| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 20 Oct 2021 20:08:39 +0200
From: Borislav Petkov <bp@...en8.de>
To: Michael Roth <michael.roth@....com>
Cc: Brijesh Singh <brijesh.singh@....com>, x86@...nel.org,
linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
linux-efi@...r.kernel.org, platform-driver-x86@...r.kernel.org,
linux-coco@...ts.linux.dev, linux-mm@...ck.org,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Joerg Roedel <jroedel@...e.de>,
Tom Lendacky <thomas.lendacky@....com>,
"H. Peter Anvin" <hpa@...or.com>, Ard Biesheuvel <ardb@...nel.org>,
Paolo Bonzini <pbonzini@...hat.com>,
Sean Christopherson <seanjc@...gle.com>,
Vitaly Kuznetsov <vkuznets@...hat.com>,
Jim Mattson <jmattson@...gle.com>,
Andy Lutomirski <luto@...nel.org>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Sergio Lopez <slp@...hat.com>, Peter Gonda <pgonda@...gle.com>,
Peter Zijlstra <peterz@...radead.org>,
Srinivas Pandruvada <srinivas.pandruvada@...ux.intel.com>,
David Rientjes <rientjes@...gle.com>,
Dov Murik <dovmurik@...ux.ibm.com>,
Tobin Feldman-Fitzthum <tobin@....com>,
Vlastimil Babka <vbabka@...e.cz>,
"Kirill A . Shutemov" <kirill@...temov.name>,
Andi Kleen <ak@...ux.intel.com>,
"Dr . David Alan Gilbert" <dgilbert@...hat.com>,
tony.luck@...el.com, marcorr@...gle.com,
sathyanarayanan.kuppuswamy@...ux.intel.com
Subject: Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features
within #VC handler
On Wed, Oct 20, 2021 at 11:10:23AM -0500, Michael Roth wrote:
> > 1. Code checks SME/SEV support leaf. HV lies and says there's none. So
> > guest doesn't boot encrypted. Oh well, not a big deal, the cloud vendor
> > won't be able to give confidentiality to its users => users go away or
> > do unencrypted like now.
> >
> > Problem is solved by political and economical pressure.
> >
> > 2. Check SEV and SME bit. HV lies here. Oh well, same as the above.
>
> I'd be worried about the possibility that, through some additional exploits
> or failures in the attestation flow,
Well, that puts forward an important question: how do you verify
*reliably* that this is an SNP guest?
- attestation?
- CPUID?
- anything else?
I don't see this written down anywhere. Because this assumption will
guide the design in the kernel.
> a guest owner was tricked into booting unencrypted on a compromised
> host and exposing their secrets. Their attestation process might even
> do some additional CPUID sanity checks, which would at the point
> be via the SNP CPUID table and look legitimate, unaware that the
> kernel didn't actually use the SNP CPUID table until after 0x8000001F
> was parsed (if we were to only initialize it after/as-part-of
> sme_enable()).
So what happens with that guest owner later?
How is she to notice that she booted unencrypted?
> Fortunately in this scenario I think the guest kernel actually would fail to
> boot due to the SNP hardware unconditionally treating code/page tables as
> encrypted pages. I tested some of these scenarios just to check, but not
> all, and I still don't feel confident enough about it to say that there's
> not some way to exploit this by someone who is more clever/persistant than
> me.
All this design needs to be preceded with: "We protect against cases A,
B and C and not against D, E, etc."
So that it is clear to all parties involved what we're working with and
what we're protecting against and what we're *not* protecting against.
End of mail 2, more later.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
Powered by blists - more mailing lists