What is an mkey really? #230
Comments
|
As far as I know Intel isn't using mkey. I agree that the 'sub-environment' philosophical context doesn't make a lot of sense, but it has been used to provide some additional context in terms of providing hints for identifying the entity that is responsible for the environment-map name space. But as an extensible value, it could be used for other things too. I don't think it is absolutely necessary to try to resolve the philosophy / justification right now, but it may be worth some text that discourages its use? |
This statement seems like a non-sequitur. Does it belong in a different issue? |
|
I believe the original intent was for mkey values to be created as part of manifest authoring. |
|
When you say manifest authoring, are you talking about reference manifests or manifests that are reflected from evidence at the time of verification? The latter is the part I'm confused about. I don't know how you identify an ephemeral SPDM channel ahead of time for reference values. |
Reference/Endorsement Manifests
Consider a hot-plug use case (or other similar use case) where a component is discovered to be in the system but a Reference / Endorsement Manifest didn't predict its discovery. Lets say it was a second NIC card. Upon insertion a system bus starts reporting activity on the endpoint. An Attesting Environment might collect claims and include additional evidence. If only the class-map environment is used, both NICs would have the same measurements, but there would be two instances of evidence. How should a Verifier disambiguate the two? Possibly there was a glitch that reported the same evidence block twice? Or it was a hot-plug event that shows two NICs when there used to only be one. If the Attesting Env had a way to disambiguate each NIC, that might help the Verifier. One possible approach is to leverage mkey to encode bus endpoint identifiers (but an alternative is to define a new measurement/claim type and add it to the other measurements in the evidence block) - I don't think this is resolved yet. In terms of handling reference values, it is possible that an endorsement manifest reports the existence of the system bus. But it can't know if the endpoint is populated (until the hot plug event). The ephemeral SPDM channel use case seems to have similar dynamics. The challenge with SPDM and the way it reports evidence is there isn't the logical equivalent of |
|
Attesters report evidence though, not reference values and endorsements. There's a phase distinction between provisioning and runtime here. I don't think that attesters should be reusing CoRIM as a representation of evidence, here adding in some kind of mkey metadata. |
yogeshbdeshpande
added
the
preferable first release
Evidence needs to follow the schema of the reference values (or vice versa), otherwise, there needs to be a schema translation layer built into the tooling. The RATS Arch and Endorsement I-D point to the complexity issues associated with both schema translation and format translation. There are existing specs in TCG that are aligned with CoMID at the ECT level of abstraction. One defines CBOR encoding while the other an BER encoding. Both align with the CoRIM schema's ECT structures. The use of mkey to solve a real problem is only one possible approach. I'm not advocating necessarily for this approach. |
This issue, #230, is referenced from issue #70. A resolution to #70 is needed which may resolve the #230 thread as well? It isn't clear to me that there is an issue here. The thread seems to be soliciting clarification and context. Hence, I think its premature to prioritize it as something to be fixed. Issue #248 also has an |
|
I can appreciate that the translation step can be a burden, but you have a very real problem here for phase distinction. Can we have a shared base CDDL that both evidence and CoRIM use to avoid problems in representations? There's already a problem with measurement-map's authorized-by leaking from stateful-environment-map's conditions on authorizers to reference values' ability to misattribute authorization of reference values to a principal other than the CoRIM issuer. Make illegal states unrepresentable. While it may lead to code points that seem largely the same, the phase of when the data is generated is important to distinguish with a hard line. |
Seems like we need an issue detailing the concern with |
|
Okay, might I suggest that we change this issue to deprecate mkey in favor of something like $$environment-map-extensions? I'm finding it particularly difficult to model SEV-SNP attestations to account for CHIP_ID as instance of the host, and REPORT_ID as instance of the guest on the host, and REPORT_ID_MA as instance of the guest across migrations. @thomas-fossati have you thought more about Realms CCA ephemeral instance ids? |
|
It probably doesn't make sense for environment-map to be extensible by profile since you need to be able to name specific instances across profiles. But that also makes mkey difficult to account for as profile-extensible, since that is also naming the subject :-/ |
Removing Nevertheless, all three forms are extensible using $class-id-type-choice, $group-id-type-choice, or $instance-id-type-choice. But given tagged-bytes is common to all of them ( Some have positioned that |
reference-triple-record = [
reference-triple-record = [ |
The IETF corim design team, at one point, thought the multiplicity of measurement-maps wasn't desirable since it requires disambiguation in terms of which environment it belongs in. mkey could be used for that purpose, but it also could be used to provide other information such as identifying an originator of the measurement. It also seems to be a less elegant way to model parent-child relationships. Since then, the scope of environment-map was clarified to be global. But the namespace scope for mkey, if used, has some value as a locally scoped identifier (which seems to reduce the verbosity of the overall expression). |
Thank you for the info!
|
This will help to have the evidence and the reference triple records aligned per "TCG DICE Concise Evidence Binding for SPDM". Should this be opened as a separate topic? Appreciate your comments. |
|
I also agree that mkey is really part of the One significant issue will be backwards compatibility with DICE/SPDM import of manifests which include mkey. That process has moved to a new draft If we decide that we have to keep mkey then IMHO it should move to |
👍 |
|
I've dug a little into the corim repo and see an example for PSA tokens that mkey is used to distinguish the bootloader and PRoT as separately measured components. Given that the corim repo represents a value triple with an evironment and an array of measurements and the draft has no such array, there is no added benefit of mkey given the "merge" semantics, unless the idea is that should be interpreted as duplicating Now I wonder, given this example, if With this interpretation of mkey, it makes verifiers less burdensome to write. There's little reason for me to use the values map extension. I can use |
|
For PSA, we could (re)use EAT measured components, e.g.: |
|
@deeglaze would something like the above work for you if we added SVNs to EAT measured components? I.e.: |
|
SVN was an example of many things we account for in TDX and SEV-SNP quotes. I don't know why 5678 would be a valid place to replicate the mkey/mval meaning when there are already standard measurement value types. |
I'm confused what mkey is supposed to mean. Why isn't the mkey an element of the environment itself? What is a sub-environment if not just a more specific environment? It seems like it was added to help represent accepted claims and not as a way to represent a reference integrity manifest.
The ACS reusing the CoRIM CDDL seems to have had ill effects.
The text was updated successfully, but these errors were encountered: