Library to communicate with the SVSM and attest the VTPM from the guest

[ShannonSD]

Is there currently an interface for a guest to communicate with the SVSM to request a VMPL0 attestation report that attests and binds the vTPM to the guest (perhaps by inclduing the vTPM's EK and SK)?

[cclaudio]

Hi @ShannonSD

Yes, I believe you are looking for the Attestation protocol defined in the SVSM specification (chapter 7). I implemented this protocol some time ago, I can rebase it to latest and submit.

The SVSM spec, section 8.3.3, defines that the vTPM EK is returned to the SVSM_ATTEST_SINGLE_SERVICE caller, but not the vTPM SK.

The Linux patch series below will be required, specially the patch 14. Currently, it is under review.
https://lore.kernel.org/lkml/9a4c4a16d00834c1b7ff458e25c185ac1c9bcf79.1713974291.git.thomas.lendacky@amd.com/

Claudio

[cclaudio]

The Linux patch series below will be required, specially the patch 14. Currently, it is under review.
https://lore.kernel.org/lkml/9a4c4a16d00834c1b7ff458e25c185ac1c9bcf79.1713974291.git.thomas.lendacky@amd.com/

Sorry, I wanted to share with you a link to our COCONUT/linux repository, but I ended picking up the upstream.
coconut-svsm/linux@84357db

[deeglaze]

This issue is stale. Okay to close?

[IT302]

Hi @cclaudio

I am interested in using TSM to obtain the vTPM's EK. Would it possible to rebase what you have implemented and commit?

Geoffrey

[cclaudio]

Hi @IT302
I will try to do that for next week

[Isaac-Matthews]

Hi @cclaudio is there an update on this?
Thanks