Feature: Fetch OVMF and kernel command line arguments

Question

Feature: Fetch OVMF and kernel command line arguments

Closed this issue a month ago · 3 comments

danko-miladinovic commented 3 months ago

Is your feature request related to a problem? Please describe.

This feature will enable the client (the member of the consortium) to fetch the missing information to calculate the measurement. The OVMF version, the kernel command line arguments, and the number of vcpus and vcpu-type.

Describe the feature you are requesting, as well as the possible use case(s) for it.

The idea is to enable the users to calculate the expected measurement that is needed during the aTLS verification and validation process.

Indicate the importance of this feature to you.

Must-have

Anything else?

No response

Answer 1 · 2024-09-11T12:12:06.000Z

This potentially opens an attack vector because now we need to trust the manager-backend communication. We need to discuss this one @drasko @danko-miladinovic.

Answer 2 · 2024-09-11T12:24:35.000Z

@dborovcanin this is OK, because these measurements are signed with AMD firmware and SEV-SNP keys in the HW.

I would like to have more detailed explication how this approach maps to IETF RATS spec.

Answer 3 · 2024-09-25T14:08:06.000Z

This is resolved in #245 by adding a measurement directly to the backend.