Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp910503rwi; Thu, 27 Oct 2022 08:55:14 -0700 (PDT) X-Google-Smtp-Source: AMsMyM4Hn5eGjUnrsKoZAjs1whnAVJ2WWMTC5RFdlAPfJG97o5In/uSysADIBSxBsobOPd5ZiTTH X-Received: by 2002:a63:1b16:0:b0:46b:8e7:3e0a with SMTP id b22-20020a631b16000000b0046b08e73e0amr41910962pgb.86.1666886114561; Thu, 27 Oct 2022 08:55:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666886114; cv=none; d=google.com; s=arc-20160816; b=P37E7lh5jOATCqMMcBayVV2VacBi8irKCtX/C0DUtHWSl6HhCK1gqiUNdS2YT5CTDk RzlU8bmadhftH4xotztlRXS7k0GqXWoenE2PxogWZdfdxbWbnI6cJUbqA3i4ryUBOstJ 3xg/8Y1R8tcrzOQ4asWiXSM8bfpVUSSJMhWN81MRR4B24kzjY/PpRHMgG5DmkLzNzYl7 hkeipkWEYJx7ERxBpDbap7rnxzYpquvHSfDSR6Y1WkEIdoQBcVdjpYwjnwW4muPIkmyC lwvB2FdiefRjetbGELEIBGT0UQXo24XvA0UDwr04PoQEElU3eoELzVEro679PTDIlDOL 1FRg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:mime-version:message-id:date :dkim-signature; bh=x43WQSDSdduVvRqUykrv5fQezd0RCHir1Z866mjqV7A=; b=WAVn/j1lG2IJPaPS7ZJ8MEttQn+Jkl3sF38BE9u9oab8WXnDUjRFAX0lnkQlncFfVg HpkhVna49ph+/zI4673LIvsCICDs/Vc0FMqqICSFKvIYcg//TKTOG7DZYe3GMke8Ax5Z /AFVfLhCuTYYQBle4nWaLk/hqbEHobPlHmEqS0rihClBiAXYzfN469058Xyu8GxAf8PF J/0H97B4himFrMUP4KExxPzlPvIK1qVounPnhdwsevr5FK/lGrAY5XFQMtaGlM/47LzF TaJPnBZyfNF6vUscB2kbB6uufunuhfXW8lZOSKf/OuANUqBkYQ8kTpMTpkghtQAxnt13 xFPg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=qHJtiLSp; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id v7-20020a634647000000b0046f3dfb9282si1999464pgk.52.2022.10.27.08.54.59; Thu, 27 Oct 2022 08:55:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=qHJtiLSp; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235350AbiJ0PGF (ORCPT + 99 others); Thu, 27 Oct 2022 11:06:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49394 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234035AbiJ0PGD (ORCPT ); Thu, 27 Oct 2022 11:06:03 -0400 Received: from mail-pj1-x104a.google.com (mail-pj1-x104a.google.com [IPv6:2607:f8b0:4864:20::104a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3370BD6B81 for ; Thu, 27 Oct 2022 08:06:02 -0700 (PDT) Received: by mail-pj1-x104a.google.com with SMTP id nl16-20020a17090b385000b002138288fd51so358332pjb.6 for ; Thu, 27 Oct 2022 08:06:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:from:subject:mime-version:message-id:date:from:to:cc:subject :date:message-id:reply-to; bh=x43WQSDSdduVvRqUykrv5fQezd0RCHir1Z866mjqV7A=; b=qHJtiLSprjfCsziSAgE/n8Hv6lbaec01bI8j0JPBQwtnWR/HXzBpHPAOtz7uSNNjVG dflOcCPkGIzgGy+w0WnCgGI3MiNNcBEODNSWqDip39a5m3AgWA9kUW5BTQwadIjp17nS 8hBss5xaReOi41Q4vkedXvTnG4L00S69gzhhUhdrd6WbQClqzq/Ji5qomSB/xCI24ej6 Y2gxzLN+3SM7mg74Ic+Kq0CN8mJR0PtHOfVDrL/28s6VUJdatkZ3/uDAh5H5L8Q9lj1s pSr3eMn9l6oxpghMfgZhfZodlweMqWllkdSbnMJt7mgO7pON2XeP/Y4sBv+HZC6h0ZYm yZUA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:from:subject:mime-version:message-id:date:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=x43WQSDSdduVvRqUykrv5fQezd0RCHir1Z866mjqV7A=; b=7jO8OfQr0TP3/UxQi75BD6CiY7YqOYmiJR5mz30IvWoRIeogGNLfvIFJSd+zkmrQMS FsYnvijO1OEvdnQcbBEOiiHBMv0f6vL8hxFqPpZJLrTrzmz82kNeG3kFroFBgMfm2Ahc zbDLqfInteqELGVu+KqSGqmLJLd2ChYrJC7Et1IwtyLz518Ol4qKvrPR3oQHkme3iDmu xAdAcHmP0UcZIPSD/WDXp638nIrhYsDdsJkNvpoygBvFaKlaeJYgS37/4Rz+ML1LYp6U hC18+5EM9Pw5cWZWbSvaz9TAU6Pp2xAmfZtHmskllVcXOytTKXUBWE5e4i1cbAhDIYdw BNtA== X-Gm-Message-State: ACrzQf3ZyVlWBC6x79RehBtS32XaR7ijqulyhqf970HugB9KO4eQekMn iHR48Prs54vD2W1DMsOb8DM5+lzppJo= X-Received: from pgonda1.kir.corp.google.com ([2620:0:1008:11:da0c:de35:6ecf:7c48]) (user=pgonda job=sendgmr) by 2002:a63:6c07:0:b0:457:523c:4bd0 with SMTP id h7-20020a636c07000000b00457523c4bd0mr42197743pgc.101.1666883161698; Thu, 27 Oct 2022 08:06:01 -0700 (PDT) Date: Thu, 27 Oct 2022 08:05:56 -0700 Message-Id: <20221027150558.722062-1-pgonda@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.38.0.135.g90850a2211-goog Subject: [PATCH V3 0/2] Fix security issue in SNP guest AES-GCM usage From: Peter Gonda To: thomas.lendacky@amd.com Cc: Peter Gonda , Dionna Glaze , Borislav Petkov , Michael Roth , Haowen Bai , Yang Yingliang , Marc Orr , David Rientjes , Ashish Kalra , linux-kernel@vger.kernel.org, kvm@vger.kernel.org Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Currently the ASP and SNP guest use an AES-GCM bases secure channel to communicate with each other. The IV for this encryption scheme is a sequence that each party maintains. Currently the ASP requires the sequence number of the request to be exactly one more than its saved sequence number and the ASP only increments its saved sequence number after a successful command. That means if the guest request ever fails it can only ever retry that exact encrypted command or discontinue its use of that VMPCK. If it were to try another command it would either need to reuse the sequence number which is the IC. That can lead to the encryption scheme failing with AES-GCM. Or if it incremented the sequence number the ASP would never accept the command due to sequence number mismatch. https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/800-38-series-drafts/gcm/joux_comments.pdf Cc: Dionna Glaze Cc: Borislav Petkov Cc: Tom Lendacky Cc: Michael Roth Cc: Haowen Bai Cc: Yang Yingliang Cc: Marc Orr Cc: David Rientjes Cc: Ashish Kalra Cc: linux-kernel@vger.kernel.org Cc: kvm@vger.kernel.org Peter Gonda (2): virt: sev: Prevent IV reuse in SNP guest driver virt: sev: Allow for retrying SNP extended requests arch/x86/include/asm/svm.h | 6 ++ arch/x86/kernel/sev.c | 28 ++++++-- drivers/virt/coco/sev-guest/sev-guest.c | 93 ++++++++++++++++--------- 3 files changed, 91 insertions(+), 36 deletions(-) -- 2.38.0.135.g90850a2211-goog