[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YkVyIE8H4Ivb6J2l@zn.tnic>
Date: Thu, 31 Mar 2022 11:19:28 +0200
From: Borislav Petkov <bp@...e.de>
To: Dov Murik <dovmurik@...ux.ibm.com>
Cc: linux-efi@...r.kernel.org, Ashish Kalra <ashish.kalra@....com>,
Brijesh Singh <brijesh.singh@....com>,
Tom Lendacky <thomas.lendacky@....com>,
Ard Biesheuvel <ardb@...nel.org>,
James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>,
Andi Kleen <ak@...ux.intel.com>,
Greg KH <gregkh@...uxfoundation.org>,
Andrew Scull <ascull@...gle.com>,
Dave Hansen <dave.hansen@...el.com>,
"Dr. David Alan Gilbert" <dgilbert@...hat.com>,
Gerd Hoffmann <kraxel@...hat.com>,
Lenny Szubowicz <lszubowi@...hat.com>,
Peter Gonda <pgonda@...gle.com>,
Matthew Garrett <mjg59@...f.ucam.org>,
James Bottomley <jejb@...ux.ibm.com>,
Tobin Feldman-Fitzthum <tobin@...ux.ibm.com>,
Jim Cadden <jcadden@....com>,
Daniele Buono <dbuono@...ux.vnet.ibm.com>,
linux-coco@...ts.linux.dev, linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v8 0/4] Allow guest access to EFI confidential computing
secret area
On Wed, Mar 30, 2022 at 09:11:54AM +0300, Dov Murik wrote:
> If that's the case, we don't need a secure channel and secret injection.
> You can use a simple "sev=debug" (or whatever) in the kernel
> command-line to indicate your needs.
Yeah, that would work for a normal SEV guest.
However, if it is an -ES guest, you need to somehow tell it as the guest
owner: "hey you're being debugged and that's fine."
Because if you want to singlestep the thing, you're going to land in
the #VC handler and destroy registers so you want to save them first if
you're being debugged and then shovel them out to the host somehow. And
that's another question but first things first.
And "if you're being debugged" needs to be somehow told the guest
through a secure channel so that the HV doesn't go and simply enable
debugging by booting with "sev=debug" and bypass it all.
And SNP has access to the policy in the attestation report, says Tom, so
that's possible there.
So we need a way to add the debugging aspect to the measurement and be
able to recreate that measurement quickly so that a simple debugging
session of a kernel in a guest can work pretty much the same with a SEV*
guest.
I'm still digging the details tho...
--
Regards/Gruss,
Boris.
SUSE Software Solutions Germany GmbH, GF: Ivo Totev, HRB 36809, AG Nürnberg
Powered by blists - more mailing lists