lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <32ed551f-d499-47fe-8f76-f80cb1513d9a@oracle.com>
Date: Fri, 10 Jan 2025 08:58:17 +0000
From: Liam Merwick <liam.merwick@...cle.com>
To: Michael Roth <michael.roth@....com>, kvm@...r.kernel.org
Cc: linux-coco@...ts.linux.dev, linux-kernel@...r.kernel.org,
        pbonzini@...hat.com, seanjc@...gle.com, jroedel@...e.de,
        thomas.lendacky@....com, ashish.kalra@....com, pankaj.gupta@....com,
        dionnaglaze@...gle.com, huibo.wang@....com, liam.merwick@...cle.com
Subject: Re: [PATCH v3] KVM: Introduce KVM_EXIT_SNP_REQ_CERTS for SNP certificate-fetching
On 18/12/2024 15:22, Michael Roth wrote:
> For SEV-SNP, the host can optionally provide a certificate table to the
> guest when it issues an attestation request to firmware (see GHCB 2.0
> specification regarding "SNP Extended Guest Requests"). This certificate
> table can then be used to verify the endorsement key used by firmware to
> sign the attestation report.
> 
> While it is possible for guests to obtain the certificates through other
> means, handling it via the host provides more flexibility in being able
> to keep the certificate data in sync with the endorsement key throughout
> host-side operations that might result in the endorsement key
> changing.
> 
> In the case of KVM, userspace will be responsible for fetching the
> certificate table and keeping it in sync with any modifications to the
> endorsement key by other userspace management tools. Define a new
> KVM_EXIT_SNP_REQ_CERTS event where userspace is provided with the GPA of
> the buffer the guest has provided as part of the attestation request so
> that userspace can write the certificate data into it while relying on
> filesystem-based locking to keep the certificates up-to-date relative to
> the endorsement keys installed/utilized by firmware at the time the
> certificates are fetched.
> 
> Also introduce a KVM_CAP_EXIT_SNP_REQ_CERTS capability to enable/disable
> the exit for cases where userspace does not support
> certificate-fetching, in which case KVM will fall back to returning an
> empty certificate table if the guest provides a buffer for it.
> 
> Signed-off-by: Michael Roth <michael.roth@....com>

Reviewed-by: Liam Merwick <liam.merwick@...cle.com>
Tested-by: Liam Merwick <liam.merwick@...cle.com>

> ---
>   Documentation/virt/kvm/api.rst  | 93 +++++++++++++++++++++++++++++++++
>   arch/x86/include/asm/kvm_host.h |  1 +
>   arch/x86/kvm/svm/sev.c          | 43 ++++++++++++---
>   arch/x86/kvm/x86.c              | 11 ++++
>   include/uapi/linux/kvm.h        | 10 ++++
>   include/uapi/linux/sev-guest.h  |  8 +++
>   6 files changed, 160 insertions(+), 6 deletions(-)
> 

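For readers who want to see the userspace side of the exit the commit message describes, the following is an added C example, not code from this patch, from KVM, or from any VMM. It models a VMM's handler for KVM_EXIT_SNP_REQ_CERTS: it reads the certificate file under a shared flock() (the filesystem-based locking the message relies on, so a management tool rotating the endorsement key holds the exclusive lock while rewriting the file), builds the certificate table in the guest's buffer using the GHCB 2.0 layout (16-byte GUID, 32-bit offset, 32-bit length, all-zero terminator), reports a too-small buffer back with the required page count, and writes an empty table when userspace has no certificates to offer, mirroring KVM's own fallback when the capability is not enabled. The exit payload field names (gpa, npages), the result codes, the certificate file path and the certificate bytes are assumptions or constructed data, not the patch's uapi.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <unistd.h>

#define SNP_PAGE_SIZE 4096u
#define GUEST_CERT_GPA 0x1000u          /* where the model guest placed its buffer */

/* Constructed stand-in for the exit payload KVM hands userspace in kvm_run.
 * Field names are assumptions, not the patch's uapi definition. */
struct snp_req_certs_exit {
    uint64_t gpa;     /* guest-physical address of the guest's certificate buffer */
    uint32_t npages;  /* size of that buffer in 4K pages, as chosen by the guest */
};

enum certs_result {
    CERTS_OK = 0,           /* table written into the guest buffer */
    CERTS_INVALID_LEN = 1,  /* buffer too small; needed page count reported */
    CERTS_IO_ERROR = 2,     /* GPA range invalid or certificate file unreadable */
};

/* Certificate table entry per the GHCB 2.0 extended guest request format.
 * offset/length are relative to the start of the table; a zero entry ends it. */
struct cert_table_entry {
    uint8_t  guid[16];
    uint32_t offset;
    uint32_t length;
} __attribute__((packed));

/* Constructed GUID and certificate body for the single example cert. */
static const uint8_t EXAMPLE_GUID[16] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
                                          0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00 };
static const char EXAMPLE_CERT[] = "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n";

/* Write the constructed cert to a temp file (held under LOCK_EX while written,
 * the convention a key-rotating management tool is assumed to follow). */
const char *make_example_certs_file(void)
{
    static char path[] = "/tmp/snp-certs-XXXXXX";
    static int created;
    if (created) return path;
    int fd = mkstemp(path);
    if (fd < 0) return NULL;
    if (flock(fd, LOCK_EX) == 0 &&
        write(fd, EXAMPLE_CERT, sizeof(EXAMPLE_CERT) - 1) == (ssize_t)(sizeof(EXAMPLE_CERT) - 1))
        created = 1;
    flock(fd, LOCK_UN);
    close(fd);
    return created ? path : NULL;
}

/* Read the whole file under a shared lock so a half-written table is never
 * copied into the guest. Returns the byte count or -1. */
static ssize_t read_certs_locked(const char *path, uint8_t **out)
{
    *out = NULL;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (flock(fd, LOCK_SH) < 0) { close(fd); return -1; }
    off_t len = lseek(fd, 0, SEEK_END);
    ssize_t got = -1;
    if (len >= 0 && lseek(fd, 0, SEEK_SET) == 0 && (*out = malloc((size_t)len + 1)))
        got = read(fd, *out, (size_t)len);
    flock(fd, LOCK_UN);
    close(fd);
    if (got != len) { free(*out); *out = NULL; return -1; }
    return got;
}

/* Handle one exit. guest_mem models the VMM's mapping of guest RAM (indexed by
 * GPA). certs_path == NULL means userspace has nothing to offer: the guest
 * then receives an empty (all-zero) table. */
int handle_snp_req_certs(const struct snp_req_certs_exit *ex, uint8_t *guest_mem,
                         size_t guest_mem_size, const char *certs_path, uint32_t *needed_pages)
{
    size_t buf_len = (size_t)ex->npages * SNP_PAGE_SIZE;
    if (ex->gpa >= guest_mem_size || buf_len > guest_mem_size - ex->gpa)
        return CERTS_IO_ERROR;            /* the GPA is guest-controlled: range-check it */
    uint8_t *dst = guest_mem + ex->gpa;
    uint8_t *cert = NULL;
    ssize_t cert_len = 0;
    if (certs_path && (cert_len = read_certs_locked(certs_path, &cert)) < 0)
        return CERTS_IO_ERROR;
    size_t entries = (cert_len > 0 ? 1 : 0) + 1;            /* data entries + terminator */
    size_t need = entries * sizeof(struct cert_table_entry) + (size_t)cert_len;
    if (need > buf_len) {                                    /* tell the guest how much to offer */
        *needed_pages = (uint32_t)((need + SNP_PAGE_SIZE - 1) / SNP_PAGE_SIZE);
        free(cert);
        return CERTS_INVALID_LEN;
    }
    memset(dst, 0, buf_len);              /* a zeroed buffer already carries the terminator */
    if (cert_len > 0) {
        struct cert_table_entry e;
        memcpy(e.guid, EXAMPLE_GUID, sizeof e.guid);
        e.offset = (uint32_t)(entries * sizeof e);
        e.length = (uint32_t)cert_len;
        memcpy(dst, &e, sizeof e);
        memcpy(dst + e.offset, cert, (size_t)cert_len);
    }
    free(cert);
    return CERTS_OK;
}

/* Driver and inspection helpers over a 4-page model of guest RAM. */
static uint8_t guest_mem[4 * SNP_PAGE_SIZE];
static uint32_t last_needed_pages;

int run_certs_exit(uint32_t npages, const char *certs_path)
{
    struct snp_req_certs_exit ex = { .gpa = GUEST_CERT_GPA, .npages = npages };
    last_needed_pages = 0;
    return handle_snp_req_certs(&ex, guest_mem, sizeof guest_mem, certs_path, &last_needed_pages);
}
uint32_t last_needed(void) { return last_needed_pages; }
int guest_table_is_empty(void)
{
    static const struct cert_table_entry zero;
    return memcmp(guest_mem + GUEST_CERT_GPA, &zero, sizeof zero) == 0;
}
int guest_table_has_example_cert(void)
{
    struct cert_table_entry e;
    memcpy(&e, guest_mem + GUEST_CERT_GPA, sizeof e);
    return memcmp(e.guid, EXAMPLE_GUID, 16) == 0 && e.offset == 2 * sizeof e &&
           e.length == sizeof(EXAMPLE_CERT) - 1 &&
           memcmp(guest_mem + GUEST_CERT_GPA + e.offset, EXAMPLE_CERT, e.length) == 0;
}

int main(void)
{
    const char *path = make_example_certs_file();
    printf("1 page, certs present: result=%d has_cert=%d\n", run_certs_exit(1, path), guest_table_has_example_cert());
    printf("0 pages: result=%d needed_pages=%u\n", run_certs_exit(0, path), last_needed());
    printf("no certs available: result=%d empty=%d\n", run_certs_exit(1, NULL), guest_table_is_empty());
    if (path) unlink(path);
    return 0;
}
```

The range check on the guest-supplied GPA and page count is the part worth copying: the guest chooses both, so a VMM that indexes its RAM mapping without checking them turns the exit into an out-of-bounds write.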