docs: add proposal for new tcbmapping design#910
Open
haitaohuang wants to merge 8 commits into
Open
Conversation
Co-authored-by: Copilot <[email protected]> Signed-off-by: Haitao Huang <[email protected]>
Co-authored-by: Copilot <[email protected]> Signed-off-by: Haitao Huang <[email protected]>
22ee829 to
f799991
Compare
Promote the outer policy-blob signature removal from a future consideration into the main proposal (agreed with maintainers): RTMR2 authenticates policyData content directly, so no policy-signing key is kept. servtdTcbMapping and servtdIdentity retain their own issuer signatures. Also remove the Mig-NRX future-support section (out of scope) and add an implementation note that the new design replaces the current implementation without feature gating. Co-authored-by: Copilot <[email protected]> Signed-off-by: Haitao Huang <[email protected]>
Redact servtdTcbMappingIssuerChain from the RTMR2 canonical extend alongside servtdTcbMapping. The chain is redacted only because it is already measured into RTMR1, so measuring it again in RTMR2 would be redundant -- not to make it hash-neutral: swapping the chain still changes RTMR1 and therefore tdinfo_hash, and hash-neutral chain/leaf-key rotation depends on the separate RTMR1 signer-anchor proposal. Only the servtdTcbMapping *content* (measured nowhere) is re-issuable without touching the hash. The TCB-mapping signer remains anchored by RTMR1 (unchanged), which measures the TCBMapping issuer cert chain. Update the measurement diagram, RTMR2 tables, redacted-extend rationale, alternatives table, and build flow accordingly. Also simplify the outer-policy-signature wording and drop the redundant "No policy-signing key" benefit bullet. Co-authored-by: Copilot <[email protected]> Signed-off-by: Haitao Huang <[email protected]>
…oposal Copy the reasoning from validate_peer_cert_chain (src/crypto/src/lib.rs) about intentionally not checking intermediate cert identity, and the leaf-Subject uniqueness assumption, into the RTMR1 signer-anchor design doc. The anchor excludes intermediate CAs (matching peer validation), so intermediate-CA rotation under the same root + leaf Subject is measurement-stable. Added in the trust-model description, anchor formula, alignment table, benefits, and the security trade-off note. Co-authored-by: Copilot <[email protected]> Signed-off-by: Haitao Huang <[email protected]>
Document the security consequence of the RTMR1 root+Subject anchor and the revocation control that addresses it, and broaden the doc title/scope to cover both coupled parts (anchor measurement + signer revocation). Security considerations: - A stolen intermediate CA can mint a same-Subject leaf that is measurement-indistinguishable under the anchor -- the new exposure this proposal introduces. A stolen leaf key reusing its existing certificate is invisible to measurement with or without the anchor (pre-existing). - Mitigations: strict key protection (especially intermediate CA keys) as the primary control; certificate revocation as the in-guest control that closes both cases; and an optional notBefore policy floor as a lightweight complement for the common leaf-key-leak case. Revocation -- the servTD signer CRL: - Deliver an optional CRL via servtdCollateral.servtdCrl, authenticate it against the RTMR1-anchored signer CA, enforce fail-closed on the local and peer signer chains (the peer chain checked against the LOCAL CRL), and gate a monotonic servtd_crl_num floor -- reusing the existing platform pck_crl / root_ca_crl machinery. No trusted clock in-guest, so nextUpdate freshness stays service-side. Co-authored-by: Copilot <[email protected]> Signed-off-by: Haitao Huang <[email protected]>
f799991 to
a94d5f7
Compare
The TCB mapping signer is now renamed as policy signer in the proposal Signed-off-by: Haitao Huang <[email protected]> Co-authored-by: Copilot <[email protected]>
…1 anchor proposal - Use 'policy signer' consistently, matching the TCB-mapping proposal (the RTMR1-anchored signer signs servtdTcbMapping; no separate TCB-mapping signer). - Trim the mitigations recommendation and drop the 'cRLSign KeyUsage' and 'per-issuer CRLs' open-question bullets: marginal value under the shared-root trust model, and the existing CRL machinery checks cA=TRUE only. - Minor wording/punctuation fixes. Signed-off-by: Haitao Huang <[email protected]> Co-authored-by: Copilot <[email protected]> Copilot-Session: 0e3356e2-6b75-4348-bb8d-95c05491ef8b
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.