lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 31 Aug 2021 16:11:39 -0500
From:   Brijesh Singh <brijesh.singh@....com>
To:     Dov Murik <dovmurik@...ux.ibm.com>, x86@...nel.org,
        linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
        linux-efi@...r.kernel.org, platform-driver-x86@...r.kernel.org,
        linux-coco@...ts.linux.dev, linux-mm@...ck.org
Cc:     brijesh.singh@....com, Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Joerg Roedel <jroedel@...e.de>,
        Tom Lendacky <thomas.lendacky@....com>,
        "H. Peter Anvin" <hpa@...or.com>, Ard Biesheuvel <ardb@...nel.org>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Sean Christopherson <seanjc@...gle.com>,
        Vitaly Kuznetsov <vkuznets@...hat.com>,
        Wanpeng Li <wanpengli@...cent.com>,
        Jim Mattson <jmattson@...gle.com>,
        Andy Lutomirski <luto@...nel.org>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Sergio Lopez <slp@...hat.com>, Peter Gonda <pgonda@...gle.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Srinivas Pandruvada <srinivas.pandruvada@...ux.intel.com>,
        David Rientjes <rientjes@...gle.com>,
        Tobin Feldman-Fitzthum <tobin@....com>,
        Borislav Petkov <bp@...en8.de>,
        Michael Roth <michael.roth@....com>,
        Vlastimil Babka <vbabka@...e.cz>,
        "Kirill A . Shutemov" <kirill@...temov.name>,
        Andi Kleen <ak@...ux.intel.com>, tony.luck@...el.com,
        marcorr@...gle.com, sathyanarayanan.kuppuswamy@...ux.intel.com
Subject: Re: [PATCH Part1 v5 38/38] virt: sevguest: Add support to get
 extended report



On 8/31/21 3:22 PM, Dov Murik wrote:
> Hi Brijesh,
> 
> On 20/08/2021 18:19, Brijesh Singh wrote:
>> Version 2 of GHCB specification defines NAE to get the extended guest
>> request. It is similar to the SNP_GET_REPORT ioctl. The main difference
>> is related to the additional data that be returned. The additional
>> data returned is a certificate blob that can be used by the SNP guest
>> user.
> 
> It seems like the SNP_GET_EXT_REPORT ioctl does everything that the
> SNP_GET_REPORT ioctl does, and more.  Why expose SNP_GET_REPORT to
> userspace at all?
> 
> 

Since both of these options are provided by the GHCB protocol so I 
exposed it. Its possible that some applications may not care about the 
extended certificate blob. And in those case, if the hypervisor is 
programmed with the extended certificate blob and caller does not supply 
the enough number of pages to copy the blob then command should fail. 
This will enforce a new requirement on that guest application to 
allocate an extra memory. e.g:

1. Hypervisor is programmed with a system wide certificate blob using 
the SNP_SET_EXT_CONFIG ioctl().

2. Guest wants to get the report but does not care about the certificate 
blob.

3. Guest issues a extended guest report with the npages = 0. The command 
will fail with invalid length and number of pages will be returned in 
the response.

4. Guest will not need to allocate memory to hold the certificate and 
reissue the command.

The #4 is unnecessary for a guest which does not want to get. In this 
case, a guest can simply call the attestation report without asking for 
certificate blob. Please see the GHCB spec for more details.

thanks

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ