can guest vm verify tdx
matti opened this issue · comments
Can guest vm know if it's being run in TDX?
E.g. if Azure claims that the machine is TDX enabled, how can I be sure?
Good suggestion, we will provide a simple script to check TDX guest status. @intelzhongjie @ruomengh could you please help with that?
from inside of the vm?
> from inside of the vm?
yes
Please review: #333
This script does not check if the guest is running as a secure vm - it only checks what /proc has - it's possible to fake /proc contents
/proc comes from CPUID, but CPUID could be fake too. Within the TDX guest, I did not know of any other approach that can check.
From the host, you can dump guest memory..
@kenplusplus I read the pdf you linked in another issue and isn't this described there as some attestation thing? Almost 50% of the pages address this "how can vm verify the trust"
see this, "measurement and attestation"
Attestation is indeed a formal way to do the check if that's the requirement. Some more work is needed for that than current quick simple status check: #333
And as Matti pointed out, for now, I think users can follow the way in our document to do that attestation: https://cdrdv2-public.intel.com/780133/779108%20White%20Paper%20-%20Linux%20Stack%20for%20Intel%C2%AE%20TDX-v0.9.pdf#page37
("measurement and attestation")
Thanks @matti @intelzhongjie, you are correct: the TDVMCALL CPU instruction can only happen within a TD guest, and the /dev/tdx-guest device node will only be created in a TD guest.
@kenplusplus but, I can create /dev/tdx-guest device node in any qemu/kvm machine even without TDX enabled cpu and fake it.
The key point is not /dev/tdx-guest, the key point is TDVMCALL instruction
@kenplusplus okay but can you elaborate on that - why can't I implement custom TDVMCALL on non tdx-enabled host hardware?
but if somebody still implements it, how can I verify the signature?
so what I am looking for:
- a vm is started on hostile host machine
- vm downloads binary from my url
- vm runs this binary and verifies SOMEHOW that this environment is secure despite the hostile host machine
- vm posts this proof to my url
- my url responds with confidential data ONLY if proof is verified
- vm processes this confidential data
so what's the sauce for SOMEHOW here?
> but if somebody still implements it, how can I verify the signature?
- it is a CPU instruction, so somebody can only create their own CPU...
- also, when doing TDREPORT for remote attestation, the TDREPORT includes the CPU/PCH/SEAM signature, so the remote relying party will verify whether it is a genuine environment.
> it is a CPU instruction, so somebody can only create their own CPU...
But isn't it possible to modify qemu so that I'll create my own CPU instruction?
> > it is a CPU instruction, so somebody can only create their own CPU...
> But isn't it possible to modify qemu so that I'll create my own CPU instruction?
But you could not get a genuine Quote from TDREPORT, which includes the measurement and CPU version and which is signed by the SGX attestation key.
@kenplusplus okay got it thanks - now can you provide a sample on this verification? I read the linked pdf and it does not contain a concrete example on how to do this.
Please check chapter 4.3, Attestation, of the white paper at https://www.intel.com/content/www/us/en/content-details/780133/whitepaper-linux-stacks-for-intel-trust-domain-extension-1-0.html
After generating the quote, the following commands could be used to verify the quote:
$ git clone https://github.com/intel/SGXDataCenterAttestationPrimitives.git
$ cd SGXDataCenterAttestationPrimitives/SampleCode/QuoteVerificationSample
$ make SGX_DEBUG=1
$ ./app -quote /quote.dat
You might take a look at source code like https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/4cb5c8b81f126f9aa3ee921d7980a909a9bd676d/QuoteVerification/QuoteVerificationService/src/qvl/VerifyQuoteWorker.cpp#L34
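The relying-party side of the flow asked about earlier in the thread (server issues a nonce, guest returns a quote, server releases data only if the checks pass), as an added example that is not from the thread, tdx-tools or Intel. It covers only the policy checks made after the quote's signature chain has been verified with Intel's verifier (such as the QuoteVerificationSample above); the SHA-512(nonce || pubkey) binding convention, the function names and the sample bytes are assumptions, and the field offsets follow the v4 quote layout in Intel's DCAP headers.

```python
import hashlib
import hmac
import os
import struct

HEADER_LEN = 48                    # quote v4 header
BODY_LEN = 584                     # TD report body
TEE_TYPE_TDX = 0x81                # 0 would mean an SGX quote
MRTD_OFF = HEADER_LEN + 136        # after tee_tcb_svn, mrseam, mrsignerseam, 3 x 8-byte attrs
REPORTDATA_OFF = HEADER_LEN + 520  # last 64 bytes of the body


def expected_report_data(nonce, guest_pubkey):
    """Assumed binding convention: REPORTDATA = SHA-512(nonce || pubkey)."""
    return hashlib.sha512(nonce + guest_pubkey).digest()


def check_quote_claims(quote, nonce, guest_pubkey, allowed_mrtd):
    """Policy checks on a quote whose signature chain was ALREADY verified."""
    if len(quote) < HEADER_LEN + BODY_LEN:
        return False, "quote truncated"
    version, _key_type, tee_type = struct.unpack_from("<HHI", quote, 0)
    if version != 4 or tee_type != TEE_TYPE_TDX:
        return False, "not a v4 TDX quote"
    mrtd = quote[MRTD_OFF:MRTD_OFF + 48]
    if mrtd not in allowed_mrtd:
        return False, "unexpected MRTD (TD build measurement)"
    report_data = quote[REPORTDATA_OFF:REPORTDATA_OFF + 64]
    if not hmac.compare_digest(report_data, expected_report_data(nonce, guest_pubkey)):
        return False, "REPORTDATA not bound to this nonce/key (stale or replayed)"
    return True, "ok"


def build_sample_quote(mrtd, report_data):
    """Constructed, unsigned test bytes laid out like a v4 quote; not a real quote."""
    header = struct.pack("<HHI", 4, 2, TEE_TYPE_TDX).ljust(HEADER_LEN, b"\0")
    body = bytearray(BODY_LEN)
    body[136:184] = mrtd
    body[520:584] = report_data
    return header + bytes(body)


if __name__ == "__main__":
    nonce, key = os.urandom(32), b"constructed-guest-public-key"
    good_mrtd = bytes.fromhex("11" * 48)  # constructed value
    quote = build_sample_quote(good_mrtd, expected_report_data(nonce, key))
    print(check_quote_claims(quote, nonce, key, {good_mrtd}))            # fresh nonce
    print(check_quote_claims(quote, os.urandom(32), key, {good_mrtd}))   # replayed quote
```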
@kenplusplus awesome, I'll get my tdx hardware next week
> @kenplusplus awesome, I'll get my tdx hardware next week
Good news! Good luck. Hope tdx-tools can really help you.