From: Sean Christopherson <seanjc@google.com>
To: Martin Radev <martin.b.radev@gmail.com>
Cc: Joerg Roedel <joro@8bytes.org>,
x86@kernel.org, Joerg Roedel <jroedel@suse.de>,
hpa@zytor.com, Andy Lutomirski <luto@kernel.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
Peter Zijlstra <peterz@infradead.org>,
Jiri Slaby <jslaby@suse.cz>,
Dan Williams <dan.j.williams@intel.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
Juergen Gross <jgross@suse.com>,
Kees Cook <keescook@chromium.org>,
David Rientjes <rientjes@google.com>,
Cfir Cohen <cfir@google.com>, Erdem Aktas <erdemaktas@google.com>,
Masami Hiramatsu <mhiramat@kernel.org>,
Mike Stunes <mstunes@vmware.com>,
Arvind Sankar <nivedita@alum.mit.edu>,
linux-kernel@vger.kernel.org, kvm@vger.kernel.org,
virtualization@lists.linux-foundation.org
Subject: Re: [PATCH v2 5/7] x86/boot/compressed/64: Add CPUID sanity check to 32-bit boot-path
Date: Wed, 10 Mar 2021 09:51:48 -0800 [thread overview]
Message-ID: <YEkHNDgmybNI+Ptt@google.com> (raw)
In-Reply-To: <YEkBU9em9SQZ25vA@martin-ThinkPad-T440p>
On Wed, Mar 10, 2021, Martin Radev wrote:
> On Wed, Mar 10, 2021 at 08:08:37AM -0800, Sean Christopherson wrote:
> > On Wed, Mar 10, 2021, Joerg Roedel wrote:
> > > + /*
> > > + * Sanity check CPUID results from the Hypervisor. See comment in
> > > + * do_vc_no_ghcb() for more details on why this is necessary.
> > > + */
> > > +
> > > + /* Fail if Hypervisor bit not set in CPUID[1].ECX[31] */
> >
> > This check is flawed, as is the existing check in 64-bit boot. Or I guess more
> > accurately, the check in get_sev_encryption_bit() is flawed. AIUI, SEV-ES
> > doesn't require the hypervisor to intercept CPUID. A malicious hypervisor can
> > temporarily pass-through CPUID to bypass the CPUID[1].ECX[31] check.
>
> If erroneous information is provided, either through interception or without, there's
> this check which is performed every time a new page table is set in the early linux stages:
> https://elixir.bootlin.com/linux/v5.12-rc2/source/arch/x86/kernel/sev_verify_cbit.S#L22
>
> This should lead to a halt if corruption is detected, unless I'm overlooking something.
> Please share more info.
That check is predicated on sme_me_mask != 0, sme_me_mask is set based on the
result of get_sev_encryption_bit(), and that returns '0' if CPUID[1].ECX[31] is
'0'.
sme_enable() also appears to have the same issue, as CPUID[1].ECX[31]=0 would
cause it to check for SME instead of SEV, and the hypervisor can simply return
0 for a VMGEXIT to get MSR_K8_SYSCFG.
I've no idea if the guest would actually survive with a bogus sme_me_mask, but
relying on CPUID[1] to #VC is flawed.
Since MSR_AMD64_SEV is non-interceptable, that seems like it should be the
canonical way to detect SEV/SEV-ES. The only complication seems to be handling
#GP faults on the RDMSR in early boot.
> > The hypervisor likely has access to the guest firmware source, so it
> > wouldn't be difficult for the hypervisor to disable CPUID interception once
> > it detects that firmware is handing over control to the kernel.
> >
>
> You probably don't even need to know the firmware for that. There the option
> to set CR* changes to cause #AE which probably gives away enough information.
next prev parent reply other threads:[~2021-03-10 17:52 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-10 8:43 [PATCH v2 0/7] x86/seves: Support 32-bit boot path and other updates Joerg Roedel
2021-03-10 8:43 ` Joerg Roedel
2021-03-10 8:43 ` [PATCH v2 1/7] x86/boot/compressed/64: Cleanup exception handling before booting kernel Joerg Roedel
2021-03-10 8:43 ` Joerg Roedel
2021-03-10 8:43 ` [PATCH v2 2/7] x86/boot/compressed/64: Reload CS in startup_32 Joerg Roedel
2021-03-10 8:43 ` Joerg Roedel
2021-03-10 8:43 ` [PATCH v2 3/7] x86/boot/compressed/64: Setup IDT in startup_32 boot path Joerg Roedel
2021-03-10 8:43 ` Joerg Roedel
2021-03-10 8:43 ` [PATCH v2 4/7] x86/boot/compressed/64: Add 32-bit boot #VC handler Joerg Roedel
2021-03-10 8:43 ` Joerg Roedel
2021-03-10 8:43 ` [PATCH v2 5/7] x86/boot/compressed/64: Add CPUID sanity check to 32-bit boot-path Joerg Roedel
2021-03-10 8:43 ` Joerg Roedel
2021-03-10 16:08 ` Sean Christopherson
2021-03-10 17:26 ` Martin Radev
2021-03-10 17:51 ` Sean Christopherson [this message]
2021-03-10 18:10 ` Martin Radev
2021-03-10 8:43 ` [PATCH v2 6/7] x86/boot/compressed/64: Check SEV encryption in " Joerg Roedel
2021-03-10 8:43 ` Joerg Roedel
2021-03-10 8:43 ` [PATCH v2 7/7] x86/sev-es: Replace open-coded hlt-loops with sev_es_terminate() Joerg Roedel
2021-03-10 8:43 ` Joerg Roedel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YEkHNDgmybNI+Ptt@google.com \
--to=seanjc@google.com \
--cc=cfir@google.com \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=erdemaktas@google.com \
--cc=hpa@zytor.com \
--cc=jgross@suse.com \
--cc=joro@8bytes.org \
--cc=jroedel@suse.de \
--cc=jslaby@suse.cz \
--cc=keescook@chromium.org \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=martin.b.radev@gmail.com \
--cc=mhiramat@kernel.org \
--cc=mstunes@vmware.com \
--cc=nivedita@alum.mit.edu \
--cc=peterz@infradead.org \
--cc=rientjes@google.com \
--cc=thomas.lendacky@amd.com \
--cc=virtualization@lists.linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.