| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 2 Feb 2024 07:56:07 +0000
From: "Reshetova, Elena" <elena.reshetova@...el.com>
To: "Dr. Greg" <greg@...ellic.com>, "Daniel P. Berrang??"
<berrange@...hat.com>
CC: Theodore Ts'o <tytso@....edu>, "Jason A. Donenfeld" <Jason@...c4.com>,
"Hansen, Dave" <dave.hansen@...el.com>, "Kirill A. Shutemov"
<kirill.shutemov@...ux.intel.com>, Thomas Gleixner <tglx@...utronix.de>,
"Ingo Molnar" <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, Dave Hansen
<dave.hansen@...ux.intel.com>, "H. Peter Anvin" <hpa@...or.com>,
"x86@...nel.org" <x86@...nel.org>, Kuppuswamy Sathyanarayanan
<sathyanarayanan.kuppuswamy@...ux.intel.com>, "Nakajima, Jun"
<jun.nakajima@...el.com>, Tom Lendacky <thomas.lendacky@....com>, "Kalra,
Ashish" <ashish.kalra@....com>, Sean Christopherson <seanjc@...gle.com>,
"linux-coco@...ts.linux.dev" <linux-coco@...ts.linux.dev>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH 2/2] x86/random: Issue a warning if RDRAND or RDSEED fails
> > > The bigger question, which I will respond to Elena with, is how much
> > > this issue calls the entire question of confidential computing into
> > > question.
>
> > A denial of service (from a panic on RDRAND fail) doesn't undermine
> > confidental computing. Guest data confidentiality is maintained by
> > panicing on RDRAND failure and DoS protection isn't a threat that CC
> > claims to be able to mitigate in general.
>
> Yes, if there is a problem with RDRAND we have a CoCo solution, full
> stop.
>
> The issue that I was raising with Elena is more generic, to wit:
>
> Her expressed concern is that a code construct looking something like this,
> rdrand() returning 0 on success:
>
> for (i= 0; i < 9; ++i)
> if (!rdrand(&seed))
> break;
> sleep(some time);
> }
> if (i == 9)
> BUG("No entropy");
>
> do_something_with(seed);
>
> Could be sufficiently manipulated by a malicious hypervisor in a TDX
> environment so as to compromise its functionality.
This is not what I had in mind. How does the above can be manipulated
by a malicious hypervisor? If the above construction can be
logically manipulated we have other issues than rdrand, this is imo
already a control flow manipulation attack that you are stating here.
What a malicious hypervisor can *in theory* do is to insert the execution
delays and make the above loop fail even if we assume that the probability
of falling the 10 retry loop is negligible in normal cases (assuming tightness
or other timing requirements). But again, this is theoretical at this point.
But if the SW refuses to proceed and panics in such cases, we have a DoS
as we already discussed.
Best Regards,
Elena.
>
> If this level of control is indeed possible, given the long history of
> timing and side-channel attacks against cryptography, this would seem
> to pose significant questions as to whether or not CoCo can deliver on
> its stated goals.
>
> > With regards,
> > Daniel
>
> Have a good evening.
>
> As always,
> Dr. Greg
>
> The Quixote Project - Flailing at the Travails of Cybersecurity
> https://github.com/Quixote-Project
Powered by blists - more mailing lists