lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <c2f7bb1d-cf3c-2373-c563-a1e72ff7b83a@gmail.com>
Date:   Fri, 23 Sep 2016 21:33:00 +1200
From:   Kai Huang <kaih.linux@...il.com>
To:     Borislav Petkov <bp@...e.de>, Paolo Bonzini <pbonzini@...hat.com>
Cc:     Tom Lendacky <thomas.lendacky@....com>,
        Brijesh Singh <brijesh.singh@....com>,
        simon.guinot@...uanux.org, linux-efi@...r.kernel.org,
        kvm@...r.kernel.org, rkrcmar@...hat.com, matt@...eblueprint.co.uk,
        linus.walleij@...aro.org, linux-mm@...ck.org,
        paul.gortmaker@...driver.com, hpa@...or.com,
        dan.j.williams@...el.com, aarcange@...hat.com,
        sfr@...b.auug.org.au, andriy.shevchenko@...ux.intel.com,
        herbert@...dor.apana.org.au, bhe@...hat.com, xemul@...allels.com,
        joro@...tes.org, x86@...nel.org, mingo@...hat.com,
        msalter@...hat.com, ross.zwisler@...ux.intel.com,
        dyoung@...hat.com, jroedel@...e.de, keescook@...omium.org,
        toshi.kani@....com, mathieu.desnoyers@...icios.com,
        devel@...uxdriverproject.org, tglx@...utronix.de,
        mchehab@...nel.org, iamjoonsoo.kim@....com,
        labbott@...oraproject.org, tony.luck@...el.com,
        alexandre.bounine@....com, kuleshovmail@...il.com,
        linux-kernel@...r.kernel.org, mcgrof@...nel.org,
        linux-crypto@...r.kernel.org, akpm@...ux-foundation.org,
        davem@...emloft.net
Subject: Re: [RFC PATCH v1 09/28] x86/efi: Access EFI data as encrypted when
 SEV is active



On 23/09/16 06:37, Borislav Petkov wrote:
> On Thu, Sep 22, 2016 at 08:23:36PM +0200, Paolo Bonzini wrote:
>> Unless this is part of some spec, it's easier if things are the same in
>> SME and SEV.
> Yeah, I was pondering over how sprinkling sev_active checks might not be
> so clean.
>
> I'm wondering if we could make the EFI regions presented to the guest
> unencrypted too, as part of some SEV-specific init routine so that the
> guest kernel doesn't need to do anything different.
How is this even possible? The spec clearly says under SEV only in long 
mode or PAE mode guest can control whether memory is encrypted via 
c-bit, and in other modes guest will be always in encrypted mode. Guest 
EFI is also virtual, so are you suggesting EFI code (or code which loads 
EFI) should also be modified to load EFI as unencrypted? Looks it's not 
even possible to happen.

Thanks,
-Kai
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ