Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id CA1F0C54EAA for ; Fri, 27 Jan 2023 07:17:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232452AbjA0HR5 (ORCPT ); Fri, 27 Jan 2023 02:17:57 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40222 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231849AbjA0HRz (ORCPT ); Fri, 27 Jan 2023 02:17:55 -0500 Received: from mail-wr1-x435.google.com (mail-wr1-x435.google.com [IPv6:2a00:1450:4864:20::435]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3A762DBDE for ; Thu, 26 Jan 2023 23:17:53 -0800 (PST) Received: by mail-wr1-x435.google.com with SMTP id b7so4116855wrt.3 for ; Thu, 26 Jan 2023 23:17:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=Zu8F0YryLt/OgLyDbyT+COsXBWZJ+zCIx+ZWtC5IKkg=; b=WGY7E/PSjYEz982lSPv35cpucEGupEadtERlumDXtX8XKQL1ufwwK8jq1WeP0lRpj7 yvTrhd3+v8b/ZVucRajffMcKWHm1L1k7Dats/WD17n4S1Dxx6Bb8JLxFajnEfHcRHaU7 UPo/mJTsx7izz4mLpE95UWikJKc0ZFJijx1tfWVRJ/NrlFgoUEs2+qvEjq8HzgRc7tBA Tcq9KWlx08MRHTkwySZvNQ5X37m497rbR/NuBNYm6xZOo3JQdwdouGLRKA4dCcVP/qgG gBzOjNqThoUBnFSw0xHp0ddueyP9+5QEkONaBmxtJerDTpPI61wQnSLkXk7mZeE15jIW SG+A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=Zu8F0YryLt/OgLyDbyT+COsXBWZJ+zCIx+ZWtC5IKkg=; b=tUaISHgZABwbG5zJVUpmDtTeWViYY9muXbM59PEzaY3Z5qJT6iwKAjvyeJldGybqw9 th++pq9lN9THe8f0T6zRtCAiatiyvRRzwWDX1dzzty7ZG14bAlb3Z2CT5Mz6RcRLKssU 9ml85Gw/c3mzwpWdcK0MeCdaVO+LPYhOyTxSd4ErqJmj6eLb0AmGBdZuvf5yFxivPlsI uHX+oyk/NR7/3ig+quJ073zFl5KJK4igmfu1/5GSkqp3qiWJAjgjyrTtHCY4JNAVBVDC vMd0KIg7lshvYFfkcmwxPZICjigeXmF7qhhKf2AMC1xVt5Ay4CI6LuclYP2nZqZSZ3BA zCng== X-Gm-Message-State: AO0yUKWlUbFirqE+lkpUbpAzzspw7Lmfxr9m+OJ/nL8aFYJjLgHfglWb 1JZ6888Ll6fUZjO/WiAnVjevuQ== X-Google-Smtp-Source: AK7set+B3n3giZrrrzvhrZe5kohk1pMxsQkkUJJDZp8hEVRVSrL+hCD+foHS8sR4KeguBUH965OCDw== X-Received: by 2002:adf:f7cd:0:b0:2bf:d511:18a9 with SMTP id a13-20020adff7cd000000b002bfd51118a9mr858226wrq.29.1674803871740; Thu, 26 Jan 2023 23:17:51 -0800 (PST) Received: from vermeer ([2a01:cb1d:81a9:dd00:b570:b34c:ffd4:c805]) by smtp.gmail.com with ESMTPSA id v13-20020a5d43cd000000b0027cb20605e3sm3272136wrr.105.2023.01.26.23.17.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 26 Jan 2023 23:17:51 -0800 (PST) Date: Fri, 27 Jan 2023 08:17:48 +0100 From: Samuel Ortiz To: Lukas Wunner Cc: "Dr. David Alan Gilbert" , Greg Kroah-Hartman , "Reshetova, Elena" , "Shishkin, Alexander" , "Shutemov, Kirill" , "Kuppuswamy, Sathyanarayanan" , "Kleen, Andi" , "Hansen, Dave" , Thomas Gleixner , Peter Zijlstra , Mika Westerberg , "Michael S. Tsirkin" , Jason Wang , "Poimboe, Josh" , "aarcange@redhat.com" , Cfir Cohen , Marc Orr , "jbachmann@google.com" , "pgonda@google.com" , "keescook@chromium.org" , James Morris , Michael Kelley , "Lange, Jon" , "linux-coco@lists.linux.dev" , Linux Kernel Mailing List , Jonathan Cameron , linux-pci@vger.kernel.org Subject: Re: Linux guest kernel threat model for Confidential Computing Message-ID: References: <20230125215333.GA18160@wunner.de> <20230126154449.GB4188@wunner.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20230126154449.GB4188@wunner.de> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jan 26, 2023 at 04:44:49PM +0100, Lukas Wunner wrote: > On Thu, Jan 26, 2023 at 10:24:32AM +0100, Samuel Ortiz wrote: > > On Wed, Jan 25, 2023 at 11:03 PM Lukas Wunner wrote: > > > CMA/SPDM (PCIe r6.0 sec 6.31) is in active development on this branch: > > > > > > https://github.com/l1k/linux/commits/doe > > > > > > The device authentication service afforded here is generic. > > > It is up to users and vendors to decide how to employ it, > > > be it for "confidential computing" or something else. > > > > > > Trusted root certificates to validate device certificates can be > > > installed into a kernel keyring using the familiar keyctl(1) utility, > > > but platform-specific roots of trust (such as a HSM) could be > > > supported as well. > > > > This may have been discussed at LPC, but are there any plans to also > > support confidential computing flows where the host kernel is not part > > of the TCB and would not be trusted for validating the device cert chain > > nor for running the SPDM challenge? > > As long as a device is passed through to a guest, the guest owns > that device. I agree. On a SRIOV setup, the host typically owns the PF and assigns VFs to the guests. Devices must be enlightened to guarantee that once one of their VFs/interfaces is passed to a trusted VM, it can no longer be modified by anything untrusted (e.g. the hypervisor). > It is the guest's prerogative and duty to perform > CMA/SPDM authentication on its own behalf. If the guest uses > memory encryption via TDX or SEV, key material established through > a Diffie-Hellman exchange between guest and device is invisible > to the host. Consequently using that key material for IDE encryption > protects device accesses from the guest against snooping by the host. On confidential computing platforms where a security manager (e.g. Intel TDX module) manages the confidential guests, the IDE key management and stream settings would be handled by this manager. In other words, the SPDM requester would not be a Linux kernel. FWIW, Intel recently published an interesting description of TEE-IO enabling with TDX [1]. > SPDM authentication consists of a sequence of exchanges, the first > being GET_VERSION. When a responder (=device) receives a GET_VERSION > request, it resets the connection and all internal state related to > that connection. (SPDM 1.2.1 margin no 185: "a Requester can issue > a GET_VERSION to a Responder to reset a connection at any time"; > see also SPDM 1.1.0 margin no 161 for details.) > > Thus, even though the host may have authenticated the device, > once it's passed through to a guest and the guest performs > authentication again, SPDM state on the device is reset. > > I'll amend the patches so that the host refrains from performing > reauthentication as long as a device is passed through. The host > has no business mutating SPDM state on the device once ownership > has passed to the guest. > > The first few SPDM exchanges are transmitted in the clear, > so the host can eavesdrop on the negotiated algorithms, > exchanged certificates and nonces. However the host cannot > successfully modify the exchanged data due to the man in the middle > protection afforded by SPDM: The challenge/response hash is > computed over the concatenation of the exchanged messages, > so modification of the messages by a man in the middle leads > to authentication failure. Right, I was not concerned by the challenge messages integrity but by trusting the host with verifying the response and validating the device cert chains. > Obviously the host can DoS guest access to the device by modifying > exchanged messages, but there are much simpler ways for it to > do that, say, by clearing Bus Master Enable or Memory Space Enable > bits in the Command Register. DoS attacks from the host against > the guest cannot be part of the threat model at this point. Yes, the host can DoS the guest at anytime it wants and in multiple ways. It's definitely out of the confidential computing thread model at least. Cheers, Samuel. [1] https://cdrdv2-public.intel.com/742542/software-enabling-for-tdx-tee-io-fixed.pdf