Message-ID: <DM8PR11MB5750B5E74AFEAB83D8A7170BE7E69@DM8PR11MB5750.namprd11.prod.outlook.com>
Date: Fri, 16 Dec 2022 15:22:15 +0000
From: "Reshetova, Elena" <elena.reshetova@...el.com>
To: "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
"Hansen, Dave" <dave.hansen@...el.com>
CC: "Kirill A. Shutemov" <kirill@...temov.name>,
Borislav Petkov <bp@...en8.de>,
"Lutomirski, Andy" <luto@...nel.org>,
"Kuppuswamy Sathyanarayanan"
<sathyanarayanan.kuppuswamy@...ux.intel.com>,
"Thomas Gleixner" <tglx@...utronix.de>,
"x86@...nel.org" <x86@...nel.org>,
"linux-coco@...ts.linux.dev" <linux-coco@...ts.linux.dev>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH 2/4] x86/tdx: Use ReportFatalError to report missing SEPT_VE_DISABLE
>
> On Thu, Dec 15, 2022 at 01:09:10PM -0800, Dave Hansen wrote:
> > On 12/15/22 10:51, Kirill A. Shutemov wrote:
> > >>> So ReportFatalError() is no good for the task. And I don't have anything
> > >>> else :/
> > >> Do we *really* have to do a hard stop when SEPT_VE_DISABLE is missing?
> > >>
> > >> Wouldn't it be simpler to just defer the check until we can spit out a
> > >> sane error message about it?
> > >>
> > >> Or is there too much security exposure by continuing?
> > > Well, I guess we can. We always have attestation as a backstop. No
> > > sensitive user data has to be exposed to the TD before it passed
> > > the attestation.
> >
> > OK, so let's just pretend that SEPT_VE_DISABLE=0 is a blatant root hole
> > that lets the VMM compromise the TDX guest (I know it's not, but let's
> > just pretend it is).
> >
> > The guest starts up, the VMM compromises it after the attestation has
> > run. The now compromised guest sends along its report. But, since the
> > report contains (or implies???) SEPT_VE_DISABLE=0, the guest will be
> > assumed to be compromised and won't get any secrets provisioned?
> >
> > That assumes that the attestation service knows that SEPT_VE_DISABLE==0
> > plus Linux is bad. Is that a good assumption?
>
> I know that the attestation quote includes all required information
> (attributes and kernel hash) to make the decision, and I assume that the
> attestation service is competent. So, yes, I think the expectation that
> Linux + SEPT_VE_DISABLE==0 is going to be rejected is reasonable.
>
> Elena, is there anything you can elaborate on here?
Yes, the attestation quote has the attribute included for SEPT_VE_DISABLE.
So the remote verifier can check this, *if* it understands that it is important.
However, it is a big *IF* imo. In the TDX module spec and attestation specs,
SEPT_VE_DISABLE is marked as an attribute that "potentially impacts security"
vs TUD attributes like DEBUG that are classified as "your TD is not secure at all".
So, we will be relying on verifiers to understand that in the Linux case it is a critical
thing vs a "potentially impacting security" thing.
We will document this specifically in our TDX guest kernel documentation,
but I have no guarantees on how carefully people are reading it.
My preference is to do the right thing in code.
Best Regards,
Elena.
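The verifier-side policy the thread is worried about, as an added example that is not code from the thread, the kernel or the TDX attestation stack: a remote verifier has already pulled the 64-bit TD ATTRIBUTES word out of a Quote and has concluded from the measurements which guest OS it is looking at; it then has to decide whether a Linux TD with SEPT_VE_DISABLE clear is acceptable. Bit positions come from the Linux header arch/x86/include/asm/shared/tdx.h (ATTR_DEBUG is bit 0, ATTR_SEPT_VE_DISABLE is bit 28) and the TUD/SEC/OTHER class ranges from the TDX module spec's layout of the attributes word; the guest-OS profile string, the Result/Verdict types, the decision to reject unrecognised SEC/OTHER bits, and the sample byte string are all constructed for this example.

```python
"""Attestation-side policy check for TDX TD ATTRIBUTES (added example).

The generic spec wording only says SEPT_VE_DISABLE "potentially impacts
security"; the Linux guest treats a clear bit as fatal, so a verifier that
knows it is looking at Linux has to apply a Linux-specific rule on top of
the generic TUD/SEC/OTHER classification.
"""
import struct
from dataclasses import dataclass, field
from enum import Enum

# Individual attribute bits (positions from arch/x86/include/asm/shared/tdx.h).
ATTR_DEBUG = 1 << 0             # TUD class: TD is debuggable by the host
ATTR_SEPT_VE_DISABLE = 1 << 28  # SEC class: no #VE on SEPT violations

# Attribute classes as laid out in the TDX module spec.
TUD_MASK = 0x00000000_000000FF    # bits 7:0   "TD under debug"
SEC_MASK = 0x00000000_FFFFFF00    # bits 31:8  "potentially impacts security"
OTHER_MASK = 0xFFFFFFFF_00000000  # bits 63:32

# Bits this verifier knows how to interpret (assumption of the example:
# anything else set in SEC/OTHER is refused rather than guessed at).
KNOWN_BITS = ATTR_DEBUG | ATTR_SEPT_VE_DISABLE


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"


@dataclass
class Result:
    verdict: Verdict
    reasons: list = field(default_factory=list)


def attributes_from_le_bytes(raw: bytes) -> int:
    """Decode the 8-byte little-endian ATTRIBUTES field once the caller has
    located it in the report/quote body (offset lookup is out of scope here)."""
    if len(raw) != 8:
        raise ValueError("ATTRIBUTES is exactly 8 bytes")
    return struct.unpack("<Q", raw)[0]


def evaluate_td_attributes(attributes: int, guest_os: str) -> Result:
    """Apply verifier policy to a 64-bit TD ATTRIBUTES value.

    guest_os is what the verifier concluded from the measurements (e.g. by
    matching MRTD/RTMRs against a known image). Only "linux" triggers the
    Linux-specific SEPT_VE_DISABLE rule; any other profile gets the generic
    spec-derived policy, which is exactly the gap the thread points at.
    """
    reasons = []

    # 1. Any TUD bit set: the TD is not confidential at all, regardless of OS.
    if attributes & TUD_MASK:
        reasons.append("TUD attribute set (e.g. DEBUG): TD is not secure")

    # 2. Unknown SEC/OTHER bits: the spec says they may affect security,
    #    so this example refuses them instead of accepting blindly.
    unknown = attributes & (SEC_MASK | OTHER_MASK) & ~KNOWN_BITS
    if unknown:
        reasons.append(f"unrecognised attribute bits set: {unknown:#018x}")

    # 3. Linux-specific: with SEPT_VE_DISABLE clear the host can induce #VE
    #    on guest private-memory accesses, which the Linux guest refuses to
    #    run with, so the verifier must reject it too.
    if guest_os == "linux" and not attributes & ATTR_SEPT_VE_DISABLE:
        reasons.append("SEPT_VE_DISABLE clear on a Linux TD")

    verdict = Verdict.REJECT if reasons else Verdict.ACCEPT
    return Result(verdict, reasons)


if __name__ == "__main__":
    # Constructed sample: only bit 28 set, little-endian encoded.
    sample_attrs = attributes_from_le_bytes(bytes.fromhex("0000001000000000"))
    print(evaluate_td_attributes(sample_attrs, "linux"))   # accept
    print(evaluate_td_attributes(0, "linux"))              # reject: bit clear
    print(evaluate_td_attributes(0, "other-os"))           # generic policy accepts
    print(evaluate_td_attributes(ATTR_DEBUG | sample_attrs, "linux"))  # reject: DEBUG
```

The third call is the point of the discussion: a verifier that applies only the spec's own classification happily accepts SEPT_VE_DISABLE=0 on an unknown guest, and it is the `guest_os == "linux"` branch, i.e. knowledge the verifier has to be given explicitly, that turns the same attributes word into a rejection.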