Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CoRIM standard for TDX #25

Open
Xynnn007 opened this issue Mar 4, 2024 · 4 comments
Open

CoRIM standard for TDX #25

Xynnn007 opened this issue Mar 4, 2024 · 4 comments

Comments

@Xynnn007
Copy link

Xynnn007 commented Mar 4, 2024

Hi @nedmsmith . I am Ding from Confidential Containers which aiming to provide cloud native way to leverage TEE ability for containerized workload. Now I am working on the reference value publishment and consumption of the components running inside TEE (like kernel, guest firmware, ..., e.g. mr_td, rtmrs for TDX, etc.).

Two aims from my side

  • Use a standard format as carrier of reference values. CoRIM is from IETF RATS and I'd like to use it first.
  • The format should be extensible for different platforms, aiming for SGX/TDX/SNP/CCA/...

I have read the slides about CoRIM based attestation framework which follows the measurement-values-map-extension fields defined in this repo. This could help SGX to give reference values for fields like MRENCLAVE.

My question is how to apply this standard on TDX and other platforms? Is there anything I ignored or do you have any plan?

Thanks a lot!
@nedmsmith
Copy link
Owner

There are examples in https://github.com/nedmsmith/draft-cds-rats-intel-corim-profile/tree/main/cddl/examples that show Reference Values in cbor diag format. MRENCLAVE is modeled as a digest type. The Intel profile uses a different name from mrenclave. Instead, it is tee.mrtee (see -83). The name change allows sgx and tdx to use consistent naming.

@Xynnn007
Copy link
Author

Xynnn007 commented Mar 5, 2024

Thanks for your reply @nedmsmith

There is a practical problem. If I want to give a reference value manifest for tdx-module, I found there is an example

          / measurement-map / {
            / mval / 1 : / measurement-values-map / {
              / vendor / -70 : "Intel Corporation",
              / model / -71 : "TDX SEAM",
              / attributes / -82 : 60010([ 1, h'C0000000000000000000000000000000', h'FBFFFFFFFFFFFFFF0000000000000000']), / *** 16 bytes *** /
              / isvprodid / -85 : 1,
              / isvsvn / -73 : 60010([ /op.ge/ 2, 6 ]),
              / mrsigner / -84 : [
                / alg-id / 1, / sha256 /
                / digest / h'A314FC2DC663AE7A6B6BC6787594057396E6B3F569CD50FD5DDB4D1BBAFD2B6A'
              ]
            },
            / authorized-by / 2 : [
              / tagged-pkix-base64-key-type / 554("base64_key_X")
            ]

And also quote.body format for TDX defined in DCAP

typedef struct _sgx_report2_body_t {
    tee_tcb_svn_t       tee_tcb_svn;          ///<  0:  TEE_TCB_SVN Array
    tee_measurement_t   mr_seam;              ///< 16:  Measurement of the SEAM module
    tee_measurement_t   mrsigner_seam;        ///< 64:  Measurement of a 3rd party SEAM module’s signer (SHA384 hash). 
                                              ///       The value is 0’ed for Intel SEAM module
    tee_attributes_t    seam_attributes;      ///< 112: MBZ: TDX 1.0
    tee_attributes_t    td_attributes;        ///< 120: TD's attributes
    tee_attributes_t    xfam;                 ///< 128: TD's XFAM
    tee_measurement_t   mr_td;                ///< 136: Measurement of the initial contents of the TD
    tee_measurement_t   mr_config_id;         ///< 184: Software defined ID for non-owner-defined configuration on the guest TD. e.g., runtime or OS configuration
    tee_measurement_t   mr_owner;             ///< 232: Software defined ID for the guest TD's owner
    tee_measurement_t   mr_owner_config;      ///< 280: Software defined ID for owner-defined configuration of the guest TD, e.g., specific to the workload rather than the runtime or OS
    tee_measurement_t   rt_mr[4];             ///< 328: Array of 4(TDX1: NUM_RTMRS is 4) runtime extendable measurement registers
    tee_report_data_t   report_data;          ///< 520: Additional report data
}sgx_report2_body_t;

So the implied mapping here is

  • mval.attributes -> quote.body.seam_attributes
  • mval.mrsigner -> quote.body.mrsigner_seam
  • mval.isvsvn -> quote.body.tee_tcb_svn

Right?

@nedmsmith
Copy link
Owner

I believe that is a correct mapping. The thing to note is the profile relies on environment-map to disambiguate the object to which measurements apply. The DCAP usage encodes or implies the object in the measurement name. For example "mrsigner_seam" implies the seam object has the mrsigner measurement.

@Xynnn007
Copy link
Author

Xynnn007 commented Mar 7, 2024

Thanks very much. Do you have any plan inside Intel to publish reference values of TDX stack using CoRIM?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@nedmsmith @Xynnn007