Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp1012930rwr; Wed, 26 Apr 2023 09:04:36 -0700 (PDT) X-Google-Smtp-Source: AKy350YN/VJD9IviCbAaPAMWmzbz5lVVqj5xKDmp2zHbE4C7/kzJDVbiZKwhlUGG6VpAxOXvU4XN X-Received: by 2002:a05:6a00:1341:b0:63e:6b8a:7975 with SMTP id k1-20020a056a00134100b0063e6b8a7975mr32569480pfu.9.1682525076228; Wed, 26 Apr 2023 09:04:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1682525076; cv=none; d=google.com; s=arc-20160816; b=sTgye4Td47oUWhgHZBsqSryZK1ixfi4tfPnhXGEwEGGC5C81/GzJuzPhpeBlfxOmMW UO4Ek5c9OsgUzsF08wJkLGzpdCBzgDOrSUkd7ML1FaF1BmcgzH57B384g6YGABCN4mYU XUldQ+fNJzsjOOrQmrjT2G3FHUKkJL4gtmtXynxV9/HWpSsprRCKo/WMuAuam/mRsLGO WUag7LpfhqoL4b7/5UXJ8xkjBDZ6smYN8ifCpffHi3wB0eOVfWaRSeiJAylYrH8CWpYI 2Kr9S4nVAtk6nzzDZy7DdOiF0Xi4/hAZT/AmvwZ43OOuNq7IToYgaYj/+yfbczldq6g/ 2syg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=Gt+i8LH5Ee/86XlD/GvhwF0Xorz3qEvFe+jrqA/tbnw=; b=aIaxQ1wiKNyUaBw1NXoEnmN+9nCE11RbXuBZiVQB5Mnd6VwhE23cHq+vg4Tjns/18r mqwrp4mLP1mcS+oe2CAs0wJ9ETM5SVrSxP+Bytr9vh0MST538Uj0eiRNNY1TuJXrhPGv b8TiKEwU5KyH5v8eT1J2ooO0bhmfiLTAIV43beyWPWBoaWZNDfZktMSybHqUYK1UCQGA 2lgZMk9ONDWVUxciJZhd9hVJjyuz+jFvj0vUb3Z3uOMfNfqkFCgNWRAtCojdiK62NkoM 31InI3h6VuJCEiruEhWr0DhxqCNiFQQvWT4mhzg4+HPKlxxDLztfKgQDUn9OEqL25uvy zyuw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=KYaLgMgI; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id i62-20020a625441000000b00640f330a547si3302761pfb.236.2023.04.26.09.04.12; Wed, 26 Apr 2023 09:04:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=KYaLgMgI; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241183AbjDZPwA (ORCPT + 99 others); Wed, 26 Apr 2023 11:52:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55756 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241084AbjDZPvv (ORCPT ); Wed, 26 Apr 2023 11:51:51 -0400 Received: from mail-yb1-xb49.google.com (mail-yb1-xb49.google.com [IPv6:2607:f8b0:4864:20::b49]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D8AEF768F for ; Wed, 26 Apr 2023 08:51:45 -0700 (PDT) Received: by mail-yb1-xb49.google.com with SMTP id 3f1490d57ef6-b992ab82e0dso12171396276.3 for ; Wed, 26 Apr 2023 08:51:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1682524305; x=1685116305; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=Gt+i8LH5Ee/86XlD/GvhwF0Xorz3qEvFe+jrqA/tbnw=; b=KYaLgMgIofy8doMOGV3T40pfYWfxJfZz7xSUexzlDW3/yaWyswvKdf9Lsi3GNP3hJe Lrp3OhRkwWOeEaZqL974ldY2IAFZy7lN/U0gxhjB5EO7Ff0hzzMaiYU0eaCRz6gYvgU5 khtGGStFIyXsmhns30fYSspDeRZ1M7k8Z+9TSf06a1lhx8gmAqBN71rRlOM66h7Q29pB D2ba1COpwIBEvnOanwA2uE2zjMDNPrfzaD9BnmwP30xWp+ZnvqaSlyzOlz6nf6Zi0TzT Xd0EIX+GFL+fvfTbWasDcf4aVPSoWnkqQvtAeZc1rjnBN5NjzDZ7IdU01oieF0/BKefk DpxA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682524305; x=1685116305; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Gt+i8LH5Ee/86XlD/GvhwF0Xorz3qEvFe+jrqA/tbnw=; b=DNy791X6OY16RHzxZM1KQwU2NRvHkpw+GgA0E1hTBG4Y7pYagGnP8BXhwrzWX79Fx6 31oQJHctCMV2K4NwWsSdxI675Pbojxvx2HZDi8SLu5zoWHTxxiw683FjzClPrR2clHbQ KuEhVI6fLzFjPXGN7wEkhcJc2IXtMP8c8JO4vRcqbteehejrD2oUGm2Ztj0QTA8n+Zhd pB9sQmxIES64sD7wNmzZMhLg1j1s1ArJYITNQhz+rpFpuRqE86sc4sEzCRRF55eQd/nc KgzKdlcwIO2QkyzKf76fMJZL9kKOuL7dGpNoUT04DAgHsNprE2ewgJ681ri+i/VWrT2W Pr+w== X-Gm-Message-State: AAQBX9fRTaEG/OlvUmh7H933zA4RzqRw/w5rxHVlH4QmoevaNdMlJLU0 RG4OjJwmPRyKyvgRFu82xYKaeByDEHM= X-Received: from zagreus.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37]) (user=seanjc job=sendgmr) by 2002:a25:c905:0:b0:b8f:6b3b:8a0a with SMTP id z5-20020a25c905000000b00b8f6b3b8a0amr12067601ybf.6.1682524305065; Wed, 26 Apr 2023 08:51:45 -0700 (PDT) Date: Wed, 26 Apr 2023 08:51:43 -0700 In-Reply-To: <9fa5ce43-584d-878d-227a-fb458254c00a@amd.com> Mime-Version: 1.0 References: <20230327141816.2648615-1-carlos.bilbao@amd.com> <9fa5ce43-584d-878d-227a-fb458254c00a@amd.com> Message-ID: Subject: Re: [PATCH] docs: security: Confidential computing intro and threat model From: Sean Christopherson To: Carlos Bilbao Cc: Elena Reshetova , "corbet@lwn.net" , "linux-doc@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "ardb@kernel.org" , "kraxel@redhat.com" , "dovmurik@linux.ibm.com" , "dave.hansen@linux.intel.com" , "Dhaval.Giani@amd.com" , "michael.day@amd.com" , "pavankumar.paluri@amd.com" , "David.Kaplan@amd.com" , "Reshma.Lal@amd.com" , "Jeremy.Powell@amd.com" , "sathyanarayanan.kuppuswamy@linux.intel.com" , "alexander.shishkin@linux.intel.com" , "thomas.lendacky@amd.com" , "tglx@linutronix.de" , "dgilbert@redhat.com" , "gregkh@linuxfoundation.org" , "dinechin@redhat.com" , "linux-coco@lists.linux.dev" , "berrange@redhat.com" , "mst@redhat.com" , "tytso@mit.edu" , "jikos@kernel.org" , "joro@8bytes.org" , "leon@kernel.org" , "richard.weinberger@gmail.com" , "lukas@wunner.de" , "jejb@linux.ibm.com" , "cdupontd@redhat.com" , "jasowang@redhat.com" , "sameo@rivosinc.com" , "bp@alien8.de" , "security@kernel.org" , Andrew Bresticker , Rajnesh Kanwal , Dylan Reid , Ravi Sahita Content-Type: text/plain; charset="us-ascii" X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 26, 2023, Carlos Bilbao wrote: > Hello Sean, > > On 4/26/23 8:32 AM, Reshetova, Elena wrote: > > Hi Sean, > > > > Thank you for your review! Please see my comments inline. > > > >> On Mon, Mar 27, 2023, Carlos Bilbao wrote: ... > >>> More details on the x86-specific solutions can be > >>> +found in > >>> +:doc:`Intel Trust Domain Extensions (TDX) ` and > >>> +:doc:`AMD Memory Encryption `. > >> > >> So by the above definition, vanilla SEV and SEV-ES can't be considered CoCo. SEV > >> doesn't provide anything besides increased confidentiality of guest memory, and > >> SEV-ES doesn't provide integrity or validation of physical page assignment. > >> > > > > Same > > > > Personally, I think it's reasonable to mention SEV/SEV-ES in the context of > confidential computing and acknowledge their relevance in this area. > > But there is no mention to SEV or SEV-ES in this draft. And the document we > reference there covers AMD-SNP, which provides integrity. ... > >>> +While the traditional hypervisor has unlimited access to guest data and > >>> +can leverage this access to attack the guest, the CoCo systems mitigate > >>> +such attacks by adding security features like guest data confidentiality > >>> +and integrity protection. This threat model assumes that those features > >>> +are available and intact. > >> > >> Again, if you're claiming integrity is a key tenant, then SEV and SEV-ES can't be > >> considered CoCo. > > Again, nobody mentioned SEV/SEV-ES here. Yes, somebody did. Unless your dictionary has a wildly different definition for "all". : +Overview and terminology : +======================== : + : +Confidential Cloud Computing (CoCo) refers to a set of HW and SW : +virtualization technologies that allow Cloud Service Providers (CSPs) to : +provide stronger security guarantees to their clients (usually referred to : +as tenants) by excluding all the CSP's infrastructure and SW out of the : +tenant's Trusted Computing Base (TCB). : + : +While the concrete implementation details differ between technologies, all ^^^ : +of these mechanisms provide increased confidentiality and integrity of CoCo : +guest memory and execution state (vCPU registers), more tightly controlled : +guest interrupt injection, as well as some additional mechanisms to control : +guest-host page mapping. More details on the x86-specific solutions can be : +found in This document is named confidential-computing.rst, not tdx-and-snp.rst. Not explicitly mentioning SEV doesn't magically warp reality to make descriptions like this one from security/secrets/coco.rst disappear: Introduction ============ Confidential Computing (coco) hardware such as AMD SEV (Secure Encrypted Virtualization) allows guest owners to inject secrets into the VMs memory without the host/hypervisor being able to read them. My complaint about this document being too Intel/AMD centric isn't that it doesn't mention other implementations, it's that the doc describes CoCo purely from the narrow viewpoint of Intel TDX and AMD SNP, and to be blunt, reads like a press release and not an objective overview of CoCo.