Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp491631pxf; Wed, 10 Mar 2021 10:14:36 -0800 (PST) X-Google-Smtp-Source: ABdhPJyFJ5zxf2SBU0Vl9HPQ18okca0UtTYrd6elfawsOp8Pm2H1ytXkRP5isRP49UvSPzZ4nv29 X-Received: by 2002:aa7:dd49:: with SMTP id o9mr4746437edw.14.1615400076477; Wed, 10 Mar 2021 10:14:36 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615400076; cv=none; d=google.com; s=arc-20160816; b=VTCHyM/U+prNa2TvnvgkehGw4zTA1FuJoTak13cBFxYSIoWYyixyiCUNQHObgtBdNM 3kLRc2zVVe5fSHacsaSV2pjW1EIti/ldWht7BV71LPDJe+/T5npL3RBkP6AmmgKNns9q M9z3aGi//EbHW+2irRNsA8PNk//e1l+2joqWIXeGO6V6/WTVPAJHoo3zEshGKG8qTMBY eja2ZOLVByhzXpFmNMvBPDXdxBKhBZOKtmf0Olyg5kQyu0R1bddm8FRJwHgYvANHwecC d5O8VimIxptypCVqCv/IEyNApeZFVnPj5WCAbmIY4hH9wFne6VVymvanY8Z81jH/bs6S rydQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=u7OI8DEe+NFQ9osOSl+yhqMf9zckEsOBhWXjBCNNUbk=; b=aumjaSFnn1Olmk5qNCMCdM4Lc5d/NlbXDBCBZEobrbwWxLswvlCDOIod1hDwYbga0S rW3apG09yFXL3f2HURF5tmaYLQZYpR9/hyG794JDkQpID5qUBAs18UU3Ft4H4sIVppP/ 1MVikw9n47SUSk2odQw05j21LlgavIzntm/If69gJuJ8fLRmBBOto9PpqdAL+S5upF91 TkzJZg2KXGECd1fr95RezjiTVKbLMrGbc1ijVZNSwcei2SSVyNEdHNtli7wAma+gKoDT uadQhNQ7p8Atg94dRE9+rTQMdnCrekJyLnPh95jjNiycM5eqgEJ3qYe7+vDgXjPjK3WW r6sA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=WOAj1tiU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z16si58699ejm.714.2021.03.10.10.14.13; Wed, 10 Mar 2021 10:14:36 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=WOAj1tiU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233666AbhCJSLI (ORCPT + 99 others); Wed, 10 Mar 2021 13:11:08 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51558 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233633AbhCJSLG (ORCPT ); Wed, 10 Mar 2021 13:11:06 -0500 Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 17723C061760; Wed, 10 Mar 2021 10:11:06 -0800 (PST) Received: by mail-lf1-x12c.google.com with SMTP id r3so26891689lfc.13; Wed, 10 Mar 2021 10:11:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=u7OI8DEe+NFQ9osOSl+yhqMf9zckEsOBhWXjBCNNUbk=; b=WOAj1tiUzgeiWPaKYhYiHiSWjWJPR55uY7pPW48ySeBQVJdbndEtGD1a4FuLRINeEm AGDkYl6omMnOJoZxXLs09+i+jqt92g54LlJJ016fcAk4ZTsx/hj1XBrQqBztXIIrrUtH OsFzfdoMudG8MDmd8QCe+ROU7MyOlWi4VFML+aP31d2xs3V4quXulYM4B2ujz4JH0Wqu 73QqgUAuaz7+DuODxFqOwZ87fb9cMA4RHMfzL8JWsJzAwrCose0DADEHZcc+3mNMlUiH CtqYBaAK04dQe6G8/13hCyLNl9kwGTIbfcYE7IfxTm1ksMS8WRuWfbFyYL6SX5lCU50W NFWQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=u7OI8DEe+NFQ9osOSl+yhqMf9zckEsOBhWXjBCNNUbk=; b=h+uoX9W5FLdekX2XP/wbOR9iVRXb5nRkDYfaPFUrgQgYVwpCNdcO3V5iHInO6UQE0t jb+eSO0CX6EHYvFHxmfnJlpvn4HqHJzZjkMThn9bGUsyv72acHdSivt2In4eDjP/zY8O L0DovLJVDml1xqe/MYWdw5MQ6h0WYpEZ4pXDZWHAW34CcQqDG/UEZXYl+ATigv7V06bk QA4SRAc4kY4d0AZmX4KgBT9RIzDDTyIgedQCIt0kBOR+N882SfIrXjTi1ZqFZhWXUj5s RFf3dHY/DcdbsWLIPzI6h+UoUlBaLvq9ynVJlh0qwN3tZ9lejmTCIkSH/v+1awHTQ44J CkXQ== X-Gm-Message-State: AOAM533PwnKJyNpDj7nIBydDkOcbl14MO5V/+eYxbofHIwhJ/w3MyFy8 HP+gOcYR5Bc4YrC9x+U1PNc= X-Received: by 2002:ac2:546b:: with SMTP id e11mr2663951lfn.48.1615399852379; Wed, 10 Mar 2021 10:10:52 -0800 (PST) Received: from martin-ThinkPad-T440p (88-115-234-24.elisa-laajakaista.fi. [88.115.234.24]) by smtp.gmail.com with ESMTPSA id r15sm68506ljj.88.2021.03.10.10.10.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 10 Mar 2021 10:10:52 -0800 (PST) Date: Wed, 10 Mar 2021 19:10:49 +0100 From: Martin Radev To: Sean Christopherson Cc: Joerg Roedel , x86@kernel.org, Joerg Roedel , hpa@zytor.com, Andy Lutomirski , Dave Hansen , Peter Zijlstra , Jiri Slaby , Dan Williams , Tom Lendacky , Juergen Gross , Kees Cook , David Rientjes , Cfir Cohen , Erdem Aktas , Masami Hiramatsu , Mike Stunes , Arvind Sankar , linux-kernel@vger.kernel.org, kvm@vger.kernel.org, virtualization@lists.linux-foundation.org Subject: Re: [PATCH v2 5/7] x86/boot/compressed/64: Add CPUID sanity check to 32-bit boot-path Message-ID: References: <20210310084325.12966-1-joro@8bytes.org> <20210310084325.12966-6-joro@8bytes.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Mar 10, 2021 at 09:51:48AM -0800, Sean Christopherson wrote: > On Wed, Mar 10, 2021, Martin Radev wrote: > > On Wed, Mar 10, 2021 at 08:08:37AM -0800, Sean Christopherson wrote: > > > On Wed, Mar 10, 2021, Joerg Roedel wrote: > > > > + /* > > > > + * Sanity check CPUID results from the Hypervisor. See comment in > > > > + * do_vc_no_ghcb() for more details on why this is necessary. > > > > + */ > > > > + > > > > + /* Fail if Hypervisor bit not set in CPUID[1].ECX[31] */ > > > > > > This check is flawed, as is the existing check in 64-bit boot. Or I guess more > > > accurately, the check in get_sev_encryption_bit() is flawed. AIUI, SEV-ES > > > doesn't require the hypervisor to intercept CPUID. A malicious hypervisor can > > > temporarily pass-through CPUID to bypass the CPUID[1].ECX[31] check. > > > > If erroneous information is provided, either through interception or without, there's > > this check which is performed every time a new page table is set in the early linux stages: > > https://elixir.bootlin.com/linux/v5.12-rc2/source/arch/x86/kernel/sev_verify_cbit.S#L22 > > > > This should lead to a halt if corruption is detected, unless I'm overlooking something. > > Please share more info. > > That check is predicated on sme_me_mask != 0, sme_me_mask is set based on the > result of get_sev_encryption_bit(), and that returns '0' if CPUID[1].ECX[31] is > '0'. > > sme_enable() also appears to have the same issue, as CPUID[1].ECX[31]=0 would > cause it to check for SME instead of SEV, and the hypervisor can simply return > 0 for a VMGEXIT to get MSR_K8_SYSCFG. > > I've no idea if the guest would actually survive with a bogus sme_me_mask, but > relying on CPUID[1] to #VC is flawed. > > Since MSR_AMD64_SEV is non-interceptable, that seems like it should be the > canonical way to detect SEV/SEV-ES. The only complication seems to be handling > #GP faults on the RDMSR in early boot. > > > > The hypervisor likely has access to the guest firmware source, so it > > > wouldn't be difficult for the hypervisor to disable CPUID interception once > > > it detects that firmware is handing over control to the kernel. > > > > > > > You probably don't even need to know the firmware for that. There the option > > to set CR* changes to cause #AE which probably gives away enough information. I see what you mean but I never tried out disabling interception for cpuid. There was the idea of checking for bogus information in the VC handler, but what you suggested would bypass it, I guess. If the C-bit is not set and memory gets interpreted as unencrypted, then the HV can gain code execution easily by means of ROP and then switch to the OVMF page table to easily do proper payload injection. If interested, check video at https://fosdem.org/2021/schedule/event/tee_sev_es/ on minute 15.