know: do we just need a true/false for whether the dynamic part is empty, or do we need more detail in the attestation?

stunes-ms avatar May 29 '25 17:05 stunes-ms

I don't know - I think that's something we'll need to discuss with the attestation folks. In my PR I intend to report the string contents of the dynamic part.

chris-oo avatar May 29 '25 17:05 chris-oo

@jstarks Sarah told me this ties into your device filtering work; do you know exactly what needs to be attested in the dynamic command line?

stunes-ms avatar May 30 '25 20:05 stunes-ms