Message-ID: <9e911444-0772-b3da-3e63-f5d49543c752@linux.ibm.com>
Date: Fri, 1 Apr 2022 00:05:18 +0300
Subject: Re: [PATCH v8 0/4] Allow guest access to EFI confidential computing secret area
From: Dov Murik
To: Borislav Petkov
Cc: linux-efi@vger.kernel.org, Ashish Kalra, Brijesh Singh, Tom Lendacky,
 Ard Biesheuvel, James Morris, "Serge E. Hallyn", Andi Kleen, Greg KH,
 Andrew Scull, Dave Hansen, "Dr. David Alan Gilbert", Gerd Hoffmann,
 Lenny Szubowicz, Peter Gonda, Matthew Garrett, James Bottomley,
 Tobin Feldman-Fitzthum, Jim Cadden, Daniele Buono,
 linux-coco@lists.linux.dev, linux-security-module@vger.kernel.org,
 linux-kernel@vger.kernel.org, Dov Murik
References: <20220228114254.1099945-1-dovmurik@linux.ibm.com>
 <7696ba46-91c7-7119-bd68-b3521459cf37@linux.ibm.com>
 <247080bd-fef5-c892-7753-f9b7cf650166@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 31/03/2022 12:19, Borislav Petkov wrote:
> On Wed, Mar 30, 2022 at 09:11:54AM +0300, Dov Murik wrote:
>> If that's the case, we don't need a secure channel and secret injection.
>> You can use a simple "sev=debug" (or whatever) in the kernel
>> command-line to indicate your needs.
>
> Yeah, that would work for a normal SEV guest.
>
> However, if it is an -ES guest, you need to somehow tell it as the guest
> owner: "hey you're being debugged and that's fine."
>
> Because if you want to singlestep the thing, you're going to land in
> the #VC handler and destroy registers so you want to save them first if
> you're being debugged and then shovel them out to the host somehow. And
> that's another question but first things first.
>
> And "if you're being debugged" needs to be somehow told the guest
> through a secure channel so that the HV doesn't go and simply enable
> debugging by booting with "sev=debug" and bypass it all.
>

Note that the HV can also start the VM with SEV completely turned off.
Similarly, it can enable debugging and "fool" the guest. Of course all
these tricks will affect the measurement, and then the Guest Owner will
know that something is wrong and won't inject the secrets.

If you don't rely on secret injection anyway, then I think a kernel
command-line param is good enough. (I might be missing a scenario though)

Maybe you can use KVM_SEV_GET_ATTESTATION_REPORT (ask the host to do it
for you). But I think it returns only the launch digest, and you can't
figure out the SEV Policy field from it.

> And SNP has access to the policy in the attestation report, says Tom, so
> that's possible there.

True. But not in really early boot? This is all in the sev-guest
platform driver.

>
> So we need a way to add the debugging aspect to the measurement and be
> able to recreate that measurement quickly so that a simple debugging
> session of a kernel in a guest can work pretty much the same with a SEV*
> guest.
>
> I'm still digging the details tho...
>
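
Added example, not part of the original message or the patch series: a sketch of the Guest Owner side of the check discussed above, showing why a host that launches the guest with debugging enabled cannot obtain the secrets. It assumes the SEV/SEV-ES launch measurement layout from AMD's SEV API specification (HMAC-SHA256 keyed with the TIK); the key, nonce, digest and firmware version values are constructed for illustration.

```python
import hashlib
import hmac

# SEV guest policy bits (AMD SEV API specification).
POLICY_NODBG = 1 << 0   # set: the host may not debug the guest
POLICY_ES = 1 << 2      # set: SEV-ES is required


def launch_measurement(tik, policy, launch_digest, mnonce,
                       api_major, api_minor, build):
    """HMAC-SHA256(0x04 || API_MAJOR || API_MINOR || BUILD ||
    POLICY || LD || MNONCE), keyed with the TIK."""
    msg = bytes([0x04, api_major, api_minor, build])
    msg += policy.to_bytes(4, "little")
    msg += launch_digest + mnonce
    return hmac.new(tik, msg, hashlib.sha256).digest()


def owner_should_inject(reported, tik, intended_policy, launch_digest,
                        mnonce, api_major, api_minor, build):
    """Guest Owner check: recompute the measurement with the policy it
    asked for and compare with what the platform reported."""
    expected = launch_measurement(tik, intended_policy, launch_digest,
                                  mnonce, api_major, api_minor, build)
    return hmac.compare_digest(expected, reported)


# Constructed sample values, not taken from any real platform.
TIK = bytes(range(16))                      # shared by owner and firmware only
MNONCE = bytes(range(16, 32))
LD = hashlib.sha256(b"constructed firmware+kernel image").digest()
FW = dict(api_major=1, api_minor=51, build=3)

INTENDED = POLICY_NODBG | POLICY_ES

# What the firmware would report for an honest launch ...
honest = launch_measurement(TIK, INTENDED, LD, MNONCE, **FW)
# ... and for a launch where the host cleared NODBG to enable debugging.
debug_enabled = launch_measurement(TIK, INTENDED & ~POLICY_NODBG,
                                   LD, MNONCE, **FW)

if __name__ == "__main__":
    for name, m in (("honest", honest), ("debug_enabled", debug_enabled)):
        ok = owner_should_inject(m, TIK, INTENDED, LD, MNONCE, **FW)
        print(f"{name:14s} {m.hex()[:16]}...  inject secrets: {ok}")
```

The host never learns the TIK, so it cannot produce a measurement that matches the owner's intended policy after changing it; a guest that does not wait for secret injection gets no such signal, which is the gap the thread is discussing.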