Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Broaden the specification's scope to embedded systems with simpler hardware and reduced functionalities #75

Merged
merged 48 commits into from
Apr 22, 2024
Merged

Broaden the specification's scope to embedded systems with simpler hardware and reduced functionalities #75

merged 48 commits into from
Apr 22, 2024

Conversation

wojciechozga
Copy link
Contributor

@wojciechozga wojciechozga commented Apr 5, 2024
edited
Loading

Guerney and I introduce in this PR changes to the CoVE spec that make the spec suitable for broader number of use cases, like embedded systems, simpler processors, systems designed under the formal verification regime, such as assured confidential execution (ACE) that we develop as open source project: https://github.com/IBM/ACE-RISCV

  • We propose to add a new deployment model to address embedded systems with limited functionality needs. See newly added Appendix D.
  • We propose to allow for static and dynamic memory partitioning. Static partitioning can be done with PMP/IOPMP and thus relaxes the requirement for more complex hardware to support CoVE. Consequently, we propose to not mandate MTT.
  • We propose to allow for a different (simpler) way of creating a TVM: Single-step TVM creation. This would be an alternative to the current Multi-step TVM creation. To make it possible we propose to add a new COVH call: covh_promote_to_tvm()
  • We propose to support the local attestation that suits needs of embedded systems that might not have access to network. To make it possible, we propose to add a new COVG call: covg_retrieve_secret()
  • We propose to not mandate AIA.

gdhh and others added 23 commits March 26, 2024 12:57
@gdhh
Added definition of relying party. Updated description of multi-socke…
dbb43fe 
…t system
@gdhh
Added text to overview to allow for non smmtt implementations
b305304
@wojciechozga
Modified overview to specify that TSM-driver and TSM might run togeth…
56ad0b9 
…er in M-mode
@wojciechozga
Added description of TVM initialization
01eeb73
@wojciechozga
updated figure
1eae743
@wojciechozga
Updated SBI COVE to include promote_to_tvm call. Filled appendix D wi…
cfad83d 
…th details of the deployment model
@gdhh
Updates to the Intro to Chpater 4
76a3434 
This section has been updated to introduce the concept of COVE on a
system without Smmtt.
@gdhh
Update Section 4.4 TVM Security Requirements to address threat model
7339e6e 
There are two updates here to the second line in the tabel labeled Memory
Confidentiality. The first is to change MMU to xMMU because the IO/MMU may
also be affected. The second is to make this optional. The line above it
and this line should probably be combined. The previous line subsummes
this line. IF you prevent non-TCB components from reading TEE memory it
does not matter if the TEE memory is encrypted.
@gdhh
Updtes to chapter 5 for deployment model 3.
e76e249 
Update to integrate deployment model 3 at the appropriate locations
@gdhh
Updates to chapter 6 to allow for local attestation
84e825b 
For some use cases local attestation is arequrement because the
system running the TVM will/may not have connectivity to a
remote verifyer.
@gdhh
Updates to chapter 7 TVM Lifecycle
fab5821 
Additions/changes made to allow for deployment model 3. In deployment
model 3 Smmtt is not required so some text had to be modified.
@gdhh
Updates for Appendix D
b84b762 
Reformatting of the source and minor syntax corrections.
@gdhh
Update to local attestation in Appendix D
053863e 
A more through descripion of how local attestation worked for PEF.
something like this needs to be in Appendix D.
@wojciechozga
pass over Guerneys modifications
c3c52ad
@wojciechozga
pass over overview and refarch
2ede03f
@gdhh
Clairfy that Smmtt is not required
eccab6d 
Added a few sentences to make it clear that processors without
Smmtt can support COVE.
@gdhh
Put in the requirement for hypervisor mode.
ac8c729
@gdhh
Expand the description of local attestation
1d498ff 
Add some text describing the requirements for mutual local attestation. By
mutual we mean that the embedded platform can verify that the VM/TVm is
authorized to run on the platform. The VM/TVM must also be able to
verify that the platform configuration is correct.
@wojciechozga
Described two ways of creating TVMs. Relaxed need for MTT
556b010 
Signed-off-by: Wojciech Ozga <[email protected]>
@wojciechozga
updated figure 12
81bc431 
Signed-off-by: Wojciech Ozga <[email protected]>
@gdhh
Revise the description of local attestation
04b975f 
Local attestation for embedded systems should not require both of
the properties previously listed. When a system is disconnected
and the creator will only their firmware to run, mutual
verification is not required.
@wojciechozga
typos
ac28a56 
Signed-off-by: Wojciech Ozga <[email protected]>
@wojciechozga
Pass over local attestation
0a84f2c 
Signed-off-by: Wojciech Ozga <[email protected]>
@rsahita rsahita self-assigned this Apr 5, 2024
rsahita
rsahita reviewed Apr 5, 2024
View reviewed changes
specification/glossary.adoc Outdated Show resolved Hide resolved
rsahita
rsahita reviewed Apr 7, 2024
View reviewed changes
specification/.DS_Store Outdated Show resolved Hide resolved
@atishp04
Copy link
Contributor

Few broader questions:

  1. As per the discussion in the RVI meeting: Keeping the TSM in M-mode helps in formal verification. As per my understanding it requires OpenSBI to be formally verified as well. If we run OpenSBI in M-mode and TSM in HS mode, the formal verification effort will be the same. Isn't it ?

Do we require more involved formal verification because of privilege mode changes ?
If deployment model 3 is aimed for embedded use case, TSM can just run HS mode without any M-mode involvement. This also reduces the TCB to be verified.
Note: I don't have formal verification background. Thus, I may be asking stupid questions :)

Wojciech also replied to this. Fundamentally it appears that are proposing another deployment model. On a processor with hypervisor mode but without smmtt there are two approaches to running the TSM in HS mode. A) running the TSM beside the hypervisor (sharing HS with the hypervisor), B) it replaces the hypervisor, or C) deprivilege the hypervisor. A or B imply mean more code in the TSM and therefore more complexity to verify. C is a simplification of B. By moving the Hypervisor to S mode (a form of deprivilege). This would provide hardware separation between the TSM and the hypervisor however, all request from all VMs would have to be routed via the TSM. Whereas in the current approach only

Not necessarily if the non-confidential VMs are run as a nested VM. But TSM does have to some additional H-mode state to enable that.

request from confidential VM are routed through the TSM. (supporting confidential computation has minimal impact on normal VMs.) If this is a correct understanding of your proposal I agree that if we are successful in proving the TSM in our proposed model that proof could be leveraged for the model you have proposed. But I do not think that the current work we are doing would be sufficient to prove the new model. I believe that there would be more work, even though OpenSBI is running separately in M mode.

Agreed. I was just trying to understand the challenges of formal verification between running different models. It seems it boils down to more complex TSM code/additional privilege state management vs more code in M-mode.

As per my understanding from your and @wojciechozga's response, the later is easier. But if we can axiomatize hardware implementation and verifying only a subset of TSM functionality is okay, it shouldn't matter. Isn't it ?

@gdhh
Copy link
Contributor

gdhh commented Apr 12, 2024

Not necessarily if the non-confidential VMs are run as a nested VM. But TSM does have to some additional H-mode state to enable that.

request from confidential VM are routed through the TSM. (supporting confidential computation has minimal impact on normal VMs.) If this is a correct understanding of your proposal I agree that if we are successful in proving the TSM in our proposed model that proof could be leveraged for the model you have proposed. But I do not think that the current work we are doing would be sufficient to prove the new model. I believe that there would be more work, even though OpenSBI is running separately in M mode.

Agreed. I was just trying to understand the challenges of formal verification between running different models. It seems it boils down to more complex TSM code/additional privilege state management vs more code in M-mode.

I think this is a reasonable summary.

As per my understanding from your and @wojciechozga's response, the later is easier. But if we can axiomatize hardware implementation and verifying only a subset of TSM functionality is okay, it shouldn't matter. Isn't it ?

I believe that by verifying only a subset of TSM functionally you mean that only the functionality that affects TVM. I do not think that this is a good approach. Because the VMs and TVMs would be sharing the same TSM the side channel issue discussed below has to be considered.

If by nested VMs you mean running a second level hypervisor that services all non confidential VMs. That could possibly work (assuming the correct hardware support). However, it is more complex than what we have proposed. The other issue is that unless we change the hardware implementation, the second level hypervisor would possibly have to get services from the TSM.

In addition to proof complexity, once the TSM is servicing anyone other than TVMs we open up the possibility of side channels. In particular we would have to show that there is no way to leak information between the TVS and the VMs (or second level hypervisor). Essentially, you need to show that nothing the VMs do will influence the TVMs and that none of the VM request will be influenced by the TVMs. I believe that it is possible to build a system with this approach where this is true. But it puts an additional architecture and proof burden on the system that the approach we have proposed does not have. The TSM only services one call from the VMs. That call results in the VM either being terminated because it fails attestation or becoming a TVM. Properly chosen cryptographic algorithms and key length (and key material) means that try fail semantics to break into the system would take too long to be practical.

Our current proof approach is not without side channel issues. We have to show that TVMs do not leak information to one another because they share the same TSM. Our approach to this might also work for an approach where the TSM services both, but that is a complexity we are avoiding. My statement on the required additional proof work is only an observation of the amount of work to be done and not a judgement as to whether it can be done. We are still in the process of proving the current approach so we do not know whether we will be successful, but we suspect so. We want to add some additional capabilities but not until we have a proven base.

gdhh
gdhh reviewed Apr 12, 2024
View reviewed changes
specification/sbi_cove.adoc Outdated Show resolved Hide resolved
rsahita
rsahita reviewed Apr 15, 2024
View reviewed changes
Copy link
Collaborator

@rsahita rsahita left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

after thinking some more, had a couple questions on the promote abi @wojciechozga

rsahita
rsahita requested changes Apr 18, 2024
View reviewed changes
Copy link
Collaborator

@rsahita rsahita left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm = w/ one comment - thanks

gdhh
gdhh reviewed Apr 19, 2024
View reviewed changes
Copy link
Contributor

@gdhh gdhh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

line 198 should be: The NACL memory interface is between the TSM and the host, and the TSM is

@gdhh
Update sbi_cove.adoc
8c09d6b 
Syntax changes for clarification.

Signed-off-by: Guerney D. H. Hunt <[email protected]>
@gdhh
Copy link
Contributor

gdhh commented Apr 19, 2024

I reviewed the changes an made a few minor corrections for clarity.

@wojciechozga wojciechozga requested a review from rsahita April 19, 2024 14:00
@wojciechozga @rsahita
Update specification/sbi_cove.adoc
4cbacfd 
Co-authored-by: Ravi Sahita <[email protected]>
Signed-off-by: Wojciech Ozga <[email protected]>
rsahita
rsahita approved these changes Apr 22, 2024
View reviewed changes
Copy link
Collaborator

@rsahita rsahita left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seems ok to merge now (will merge today afternoon unless any objections)
@atishp04 @eckhard-delfs-qualcomm @wojciechozga @gdhh

@rsahita rsahita merged commit 94d4389 into riscv-non-isa:main Apr 22, 2024
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eckhard-delfs-qualcomm eckhard-delfs-qualcomm eckhard-delfs-qualcomm left review comments

@atishp04 atishp04 atishp04 left review comments

@rsahita rsahita rsahita approved these changes

@gdhh gdhh gdhh approved these changes

Assignees

@rsahita rsahita

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@wojciechozga @atishp04 @gdhh @rsahita @eckhard-delfs-qualcomm