coconut-svsm / svsm

COCONUT-SVSM
MIT License

Does the VTPM Generate an Endorsement Key? #437

Open IT302 opened 3 months ago

IT302 commented 3 months ago

I'm currently exploring using the vTPM for attestation and have a question regarding the endorsement key. Does the current vTPM implementation generate an endorsement key at startup? If it does, where is it stored?

Any guidance on this matter would be greatly appreciated.

Geoffrey

stefano-garzarella commented 3 months ago

@IT302 The current implementation re-manufactures the vTPM at every boot, so for now the vTPM is ephemeral and its EK changes with each boot. The EK is in SVSM's memory, but as soon as the CVM is turned off, all vTPM state goes away. (cc @cclaudio for more details).

We are working on supporting saving the state, but this requires an early attestation in SVSM. See #421

IT302 commented 3 months ago

Thanks @stefano-garzarella for your help.

For my initial use case, a persistent vTPM is not required. However, I do need an SNP attestation report at VMPL0, as well as another report that covers the EKpub generated at boot time.

jianlinjiang commented 2 months ago

> @IT302 The current implementation re-manufactures the vTPM at every boot, so for now the vTPM is ephemeral and its EK changes with each boot. The EK is in SVSM's memory, but as soon as the CVM is turned off, all vTPM state goes away. (cc @cclaudio for more details).
>
> We are working on supporting saving the state, but this requires an early attestation in SVSM. See #421

Hi @stefano-garzarella, I wonder where the EKpub is stored (the exact TPM object context). I also need a VMPL0 attestation report with Sha512(EKpub) in the report data.
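The binding asked for in the two comments above (a VMPL0 SNP report whose REPORT_DATA carries SHA-512 of the EK public area) can be checked offline on the verifier side. The following is an added example, not code from COCONUT-SVSM or from the commenters: it builds a constructed, unsigned ATTESTATION_REPORT with the VMPL and REPORT_DATA fields at the offsets given in the AMD SEV-SNP ABI specification (0x30 and 0x50), and checks that the report was requested at VMPL0 and that its REPORT_DATA equals SHA-512 over the EK public bytes. The `ek_pub` bytes are constructed placeholders; the convention that the hash is taken over the marshalled TPM2B_PUBLIC as returned by TPM2_ReadPublic is an assumption, since the thread does not fix one. Signature verification of the report against the VCEK is out of scope here.

```python
import hashlib
import hmac
import struct

# Offsets into the SEV-SNP ATTESTATION_REPORT structure (AMD SEV-SNP ABI spec).
REPORT_LEN = 0x4A0        # total size, including the trailing signature
OFF_VERSION = 0x00        # u32
OFF_VMPL = 0x30           # u32, VMPL at which the guest requested the report
OFF_REPORT_DATA = 0x50    # 64 bytes of guest-supplied data
OFF_MEASUREMENT = 0x90    # 48-byte launch measurement


def ek_report_data(ek_pub: bytes) -> bytes:
    """REPORT_DATA value binding the vTPM EK to the SNP report: SHA-512(EKpub).

    Assumption: ek_pub is the marshalled TPM2B_PUBLIC of the EK (the thread
    does not fix the exact encoding; SHA-512 is 64 bytes, which is exactly
    the size of REPORT_DATA, so no truncation or padding is needed).
    """
    return hashlib.sha512(ek_pub).digest()


def build_report(vmpl: int, report_data: bytes, measurement: bytes = b"\x00" * 48) -> bytes:
    """Constructed, unsigned report used for illustration; not from hardware."""
    if len(report_data) != 64 or len(measurement) != 48:
        raise ValueError("REPORT_DATA must be 64 bytes and MEASUREMENT 48 bytes")
    buf = bytearray(REPORT_LEN)
    struct.pack_into("<I", buf, OFF_VERSION, 2)
    struct.pack_into("<I", buf, OFF_VMPL, vmpl)
    buf[OFF_REPORT_DATA:OFF_REPORT_DATA + 64] = report_data
    buf[OFF_MEASUREMENT:OFF_MEASUREMENT + 48] = measurement
    return bytes(buf)


def parse_report(report: bytes) -> dict:
    """Pull out the fields a verifier needs for the EK binding check."""
    if len(report) != REPORT_LEN:
        raise ValueError("unexpected ATTESTATION_REPORT length")
    (version,) = struct.unpack_from("<I", report, OFF_VERSION)
    (vmpl,) = struct.unpack_from("<I", report, OFF_VMPL)
    return {
        "version": version,
        "vmpl": vmpl,
        "report_data": report[OFF_REPORT_DATA:OFF_REPORT_DATA + 64],
        "measurement": report[OFF_MEASUREMENT:OFF_MEASUREMENT + 48],
    }


def ek_is_bound(report: bytes, ek_pub: bytes, required_vmpl: int = 0) -> bool:
    """True iff the report was requested at `required_vmpl` (0 == SVSM) and its
    REPORT_DATA is SHA-512 of the presented EK public area."""
    fields = parse_report(report)
    if fields["vmpl"] != required_vmpl:
        return False
    # Constant-time compare: REPORT_DATA is attacker-influenced input.
    return hmac.compare_digest(fields["report_data"], ek_report_data(ek_pub))


if __name__ == "__main__":
    # Constructed EK public bytes (not a real TPM2B_PUBLIC).
    ek_pub = b"\x01\x16" + b"\x00\x01\x00\x0b" + b"\x42" * 256
    report = build_report(vmpl=0, report_data=ek_report_data(ek_pub))
    print("bound at VMPL0:", ek_is_bound(report, ek_pub))
```

The VMPL check matters because a report requested by a guest at VMPL2 can carry any 64 bytes the guest chooses; only a VMPL0 report says that the SVSM itself, which owns the vTPM state, vouched for that EK. The hash match also only proves that the SVSM put that EK in the report, not that the vTPM holds the private half, which is what the later credential-activation step (or an EK certificate) would add.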

jianlinjiang commented 2 months ago

In the function TPM_Manufacture of ms-tpm-20-ref, it seems the function doesn't create a primary key for the vTPM.

cclaudio commented 1 month ago

Hi @IT302

You might be interested in the TCG Credential Profile EK 2.0; it explains the EK NV indices and also the templates.

The Endorsement Primary Seed (EPS) is set in the TPM manufacture procedure. If the EPS is not changed, the same EK can be regenerated multiple times. So, the EK can be created at any time later in boot as needed, choosing the template (e.g. RSA, ECC_256, etc.) that best fits the purpose of the confidential VM.

Soon, when the AMD Attestation Protocol is implemented, the SVSM will need to cache an EK object so that it can be returned as evidence of the EPS that is set in the vTPM.

IT302 commented 1 month ago

Thanks @cclaudio for the pointer. Relying on EPS is elegant, and the SVSM can start off by supporting RSA 2048-bit and ECC NISTP-256-bit keys. Everything should work as long as users do not run TPM2_ChangeEPS.

I am working on a PoC that adds EK creation and caching to coconut-svsm. I am collaborating with folks active in Keylime and should have something to share in the next couple of weeks.

stefano-garzarella commented 1 month ago

@IT302 if it could be interesting for you, @osteffenrh and I are working on a persistent state support for SVSM to unlock persistent vTPM. We'll talk about it next week at LPC and KVM Forum. We are also preparing a PoC here: https://github.com/stefano-garzarella/snp-svsm-vtpm

IT302 commented 1 month ago

@stefano-garzarella Yes, I am very much interested in the persistent vTPM work and will be at the KVM Forum next week. Looking forward to your talk.