riscv-non-isa/riscv-ap-tee

AP-TEE event log

jyao1 opened this issue · 10 comments

Since AP-TEE includes dynamic_measurements, should AP-TEE also need a measurement event log?

Other attestation-related specs defined the event log clearly, such as

Do we want to use a similar concept to add a RISC-V extension for the CC event log?

This is a direction check. If we do want to, we can work out next level detail.

For example, we may need to add an extension to the UEFI spec:

```c
#define EFI_CC_TYPE_RISCV_COVE  3
```

This is a good idea to maintain compatibility @jyao1 - would this add requirements into the CoVE ABI or would it be limited to the UEFI (TVM guest firmware)?

My recommendation is:

  1. Submit a RISCV COVE proposal to the UEFI specification. If you agree, I can help on this.
  2. Just mention CoVE ABI, that: if a UEFI firmware is used to initialize the RISCV COVE guest environment, then refer to the UEFI specification confidential computing chapter for CC runtime measurement extension and event log creation.

> My recommendation is:
>
> 1. Submit a RISCV COVE proposal to the UEFI specification. If you agree, I can help on this.

I think we should proceed with that, yes. @rsahita do you agree?

> 2. Just mention CoVE ABI, that: if a UEFI firmware is used to initialize the RISCV COVE guest environment, then refer to the UEFI specification [confidential computing chapter](https://uefi.org/specs/UEFI/2.10/38_Confidential_Computing.html) for CC runtime measurement extension and event log creation.

Right, so there would not be any CoVE ABI impact, but only a spec addition describing that if a TVM boots a UEFI firmware, then it may provide the UEFI CC protocol (unless the firmware implements a full virtual TPM iiuc).

@rsahita have we reached consensus to submit the UEFI spec change?

Sorry for the delay - yes, let's submit the required request to the UEFI spec.

Added a note in the spec - PR #73
cc @jyao1

Thanks @rsahita, I created CodeFirst - Add RISC-V CC-EventLog 002.docx.

Please review it and give feedback.

Once we agree on the content in the AP-TEE TG, we can submit to UEFI together.

Thank you @rsahita, I have submitted to https://bugzilla.tianocore.org/show_bug.cgi?id=4738, and UEFI mantis 2449.

Update CodeFirst.-.Add.RISC-V.CC-EventLog.003.docx with informative text - adding URL for AP-TEE.

Thanks - closing this issue.