Message-ID: <cd8f0c33-1f26-48a5-a3d4-1d4ad4192160@oracle.com>
Date: Tue, 21 Jan 2025 20:18:55 +0000
From: Liam Merwick <liam.merwick@...cle.com>
To: Melody Wang <huibo.wang@....com>, kvm@...r.kernel.org
Cc: linux-coco@...ts.linux.dev, linux-kernel@...r.kernel.org,
Paolo Bonzini <pbonzini@...hat.com>, Sean Christopherson <seanjc@...gle.com>,
roedel@...e.de, Tom Lendacky <thomas.lendacky@....com>, ashish.kalra@....com,
pankaj.gupta@....com, dionnaglaze@...gle.com, Michael Roth <michael.roth@....com>
Subject: Re: [PATCH v4 1/1] KVM: Introduce KVM_EXIT_SNP_REQ_CERTS for SNP certificate-fetching
On 20/01/2025 21:58, Melody Wang wrote:
> From: Michael Roth <michael.roth@....com>
>
> For SEV-SNP, the host can optionally provide a certificate table to the
> guest when it issues an attestation request to firmware (see GHCB 2.0
> specification regarding "SNP Extended Guest Requests"). This certificate
> table can then be used to verify the endorsement key used by firmware to
> sign the attestation report.
>
> While it is possible for guests to obtain the certificates through other
> means, handling it via the host provides more flexibility in being able
> to keep the certificate data in sync with the endorsement key throughout
> host-side operations that might result in the endorsement key
> changing.
>
> In the case of KVM, userspace will be responsible for fetching the
> certificate table and keeping it in sync with any modifications to the
> endorsement key by other userspace management tools. Define a new
> KVM_EXIT_SNP_REQ_CERTS event where userspace is provided with the GPA of
> the buffer the guest has provided as part of the attestation request so
> that userspace can write the certificate data into it while relying on
> filesystem-based locking to keep the certificates up-to-date relative to
> the endorsement keys installed/utilized by firmware at the time the
> certificates are fetched.
>
> Also introduce a KVM_CAP_EXIT_SNP_REQ_CERTS capability to enable/disable
> the exit for cases where userspace does not support
> certificate-fetching, in which case KVM will fall back to returning an
> empty certificate table if the guest provides a buffer for it.
>
> [Melody: Update the documentation scheme about how file locking is
> expected to happen.]
>
> Signed-off-by: Michael Roth <michael.roth@....com>
> Signed-off-by: Melody Wang <huibo.wang@....com>
Reviewed-by: Liam Merwick <liam.merwick@...cle.com>
> ---
> Documentation/virt/kvm/api.rst | 106 ++++++++++++++++++++++++++++++++
> arch/x86/include/asm/kvm_host.h | 1 +
> arch/x86/kvm/svm/sev.c | 43 +++++++++++--
> arch/x86/kvm/x86.c | 11 ++++
> include/uapi/linux/kvm.h | 10 +++
> include/uapi/linux/sev-guest.h | 8 +++
> 6 files changed, 173 insertions(+), 6 deletions(-)
>