Re: [PATCH 0/4] tsm: Unified Measurement Register ABI for TVMs
From: Dan Williams
Date: Wed Feb 19 2025 - 18:03:18 EST

James Bottomley wrote:
[..]
> What I still don't get is this. The difference between RTMRs and the
> subset of TPM functionality that also provides it is non-existent.
> It's like a distinction without a difference. If the SVSM authors had
> written for a pure RTMR implementation (just using a CRB API) would that
> have made a difference?

That is an interesting hypothetical, "would things be different if the
authors, that were forced by SEV-SNP architectural necessity to push
runtime measurement functionality into an SVSM layer exclusively, had
considered that some architectures would include runtime measurement
functionality in the CVM technology directly?". I do not think it helps
because that presupposes that vTPM for these other architectures already
exists.

When I look at the proposed solutions for TDX-vTPM based on service VMs
and other complications brought on by architectural differences between
TDX and SEV-SNP, and compare that to a potential vTPM that wraps RTMR I
see a net reduction in complexity. In other words, a path to a
cross-architecture RTMR-backed vTPM without requiring SVSM and
approximation of the VMPL mechanism. It follows that userspace, not the
kernel, needs to wrap architectural RTMR differences to build that vTPM.
So to me the question is less "RTMR vs TPM" and more about vTPM
implementation choice where RTMR-backed and SVSM-based vTPM solutions
are not mutually exclusive.

For the kernel this means leaking architecture specific RTMR details into
its ABI and punting the vTPM interface problem to userspace. It also
means that software, in some cases, could forgo vTPM and use raw RTMR.
However, I do not think that ultimately fragments the ecosystem. TPM
momentum and portability concerns limit how far raw RTMR usage will
extend, but in the meantime use cases that "don't want to have to
depend on the vTPM", like the one Dionna mentioned, are enabled.

If those use cases ultimately melt away and transition to vTPM (whether
RTMR backed or SVSM backed), great. If those use cases persist then that
is also a useful system evolution signal from the ecosystem.