Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp1876664pxj; Wed, 19 May 2021 16:27:27 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxIzAGv2dRNgvC3HJtHpeV9aNC2NqTzF8LvvxIEIL7lqb3c7XUWLPOhQ0Vw+78jETdteka/ X-Received: by 2002:aa7:d718:: with SMTP id t24mr1640651edq.259.1621466846792; Wed, 19 May 2021 16:27:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1621466846; cv=none; d=google.com; s=arc-20160816; b=qJNSd+NfGQYBcrVdG7Xq75LF9UMtQL0Z4Qf3ziVAQ+yWn+AwLzK7sK2EAUPj35uZ5Y e1UPO/hhitATsXndkDcsp7BuDAo5JZ004dybcGUZDDzmOFmJGU2DQSAlwyOHUrel9d3k y3zTuAsfsd5mWJU9BYJ9YauuuVBDhbbGvKHP4qNM+b9fCW9GkcRyQKGqIj+ii7Kna7FT +9MSpbdV2tdrVe5H8Fu2P3/I87l3fHoQQU8IYcV2YKaqwGCcvtGiDeko9sEH6SlJq5hJ QzLnDf1USzw60OojnZJYPgpSuunEkfU8wuXJa/0Np9IAFjzfHmUWIE/KYxg/6nm8h3qO Z0Bg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=9xVQK0qkPOSY6ynWCbjM+3v87WrsktO/Y9PaXnOS+CE=; b=tTmsuvq3bwu9BMYWI37xE8wu7JS4CGJlRsmqnc/mpwYhAlnYQZ84iIdANqYPhvzyMm UcffJBHpKC2tAAIkUs1tE9iltMLUu9MqLYdX+vb9AqOY2JxiQG6cfUZeb+JGSTjqQ7y+ Gjpgxm8qf9oA5CN8wGeT2QhykPBb5yetl6ShreyoozEukYezIwwNoYl1I6iAH1akVs7g 7lqmLRtzeFEPl7YuVToyJMoswoEM6aLwtb1KeIyIIBCn2pruBJJW5H737BLr3+bVmvpM s8dQwSazoaMYV56lKqvk25oMNWWaMJe9A0S1+btoZbKzbu7zW/ganc3dm07XibyMAVDO oA8A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=I93to3nt; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bd11si548410edb.491.2021.05.19.16.26.49; Wed, 19 May 2021 16:27:26 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=I93to3nt; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229982AbhESX1y (ORCPT + 99 others); Wed, 19 May 2021 19:27:54 -0400 Received: from mail.kernel.org ([198.145.29.99]:43780 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229952AbhESX1x (ORCPT ); Wed, 19 May 2021 19:27:53 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 132A560FF0; Wed, 19 May 2021 23:26:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1621466793; bh=hXJA2R+CcUs1BiWvz0yIMkkZ6uMumHTehRLvUfxwIPU=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=I93to3nt2GWgRRiSLVXxgzRhJcFbD2FRXHSRekR0E3ZkQ6/0YBq7MlFB4gDkJ+W4j DrU5/8Taonq7U3aotSCWkRPUv9xm19cAoCHpxv8wnsRGjWpjmDl/g4RM1Vv2MCUywO 1d5YNZJZVYy4s5bt1VSrRIUufyU2knXQNn21xuas9RQU9ZSg4Wnqv/49DwRMYAI0vp ah4pG9keJxOu+yaCjNrIsmeZuxljES/j1xR2Exvg1AdcMDIxF22qimc3kew5sADc+u 66n4mf6ppQcWqz0WCvqpsLWHFjNDjI+ez8dWkGI1BkJOMiGWH94dT2L40jLDk/PvwN 0D/Imthf1ripg== Subject: Re: [RFC PATCH v2 00/11] x86: Support Intel Key Locker To: Sean Christopherson Cc: "Bae, Chang Seok" , Thomas Gleixner , Ingo Molnar , Borislav Petkov , X86 ML , Herbert Xu , "Williams, Dan J" , "Hansen, Dave" , "Shankar, Ravi V" , Linux Crypto Mailing List , "linux-kernel@vger.kernel.org" References: <20210514201508.27967-1-chang.seok.bae@intel.com> <9f556d3b-49d3-5b0b-0d92-126294ea082d@kernel.org> <247d9a25-f32f-d01b-61ff-b1966e382907@kernel.org> From: Andy Lutomirski Message-ID: <112f7ceb-d699-fc1e-ea5f-89d505e0d6d8@kernel.org> Date: Wed, 19 May 2021 16:26:32 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.10.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On 5/18/21 10:52 AM, Sean Christopherson wrote: > On Tue, May 18, 2021, Andy Lutomirski wrote: >> On 5/17/21 11:21 AM, Bae, Chang Seok wrote: >>> First of all, there is an RFC series for KVM [2]. >>> >>> Each CPU has one internal key state so it needs to reload it between guest and >>> host if both are enabled. The proposed approach enables it exclusively; expose >>> it to guests only when disabled in a host. Then, I guess a guest may enable it. >> >> I read that series. This is not a good solution. >> >> I can think of at least a few reasonable ways that a host and a guest >> can cooperate to, potentially, make KL useful. >> >> a) Host knows that the guest will never migrate, and guest delegates >> IWKEY management to the host. The host generates a random key and does >> not permit the guest to use LOADIWKEY. The guest shares the random key >> with the host. Of course, this means that a host key handle that leaks >> to a guest can be used within the guest. > > If the guest and host share a random key, then they also share the key handle. > And that handle+key would also need to be shared across all guests. I doubt this > option is acceptable on the security front. > Indeed. Oddly, SGX has the exact same problem for any scenario in which SGX is used for HSM-like functionality, and people still use SGX. However, I suspect that there will be use cases in which exactly one VM is permitted to use KL. Qubes might want that (any Qubes people around?) > Using multiple random keys is a non-starter because they can't be restored via > LOADIWKEY. > > Using multiple software-defined keys will have moderate overhead because of the > possibility of using KL from soft IRQ context, i.e. KVM would have to do > LOADIWKEY on every VM-Enter _and_ VM-Exit. It sounds like LOADIWKEY has latency > similar to WRMSR, so it's not a deal-breaker, but the added latency on top of the > restrictions on how the host can use KL certainly lessen the appeal. Indeed. This stinks. > >> b) Host may migrate the guest. Guest delegates IWKEY management to the >> host, and the host generates and remembers a key for the guest. On >> migration, the host forwards the key to the new host. The host can >> still internally any type of key, but context switches may be quite slow. > > Migrating is sketchy because the IWKEY has to be exposed to host userspace. > But, I think the migration aspect is a secondary discussion. > >> c) Guest wants to manage its own non-random key. Host lets it and >> context switches it. > > This is essentially a variant of (b). In both cases, the host has full control > over the guest's key. > >> d) Guest does not need KL and leaves CR4.KL clear. Host does whatever >> it wants with no overhead. >> >> All of these have tradeoffs. >> >> My current thought is that, if Linux is going to support Key Locker, >> then this all needs to be explicitly controlled. On initial boot, Linux >> should not initialize Key Locker. Upon explicit administrator request >> (via sysfs?), Linux will initialize Key Locker in the mode requested by >> the administrator. > > Deferring KL usage to post-boot can work, but KVM shouldn't be allowed to expose > KL to a guest until KL has been explicitly configured in the host. If KVM can > spawn KL guests before the host is configured, the sysfs knob would have to deal > with the case where the desired configuration is incompatible with exposing KL > to a guest. There could be a host configuration "guest_only", perhaps. > >> Modes could include: >> >> native_random_key: Use a random key per the ISA. >> >> native_kernel_key_remember: Use a random key but load it as a non-random >> key. Remember the key in kernel memory and use it for S3 resume, etc. > > What would be the motivation for this mode? It largely defeats the value > proposition of KL, no? It lets userspace use KL with some degree of security. > >> native_kernel_key_backup: Use a random key, put it in the backup >> storage, and forget it. Use the backup for resume, etc. >> >> native_kernel_key_norestore: Use a random key. The key is lost on any >> power transition that forgets the key. Backup is not used. >> >> paravirt_any: Ask the hypervisor to handle keying. Any mechanism is >> acceptable. >> >> paravirt_random: Ask the hypervisor for a random key. Only succeeds if >> we get an actual random key. > > AFAIK, there's no way for the guest to verify that it got a truly random key. > Hell, the guest can't even easily verify that KL is even supported. The host > can lie about CPUID and CR4.KL, and intercept all KL instructions via #UD by > running the guest with CR4.KL=0. The guest can use TDX. Oh wait, TDX doesn't support KL. That being said, a host attack on the guest of this sort would be quite slow. > > I also don't see any reason to define a paravirt interface for a truly random > key. Using a random key all but requires a single guest to have exclusive access > to KL, and in that case the host can simply expose KL to only that guest. > >> Does this make sense? > > I really want to use see concrete guest use cases before we start adding paravirt > interfaces. > I want to see concrete guest use cases before we start adding *any* guest support. And this cuts both ways -- I think that, until the guest use cases are at least somewhat worked out, Linux should certainly not initialize KL by default on boot if the CPUID hypervisor bit is set.