| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 9 Dec 2020 21:25:29 -0600
From: Brijesh Singh <brijesh.singh@....com>
To: Ard Biesheuvel <ardb@...nel.org>
Cc: brijesh.singh@....com, kvm@...r.kernel.org,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Linux Doc Mailing List <linux-doc@...r.kernel.org>,
James Bottomley <jejb@...ux.ibm.com>,
Tom Lendacky <Thomas.Lendacky@....com>,
David Rientjes <rientjes@...gle.com>,
Paolo Bonzini <pbonzini@...hat.com>,
Sean Christopherson <seanjc@...gle.com>,
Borislav Petkov <bp@...en8.de>,
John Allen <john.allen@....com>,
Herbert Xu <herbert@...dor.apana.org.au>,
Linux Crypto Mailing List <linux-crypto@...r.kernel.org>
Subject: Re: [PATCH] KVM/SVM: add support for SEV attestation command
On 12/9/20 1:51 AM, Ard Biesheuvel wrote:
> On Fri, 4 Dec 2020 at 22:30, Brijesh Singh <brijesh.singh@....com> wrote:
>> The SEV FW version >= 0.23 added a new command that can be used to query
>> the attestation report containing the SHA-256 digest of the guest memory
>> encrypted through the KVM_SEV_LAUNCH_UPDATE_{DATA, VMSA} commands and
>> sign the report with the Platform Endorsement Key (PEK).
>>
>> See the SEV FW API spec section 6.8 for more details.
>>
>> Note there already exist a command (KVM_SEV_LAUNCH_MEASURE) that can be
>> used to get the SHA-256 digest. The main difference between the
>> KVM_SEV_LAUNCH_MEASURE and KVM_SEV_ATTESTATION_REPORT is that the later
> latter
>
>> can be called while the guest is running and the measurement value is
>> signed with PEK.
>>
>> Cc: James Bottomley <jejb@...ux.ibm.com>
>> Cc: Tom Lendacky <Thomas.Lendacky@....com>
>> Cc: David Rientjes <rientjes@...gle.com>
>> Cc: Paolo Bonzini <pbonzini@...hat.com>
>> Cc: Sean Christopherson <seanjc@...gle.com>
>> Cc: Borislav Petkov <bp@...en8.de>
>> Cc: John Allen <john.allen@....com>
>> Cc: Herbert Xu <herbert@...dor.apana.org.au>
>> Cc: linux-crypto@...r.kernel.org
>> Signed-off-by: Brijesh Singh <brijesh.singh@....com>
>> ---
>> .../virt/kvm/amd-memory-encryption.rst | 21 ++++++
>> arch/x86/kvm/svm/sev.c | 71 +++++++++++++++++++
>> drivers/crypto/ccp/sev-dev.c | 1 +
>> include/linux/psp-sev.h | 17 +++++
>> include/uapi/linux/kvm.h | 8 +++
>> 5 files changed, 118 insertions(+)
>>
>> diff --git a/Documentation/virt/kvm/amd-memory-encryption.rst b/Documentation/virt/kvm/amd-memory-encryption.rst
>> index 09a8f2a34e39..4c6685d0fddd 100644
>> --- a/Documentation/virt/kvm/amd-memory-encryption.rst
>> +++ b/Documentation/virt/kvm/amd-memory-encryption.rst
>> @@ -263,6 +263,27 @@ Returns: 0 on success, -negative on error
>> __u32 trans_len;
>> };
>>
>> +10. KVM_SEV_GET_ATTESATION_REPORT
> KVM_SEV_GET_ATTESTATION_REPORT
>
>> +---------------------------------
>> +
>> +The KVM_SEV_GET_ATTESATION_REPORT command can be used by the hypervisor to query the attestation
> KVM_SEV_GET_ATTESTATION_REPORT
Noted, I will send v2 with these fixed.
Powered by blists - more mailing lists