Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler

[PATCH v6 00/42] Add AMD Secure Nested Paging (SEV-SNP) Guest Support · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 01/42] x86/mm: Extend cc_attr to include AMD SEV-SNP · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 02/42] x86/sev: Shorten GHCB terminate macro names · Brijesh Singh <hidden> · 2021-10-08
Re: [PATCH v6 02/42] x86/sev: Shorten GHCB terminate macro names · Borislav Petkov <bp@alien8.de> · 2021-10-11
[PATCH v6 03/42] x86/sev: Get rid of excessive use of defines · Brijesh Singh <hidden> · 2021-10-08
Re: [PATCH v6 03/42] x86/sev: Get rid of excessive use of defines · Borislav Petkov <bp@alien8.de> · 2021-10-11
[PATCH v6 05/42] x86/sev: Define the Linux specific guest termination reasons · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 06/42] x86/sev: Save the negotiated GHCB version · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 04/42] x86/head64: Carve out the guest encryption postprocessing into a helper · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Brijesh Singh <hidden> · 2021-10-08
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Borislav Petkov <bp@alien8.de> · 2021-10-18
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Michael Roth <hidden> · 2021-10-18
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Borislav Petkov <bp@alien8.de> · 2021-10-18
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Michael Roth <hidden> · 2021-10-20
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Borislav Petkov <bp@alien8.de> · 2021-10-20
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Michael Roth <hidden> · 2021-10-21
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Borislav Petkov <bp@alien8.de> · 2021-10-21
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Borislav Petkov <bp@alien8.de> · 2021-10-20
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Michael Roth <hidden> · 2021-10-21
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Borislav Petkov <bp@alien8.de> · 2021-10-21
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Michael Roth <hidden> · 2021-10-21
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Borislav Petkov <bp@alien8.de> · 2021-10-21
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Dr. David Alan Gilbert <hidden> · 2021-10-21
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Borislav Petkov <bp@alien8.de> · 2021-10-21
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Dr. David Alan Gilbert <hidden> · 2021-10-21
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Borislav Petkov <bp@alien8.de> · 2021-10-21
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Dr. David Alan Gilbert <hidden> · 2021-10-21
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Borislav Petkov <bp@alien8.de> · 2021-10-21
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Michael Roth <hidden> · 2021-10-21
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Borislav Petkov <bp@alien8.de> · 2021-10-21
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Michael Roth <hidden> · 2021-10-21
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Borislav Petkov <bp@alien8.de> · 2021-10-25
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Michael Roth <hidden> · 2021-10-25
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Borislav Petkov <bp@alien8.de> · 2021-10-27
Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler · Michael Roth <hidden> · 2021-10-27
[PATCH v6 07/42] x86/sev: Add support for hypervisor feature VMGEXIT · Brijesh Singh <hidden> · 2021-10-08
Re: [PATCH v6 07/42] x86/sev: Add support for hypervisor feature VMGEXIT · Borislav Petkov <bp@alien8.de> · 2021-10-13
[PATCH v6 09/42] x86/sev: Check SEV-SNP features support · Brijesh Singh <hidden> · 2021-10-08
Re: [PATCH v6 09/42] x86/sev: Check SEV-SNP features support · Borislav Petkov <bp@alien8.de> · 2021-10-19
[PATCH v6 10/42] x86/sev: Add a helper for the PVALIDATE instruction · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 12/42] x86/compressed: Add helper for validating pages in the decompression stage · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 13/42] x86/compressed: Register GHCB memory when SEV-SNP is active · Brijesh Singh <hidden> · 2021-10-08
Re: [PATCH v6 13/42] x86/compressed: Register GHCB memory when SEV-SNP is active · Borislav Petkov <bp@alien8.de> · 2021-11-02
[PATCH v6 11/42] x86/sev: Check the vmpl level · Brijesh Singh <hidden> · 2021-10-08
Re: [PATCH v6 11/42] x86/sev: Check the vmpl level · Borislav Petkov <bp@alien8.de> · 2021-10-28
[PATCH v6 17/42] x86/kernel: Make the bss.decrypted section shared in RMP table · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 20/42] KVM: SVM: Define sev_features and vmpl field in the VMSA · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 18/42] x86/kernel: Validate rom memory before accessing when SEV-SNP is active · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 19/42] x86/mm: Add support to validate memory when changing C-bit · Brijesh Singh <hidden> · 2021-10-08
Re: [PATCH v6 19/42] x86/mm: Add support to validate memory when changing C-bit · Borislav Petkov <bp@alien8.de> · 2021-11-09
Re: [PATCH v6 19/42] x86/mm: Add support to validate memory when changing C-bit · Brijesh Singh <hidden> · 2021-11-10
Re: [PATCH v6 19/42] x86/mm: Add support to validate memory when changing C-bit · Borislav Petkov <bp@alien8.de> · 2021-11-10
Re: [PATCH v6 19/42] x86/mm: Add support to validate memory when changing C-bit · Tom Lendacky <thomas.lendacky@amd.com> · 2021-11-11
Re: [PATCH v6 19/42] x86/mm: Add support to validate memory when changing C-bit · Borislav Petkov <bp@alien8.de> · 2021-11-11
[PATCH v6 14/42] x86/sev: Register GHCB memory when SEV-SNP is active · Brijesh Singh <hidden> · 2021-10-08
Re: [PATCH v6 14/42] x86/sev: Register GHCB memory when SEV-SNP is active · Borislav Petkov <bp@alien8.de> · 2021-11-02
Re: [PATCH v6 14/42] x86/sev: Register GHCB memory when SEV-SNP is active · Brijesh Singh <hidden> · 2021-11-02
Re: [PATCH v6 14/42] x86/sev: Register GHCB memory when SEV-SNP is active · Borislav Petkov <bp@alien8.de> · 2021-11-02
Re: [PATCH v6 14/42] x86/sev: Register GHCB memory when SEV-SNP is active · Brijesh Singh <hidden> · 2021-11-03
Re: [PATCH v6 14/42] x86/sev: Register GHCB memory when SEV-SNP is active · Borislav Petkov <bp@alien8.de> · 2021-11-04
Re: [PATCH v6 14/42] x86/sev: Register GHCB memory when SEV-SNP is active · Brijesh Singh <hidden> · 2021-11-04
Re: [PATCH v6 14/42] x86/sev: Register GHCB memory when SEV-SNP is active · Boris Petkov <bp@alien8.de> · 2021-11-04
[PATCH v6 15/42] x86/sev: Remove do_early_exception() forward declarations · Brijesh Singh <hidden> · 2021-10-08
Re: [PATCH v6 15/42] x86/sev: Remove do_early_exception() forward declarations · Borislav Petkov <bp@alien8.de> · 2021-11-02
[PATCH v6 21/42] KVM: SVM: Create a separate mapping for the SEV-ES save area · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 22/42] KVM: SVM: Create a separate mapping for the GHCB save area · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 23/42] KVM: SVM: Update the SEV-ES save area mapping · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 24/42] x86/sev: Use SEV-SNP AP creation to start secondary CPUs · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 25/42] x86/head: re-enable stack protection for 32/64-bit builds · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 28/42] x86/compressed/acpi: move EFI system table lookup to helper · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 16/42] x86/sev: Add helper for validating pages in early enc attribute changes · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 26/42] x86/sev: move MSR-based VMGEXITs for CPUID to helper · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 27/42] KVM: x86: move lookup of indexed CPUID leafs to helper · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 30/42] x86/compressed/acpi: move EFI vendor table lookup to helper · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 29/42] x86/compressed/acpi: move EFI config table lookup to helper · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 31/42] x86/boot: Add Confidential Computing type to setup_data · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 41/42] virt: sevguest: Add support to derive key · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 39/42] x86/sev: Register SNP guest request platform device · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 38/42] x86/sev: Provide support for SNP guest request NAEs · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 40/42] virt: Add SEV-SNP guest driver · Brijesh Singh <hidden> · 2021-10-08
Re: [PATCH v6 40/42] virt: Add SEV-SNP guest driver · Dov Murik <hidden> · 2021-10-10
Re: [PATCH v6 40/42] virt: Add SEV-SNP guest driver · Brijesh Singh <hidden> · 2021-10-13
Re: [PATCH v6 40/42] virt: Add SEV-SNP guest driver · Peter Gonda <hidden> · 2021-10-20
Re: [PATCH v6 40/42] virt: Add SEV-SNP guest driver · Brijesh Singh <hidden> · 2021-10-27
Re: [PATCH v6 40/42] virt: Add SEV-SNP guest driver · Peter Gonda <hidden> · 2021-10-27
Re: [PATCH v6 40/42] virt: Add SEV-SNP guest driver · Brijesh Singh <hidden> · 2021-10-27
Re: [PATCH v6 40/42] virt: Add SEV-SNP guest driver · Peter Gonda <hidden> · 2021-10-27
Re: [PATCH v6 40/42] virt: Add SEV-SNP guest driver · Brijesh Singh <hidden> · 2021-10-27
Re: [PATCH v6 40/42] virt: Add SEV-SNP guest driver · Peter Gonda <hidden> · 2021-10-27
[PATCH v6 36/42] x86/compressed/64: add identity mapping for Confidential Computing blob · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 37/42] x86/sev: use firmware-validated CPUID for SEV-SNP guests · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 42/42] virt: sevguest: Add support to get extended report · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 35/42] x86/compressed/64: store Confidential Computing blob address in bootparams · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 32/42] x86/compressed/64: add support for SEV-SNP CPUID table in #VC handlers · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 33/42] boot/compressed/64: use firmware-validated CPUID for SEV-SNP guests · Brijesh Singh <hidden> · 2021-10-08
[PATCH v6 34/42] x86/boot: add a pointer to Confidential Computing blob in bootparams · Brijesh Singh <hidden> · 2021-10-08

From: Borislav Petkov <bp@alien8.de>
Date: 2021-10-20 18:08:42
Also in: kvm, linux-efi, linux-mm, lkml, platform-driver-x86

On Wed, Oct 20, 2021 at 11:10:23AM -0500, Michael Roth wrote:

quoted

1. Code checks SME/SEV support leaf. HV lies and says there's none. So
guest doesn't boot encrypted. Oh well, not a big deal, the cloud vendor
won't be able to give confidentiality to its users => users go away or
do unencrypted like now.

Problem is solved by political and economical pressure.

2. Check SEV and SME bit. HV lies here. Oh well, same as the above.

I'd be worried about the possibility that, through some additional exploits
or failures in the attestation flow,

Well, that puts forward an important question: how do you verify
*reliably* that this is an SNP guest?

- attestation?

- CPUID?

- anything else?

I don't see this written down anywhere. Because this assumption will
guide the design in the kernel.

a guest owner was tricked into booting unencrypted on a compromised
host and exposing their secrets. Their attestation process might even
do some additional CPUID sanity checks, which would at the point
be via the SNP CPUID table and look legitimate, unaware that the
kernel didn't actually use the SNP CPUID table until after 0x8000001F
was parsed (if we were to only initialize it after/as-part-of
sme_enable()).

So what happens with that guest owner later?

How is she to notice that she booted unencrypted?

Fortunately in this scenario I think the guest kernel actually would fail to
boot due to the SNP hardware unconditionally treating code/page tables as
encrypted pages. I tested some of these scenarios just to check, but not
all, and I still don't feel confident enough about it to say that there's
not some way to exploit this by someone who is more clever/persistant than
me.

All this design needs to be preceded with: "We protect against cases A,
B and C and not against D, E, etc."

So that it is clear to all parties involved what we're working with and
what we're protecting against and what we're *not* protecting against.

End of mail 2, more later.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help