Skip to content

docs: add proposal for new tcbmapping design#910

Open
haitaohuang wants to merge 8 commits into
intel:mainfrom
haitaohuang:tcbmap_proposal
Open

docs: add proposal for new tcbmapping design#910
haitaohuang wants to merge 8 commits into
intel:mainfrom
haitaohuang:tcbmap_proposal

Conversation

@haitaohuang

Copy link
Copy Markdown
Contributor

No description provided.

haitaohuang and others added 2 commits July 7, 2026 16:36
Co-authored-by: Copilot <[email protected]>
Signed-off-by: Haitao Huang <[email protected]>
@haitaohuang haitaohuang force-pushed the tcbmap_proposal branch 2 times, most recently from 22ee829 to f799991 Compare July 7, 2026 16:40
haitaohuang and others added 4 commits July 7, 2026 18:11
Promote the outer policy-blob signature removal from a future
consideration into the main proposal (agreed with maintainers): RTMR2
authenticates policyData content directly, so no policy-signing key is
kept. servtdTcbMapping and servtdIdentity retain their own issuer
signatures.

Also remove the Mig-NRX future-support section (out of scope) and add
an implementation note that the new design replaces the current
implementation without feature gating.

Co-authored-by: Copilot <[email protected]>
Signed-off-by: Haitao Huang <[email protected]>
Redact servtdTcbMappingIssuerChain from the RTMR2 canonical extend
alongside servtdTcbMapping. The chain is redacted only because it is
already measured into RTMR1, so measuring it again in RTMR2 would be
redundant -- not to make it hash-neutral: swapping the chain still
changes RTMR1 and therefore tdinfo_hash, and hash-neutral chain/leaf-key
rotation depends on the separate RTMR1 signer-anchor proposal. Only the
servtdTcbMapping *content* (measured nowhere) is re-issuable without
touching the hash. The TCB-mapping signer remains anchored by RTMR1
(unchanged), which measures the TCBMapping issuer cert chain.

Update the measurement diagram, RTMR2 tables, redacted-extend rationale,
alternatives table, and build flow accordingly. Also simplify the
outer-policy-signature wording and drop the redundant "No policy-signing
key" benefit bullet.

Co-authored-by: Copilot <[email protected]>
Signed-off-by: Haitao Huang <[email protected]>
…oposal

Copy the reasoning from validate_peer_cert_chain (src/crypto/src/lib.rs)
about intentionally not checking intermediate cert identity, and the
leaf-Subject uniqueness assumption, into the RTMR1 signer-anchor design
doc. The anchor excludes intermediate CAs (matching peer validation), so
intermediate-CA rotation under the same root + leaf Subject is
measurement-stable.

Added in the trust-model description, anchor formula, alignment table,
benefits, and the security trade-off note.

Co-authored-by: Copilot <[email protected]>
Signed-off-by: Haitao Huang <[email protected]>
Document the security consequence of the RTMR1 root+Subject anchor and the
revocation control that addresses it, and broaden the doc title/scope to
cover both coupled parts (anchor measurement + signer revocation).

Security considerations:
- A stolen intermediate CA can mint a same-Subject leaf that is
  measurement-indistinguishable under the anchor -- the new exposure this
  proposal introduces. A stolen leaf key reusing its existing certificate
  is invisible to measurement with or without the anchor (pre-existing).
- Mitigations: strict key protection (especially intermediate CA keys) as
  the primary control; certificate revocation as the in-guest control that
  closes both cases; and an optional notBefore policy floor as a lightweight
  complement for the common leaf-key-leak case.

Revocation -- the servTD signer CRL:
- Deliver an optional CRL via servtdCollateral.servtdCrl, authenticate it
  against the RTMR1-anchored signer CA, enforce fail-closed on the local and
  peer signer chains (the peer chain checked against the LOCAL CRL), and gate
  a monotonic servtd_crl_num floor -- reusing the existing platform
  pck_crl / root_ca_crl machinery. No trusted clock in-guest, so nextUpdate
  freshness stays service-side.

Co-authored-by: Copilot <[email protected]>
Signed-off-by: Haitao Huang <[email protected]>
haitaohuang and others added 2 commits July 12, 2026 22:12
The TCB mapping signer is now renamed as policy signer in the proposal

Signed-off-by: Haitao Huang <[email protected]>
Co-authored-by: Copilot <[email protected]>
…1 anchor proposal

- Use 'policy signer' consistently, matching the TCB-mapping proposal (the
  RTMR1-anchored signer signs servtdTcbMapping; no separate TCB-mapping signer).
- Trim the mitigations recommendation and drop the 'cRLSign KeyUsage' and
  'per-issuer CRLs' open-question bullets: marginal value under the shared-root
  trust model, and the existing CRL machinery checks cA=TRUE only.
- Minor wording/punctuation fixes.

Signed-off-by: Haitao Huang <[email protected]>
Co-authored-by: Copilot <[email protected]>
Copilot-Session: 0e3356e2-6b75-4348-bb8d-95c05491ef8b
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Proposing a new TCBMapping design with one hash endorsement

1 participant