Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp689547pxb; Thu, 21 Oct 2021 07:41:18 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxRCxmupTildqmeDO0M09JUzo1bw6utrcl04nAGLCmK+A0DE0+Ltsxx/WvsxdU6eH8hMoz5 X-Received: by 2002:a62:d11e:0:b0:446:d705:7175 with SMTP id z30-20020a62d11e000000b00446d7057175mr6019550pfg.74.1634827278628; Thu, 21 Oct 2021 07:41:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1634827278; cv=none; d=google.com; s=arc-20160816; b=efuTSIjdLD++R4IWqxa7+/TTu3RnoGv9iEo1fkjQMaWr8qinXCXZ10k9B47dtPlf+3 aymqFIUZBpMKmseakI480GQc7++831CMsp14SKdtqEt5nKCq459Ad38EDP2EqBkZgNGU gnj/SIamHHEpzXK4RyT2uXJQ+AyM7hHr6eCMVZd4LstVw/Bx3T7/F1NU+JJhDWBD8p2w FVgmszxr70thV7GaMdBw1ZRclMw9/NVwZV85Q0hnrUhv5E0JlUgaILylmS02ky2x3kMf 4CtNDghy7UCYR8IpVAih9msW62i+xh+2u720/XQEJ94MMESUAdl51Onr/LO5W9G62hRQ shHA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=y17JTnGMD0mtwTslqhoBBVABf5L1UdFOBWZGIOCjXBc=; b=ZeldOVCFLqS5eYml++ZjSCYchuU52Hmzfg3tYiWr5agor5cS8V53VcGifDa4VlNBXt 9AuC6GD9siyqK0HfRtrLZgx34Cy9OT5ykq+38kO3dLZnbgbknNKf1SWY9XNWRJxfS3ev mXMkte3gadl529zVdhdEnv75te2RRMVtF9u4Q09blZEG1wNUTtNban/f/wIdw3Y1CTsC xFEjMFQcKtBNtjcrSjmCrvJLrC7bIERGBza7diS0x3x/Z+hPI3uat0LhSX8+WnLhU+dy 3RmYhRy0mVmIp0X+QoT2sLCqS5TcFBl7Ube1C4QQWEQNLbfdfDERo9E4nIXVK6Qd8v0y Hnmg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@alien8.de header.s=dkim header.b=WBGqbz72; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=alien8.de Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g184si7312588pgc.603.2021.10.21.07.41.05; Thu, 21 Oct 2021 07:41:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@alien8.de header.s=dkim header.b=WBGqbz72; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=alien8.de Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230283AbhJUOlz (ORCPT + 99 others); Thu, 21 Oct 2021 10:41:55 -0400 Received: from mail.skyhub.de ([5.9.137.197]:56822 "EHLO mail.skyhub.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230483AbhJUOlu (ORCPT ); Thu, 21 Oct 2021 10:41:50 -0400 Received: from zn.tnic (p200300ec2f1912003b8abe7004197216.dip0.t-ipconnect.de [IPv6:2003:ec:2f19:1200:3b8a:be70:419:7216]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.skyhub.de (SuperMail on ZX Spectrum 128k) with ESMTPSA id 1D5941EC03C9; Thu, 21 Oct 2021 16:39:33 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alien8.de; s=dkim; t=1634827173; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references; bh=y17JTnGMD0mtwTslqhoBBVABf5L1UdFOBWZGIOCjXBc=; b=WBGqbz725B0Tn4Gqi9IfVffxfPZHOyMrX9swMzwzKOKDnAf95Ur6JThfCJ9KBP7gbW1Dh0 r24q9fqe9U0q38J4Z4zQLkXLXqluT8qQUy7iWT1AHe+c2HFsXO79fNq8iAHcPUE/bd0dTI 8uOp5LTDa0i52bQxYYTnt6TwbG41+zU= Date: Thu, 21 Oct 2021 16:39:31 +0200 From: Borislav Petkov To: Michael Roth Cc: Brijesh Singh , x86@kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, linux-efi@vger.kernel.org, platform-driver-x86@vger.kernel.org, linux-coco@lists.linux.dev, linux-mm@kvack.org, Thomas Gleixner , Ingo Molnar , Joerg Roedel , Tom Lendacky , "H. Peter Anvin" , Ard Biesheuvel , Paolo Bonzini , Sean Christopherson , Vitaly Kuznetsov , Jim Mattson , Andy Lutomirski , Dave Hansen , Sergio Lopez , Peter Gonda , Peter Zijlstra , Srinivas Pandruvada , David Rientjes , Dov Murik , Tobin Feldman-Fitzthum , Vlastimil Babka , "Kirill A . Shutemov" , Andi Kleen , "Dr . David Alan Gilbert" , tony.luck@intel.com, marcorr@google.com, sathyanarayanan.kuppuswamy@linux.intel.com Subject: Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler Message-ID: References: <20211008180453.462291-1-brijesh.singh@amd.com> <20211008180453.462291-9-brijesh.singh@amd.com> <20211018184003.3ob2uxcpd2rpee3s@amd.com> <20211020161023.hzbj53ehmzjrt4xd@amd.com> <20211021020542.v5s7xr4s2j3gsale@amd.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20211021020542.v5s7xr4s2j3gsale@amd.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Oct 20, 2021 at 09:05:42PM -0500, Michael Roth wrote: > According to the APM at least, (Rev 3.37, 15.34.10, "SEV_STATUS MSR"), the > SEV MSR is the appropriate source for guests to use. This is what is used > in the EFI code as well. So that seems to be the right way to make the > initial determination. Yap. > There's a dependency there on the SEV CPUID bit however, since setting the > bit to 0 would generally result in a guest skipping the SEV MSR read and > assuming 0. So for SNP it would be more reliable to make use of the CPUID > table at that point, since it's less-susceptible to manipulation, or do the > #VC-based SEV MSR read (or both). So the CPUID page is supplied by the firmware, right? Then, you parse it and see that the CPUID bit is 1, then you start using the SEV_STATUS MSR and all good. If there *is* a CPUID page but that bit is 0, then you can safely assume that something is playing tricks on ya so you simply refuse booting. > Fully-unencrypted should result in a crash due to the reasons below. Crash is a good thing in confidential computing. :) > But there may exist some carefully crafted outside influences that could > goad the guest into, perhaps, not marking certain pages as private. The > best that can be done to prevent that is to audit/harden all the code in the > boot stack so that it is less susceptible to that kind of outside > manipulation (via mechanisms like SEV-ES, SNP page validation, SNP CPUID > table, SNP restricted injection, etc.) So to me I wonder why would one use anything *else* but an SNP guest. We all know that those previous technologies were just the stepping stones towards SNP. > Then of course that boot stack needs to be part of the attestation process > to provide any meaningful assurances about the resulting guest state. > > Outside of the boot stack the guest owner might take some extra precautions. > Perhaps custom some kernel driver to verify encryption/validated status of > guest pages, some checks against the CPUID table to verify it contains sane > values, but not really worth speculating on that aspect as it will be > ultimately dependent on how the cloud vendor decides to handle things after > boot. Well, I've always advocated having a best-practices writeup somewhere goes a long way to explain this technology to people and how to get their feet wet. And there you can give hints how such verification could look like in detail... > That would indeed be useful. Perhaps as a nice big comment in sme_enable() > and/or the proposed sev_init() so that those invariants can be maintained, > or updated in sync with future changes. I'll look into that for the next > spin and check with Brijesh on the details. There is Documentation/x86/amd-memory-encryption.rst, for example. -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette