Refactor CEL AppendEvent, to support RTMR #486
launcher/agent/agent.go

```go
	}

	// append TPM PCR event to eventlog
	return a.cosCel.AppendEvent(cel.CosEventPCR, event, tpmDigestsmap)
```
MeasureEvent only appends a TPM PCR event; do you have a plan to support measuring RTMR events into the event log and integrating that into the current container runner for the TDX CS image?
I think it is done in a different PR: #478
AppendEvent is now register-agnostic; the actual "extend" operation on the PCR or RTMR should be done outside the AppendEvent function.
nit: Given that MeasureEvent appends a TPM PCR event, could you rename it to something like MeasurePCREvent to distinguish it from RTMR event measurement?
server/eventlog.go

```go
	return getCosStateFromCEL(rawCanonicalEventLog, cryptoHash, pcrs.GetPcrs())
}

func parseCanonicalEventLogRTMR(rawCanonicalEventLog []byte, rtmrs [][]byte) (*pb.MachineState, error) {
```
Two things:
- could you export this function because GAV will likely consume it.
- From GAV perspective, what's the source of `rtmrs`? I know `rawCanonicalEventLog` comes from this proto field (https://source.corp.google.com/piper///depot/google3/google/cloud/confidentialcomputing/v1main/service.proto;rcl=650697927;l=231), but where can I locate `rtmrs`, which is a digest array?
RTMRs should be read from the TD quote. https://github.com/google/go-tdx-guest/blob/main/rtmr/ccel.go#L58
+1 to Yawang. Could you export this function?
You should just use the register.RTMRBank type since that's what go-eventlog and go-tdx-guest use.
> could you export this function because GAV will likely consume it.

I thought this function was only going to be consumed by server.VerifyAttestation? But sure, I can export it.
GAV will consume this function to parse and verify CosState from CEL logs for TDX RTMR. Also, it looks like this function is not called by server.VerifyAttestation in your PR changes, so I think export is needed here.
alexmwu left a comment
Given this PR has breaking changes, please note what broke (AppendEvent, Replay) in the description.
cel/canonical_eventlog.go

```go
type Record struct {
	RecNum uint64
	PCR uint8
	PCR uint8 // can also be RTMR index
```
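Review bot: the field keeps the name PCR while its new trailing comment says it can also hold an RTMR index, so every consumer of Record.PCR has to know that convention from the field comment alone. Either give the field a register-neutral name, or document on the Record type itself which register family the index refers to and how a consumer of the CEL tells a PCR record from an RTMR record.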
Did we ever check with the TCG WG about putting in an RTMR or CCMR type?
Not yet, I'll send an email.
cel/canonical_eventlog.go

```go
	}
}

func (c *CEL) AppendEvent(index int, event Content, digestsMap map[crypto.Hash][]byte) error {
```
You do not mention how callers should populate digestsMap. Regardless, passing digestsMap seems like the wrong interface since the value is derivable from content.
Maybe we should pass either a func or a type that implements an interface as follows:

```go
type Extender interface {
	// Extend hash extends the given MR bank's index with the supplied digest.
	Extend(crypto.Hash, int, []byte) error
}
```

This also has the pro of decoupling the cel package from needing a real/simulated TPM to test AppendEvent.
Thought about this; I also think it's better. We need to have the configfsi.Client type and the tpm type implement this interface; I think I can do this later.
For now I just created two separate functions for RTMR and PCR.
server/eventlog_test.go

```go
	// Faking PCR with RTMR
	imposterPcrBank := map[uint32][]byte{}
	imposterPcrBank[1] = rtmrBank.RTMRs[0].Digest
	imposterPcrBank[2] = rtmrBank.RTMRs[1].Digest
	imposterPcrBank[3] = rtmrBank.RTMRs[2].Digest
	imposterPcrBank[4] = rtmrBank.RTMRs[3].Digest
	imposterPcrs := &pb.PCRs{Hash: pb.HashAlgo_SHA384, Pcrs: imposterPcrBank}

	if msState, err = ParseCosCanonicalEventLogPCR(buf.Bytes(), imposterPcrs); err != nil {
		t.Errorf("expecting no error from parseCosEventLogRTMR(), but get %v", err)
	} else {
		if diff := cmp.Diff(msState.Cos.Container, &attestpb.ContainerState{}, protocmp.Transform()); diff != "" {
			t.Error("expect no claims when replaying against imposter PCR")
		}
		if diff := cmp.Diff(msState.Cos.HealthMonitoring, &attestpb.HealthMonitoringState{}, protocmp.Transform()); diff != "" {
			t.Error("expect no claims when replaying against imposter PCR")
		}
```
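Review bot: the failure message in the first branch names parseCosEventLogRTMR(), but the call under test is ParseCosCanonicalEventLogPCR, so a failure here would point the reader at the wrong function; update the message to match the call. In the two cmp.Diff branches the computed diff is dropped and t.Error prints the same fixed string twice, so neither failure shows which claim leaked through; include diff in both messages (for example `t.Errorf("unexpected container claims from imposter PCR replay: %s", diff)`) and make the second one refer to HealthMonitoring.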
This should go in a separate test that makes it clear what you're trying to do.
Will refactor in the next PR.
```go
}

// AppendEventPCR appends a new PCR record to the CEL.
func (c *CEL) AppendEventPCR(tpm io.ReadWriteCloser, pcr int, hashAlgos []crypto.Hash, event Content) error {
```
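Review bot: the doc comment only says the function appends a record, yet the signature takes a `tpm io.ReadWriteCloser`, a `pcr` index and a `hashAlgos` list, which tells the caller nothing about what is done with the TPM. State in the comment whether AppendEventPCR also extends `pcr` on that TPM for each algorithm in `hashAlgos`, in which order the extend and the append happen, and what state the CEL is left in if the TPM call fails, since a caller that verifies the log later depends on those guarantees.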
I will again note that adding an AppendEvent[RegisterType] seems like the wrong interface. We will have to add a new one if we ever want to support NV registers, ARM registers, SVSM-simulated registers, GPU registers, etc. This also introduces new dependencies every time we support a new register type, since we have to create AppendEventARM and then import the ARM register library. Hopefully that's not often, but it's possible other companies decide to follow the Intel model.
I do think passing an extend func/interface as a parameter is the right call due to the decoupling, but I will leave this as optional.
Agree, AppendEvent should work on arbitrary register types (instead of creating one AppendEvent for each). The change involves upstream go-tdx-guest; I will keep this for now and update it in a later PR.
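The register-agnostic AppendEvent with an Extender parameter discussed in this thread, together with the "imposter register" replay check from the eventlog_test.go excerpt above, worked through as an added example. This is not code from the PR or from the go-tpm-tools project: the Extender method shape, the Record, CEL and fakeBank types, the simplified record layout and the constructed events are all assumptions made for the illustration; only the extend rule new = H(old || digest) and the use of SHA-384 for RTMRs follow how the real registers behave.

```go
package main

import (
	"bytes"
	"crypto"
	_ "crypto/sha256" // registers crypto.SHA256 (PCR-style bank)
	_ "crypto/sha512" // registers crypto.SHA384 (TDX RTMRs are SHA-384)
	"fmt"
)

// Extender is the interface suggested in the review (assumed shape): the register owner, not the CEL, does the extend.
type Extender interface {
	Extend(h crypto.Hash, index int, digest []byte) error
}

type Record struct { // simplified CEL record (assumed layout)
	Index   uint8 // PCR or RTMR index; the record does not care which
	Digests map[crypto.Hash][]byte
}

type CEL struct{ Records []Record } // in-memory log, assumed for the example

// AppendEvent is register-agnostic: hash content per algorithm, extend through
// ext, and append the record only after every extend succeeded.
func (c *CEL) AppendEvent(ext Extender, index int, hashes []crypto.Hash, content []byte) error {
	digests := make(map[crypto.Hash][]byte, len(hashes))
	for _, h := range hashes {
		hh := h.New()
		hh.Write(content)
		digests[h] = hh.Sum(nil)
		if err := ext.Extend(h, index, digests[h]); err != nil {
			return fmt.Errorf("extend register %d with %v: %w", index, h, err)
		}
	}
	c.Records = append(c.Records, Record{Index: uint8(index), Digests: digests})
	return nil
}

// extendValue is the update rule PCRs and RTMRs share, new = H(old || digest); a never-extended register (nil) counts as all zero bytes.
func extendValue(h crypto.Hash, old, digest []byte) []byte {
	if old == nil {
		old = make([]byte, h.Size())
	}
	hh := h.New()
	hh.Write(old)
	hh.Write(digest)
	return hh.Sum(nil)
}

// fakeBank is an in-memory register bank standing in for a TPM or the TDX RTMR interface, so AppendEvent runs without hardware.
type fakeBank struct {
	hash crypto.Hash
	n    int            // number of registers
	regs map[int][]byte // absent entry means never extended
}

func (b *fakeBank) Extend(h crypto.Hash, index int, digest []byte) error {
	if h != b.hash || index < 0 || index >= b.n {
		return fmt.Errorf("bank has no %v register %d", h, index)
	}
	b.regs[index] = extendValue(h, b.regs[index], digest)
	return nil
}

// Replay recomputes every register the log touches and reports, per index, whether it equals the attested bank; a mismatch means no claims for that index.
func Replay(c *CEL, h crypto.Hash, bank map[int][]byte) map[int]bool {
	replayed := map[int][]byte{}
	for _, r := range c.Records {
		if d, ok := r.Digests[h]; ok {
			replayed[int(r.Index)] = extendValue(h, replayed[int(r.Index)], d)
		}
	}
	result := map[int]bool{}
	for idx, v := range replayed {
		result[idx] = bytes.Equal(v, bank[idx])
	}
	return result
}

// Demo appends two constructed events to RTMR[2], then replays the log against the genuine bank and
// against an "imposter" bank holding the same digests shifted by one index (the test's RTMR[i] -> PCR[i+1] trick).
func Demo() (genuine, imposter map[int]bool, err error) {
	rtmrs := &fakeBank{hash: crypto.SHA384, n: 4, regs: map[int][]byte{}}
	cel := &CEL{}
	for _, ev := range []string{"image=example/app:1.0", "env=LOG_LEVEL=info"} { // constructed events
		if err = cel.AppendEvent(rtmrs, 2, []crypto.Hash{crypto.SHA384}, []byte(ev)); err != nil {
			return nil, nil, err
		}
	}
	shifted := map[int][]byte{}
	for i, v := range rtmrs.regs {
		shifted[i+1] = v
	}
	return Replay(cel, crypto.SHA384, rtmrs.regs), Replay(cel, crypto.SHA384, shifted), nil
}

func main() {
	fmt.Println(Demo()) // map[2:true] map[2:false] <nil>
}
```

Because the extend is behind the Extender interface, the same AppendEvent serves a SHA-256 PCR bank, a SHA-384 RTMR bank, or any future register type, and the cel package can be tested with fakeBank instead of a TPM simulator. The replay against the shifted bank fails for index 2 even though the digests are genuine, which is the property the imposter-PCR test relies on: a log only yields claims for registers whose replayed value matches what was actually attested.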
Add new RTMR CEL AppendEventRTMR
Redirect AppendEvent to AppendEventPCR
Signed-off-by: Jiankun Lu <[email protected]>
CEL code was written based on TPM PCRs. Now we want to support RTMR-based CEL.