[PATCH -v3 10/11] virt/coco/sev-guest: Double-buffer messages

linux-coco.lists.linux.dev archive mirror
 help / color / mirror / Atom feed

From: Borislav Petkov <bp@alien8.de>
To: LKML <linux-kernel@vger.kernel.org>
Cc: Dionna Glaze <dionnaglaze@google.com>,
	Joerg Roedel <jroedel@suse.de>,
	Michael Roth <michael.roth@amd.com>,
	Nikunj A Dadhania <nikunj@amd.com>,
	Peter Gonda <pgonda@google.com>,
	Tom Lendacky <Thomas.Lendacky@amd.com>,
	linux-coco@lists.linux.dev, x86@kernel.org
Subject: [PATCH -v3 10/11] virt/coco/sev-guest: Double-buffer messages
Date: Tue,  7 Mar 2023 20:24:48 +0100	[thread overview]
Message-ID: <20230307192449.24732-11-bp@alien8.de> (raw)
In-Reply-To: <20230307192449.24732-1-bp@alien8.de>

From: Dionna Glaze <dionnaglaze@google.com>

The encryption algorithms read and write directly to shared unencrypted
memory, which may leak information as well as permit the host to tamper
with the message integrity. Instead, copy whole messages in or out as
needed before doing any computation on them.

Fixes: d5af44dde546 ("x86/sev: Provide support for SNP guest request NAEs")
Signed-off-by: Dionna Glaze <dionnaglaze@google.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/r/20230214164638.1189804-3-dionnaglaze@google.com
---
 drivers/virt/coco/sev-guest/sev-guest.c | 27 +++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/drivers/virt/coco/sev-guest/sev-guest.c b/drivers/virt/coco/sev-guest/sev-guest.c
index 46f1a8d558b0..0c7b47acba2a 100644
--- a/drivers/virt/coco/sev-guest/sev-guest.c
+++ b/drivers/virt/coco/sev-guest/sev-guest.c
@@ -46,7 +46,15 @@ struct snp_guest_dev {
 
 	void *certs_data;
 	struct snp_guest_crypto *crypto;
+	/* request and response are in unencrypted memory */
 	struct snp_guest_msg *request, *response;
+
+	/*
+	 * Avoid information leakage by double-buffering shared messages
+	 * in fields that are in regular encrypted memory.
+	 */
+	struct snp_guest_msg secret_request, secret_response;
+
 	struct snp_secrets_page_layout *layout;
 	struct snp_req_data input;
 	u32 *os_area_msg_seqno;
@@ -266,14 +274,17 @@ static int dec_payload(struct snp_guest_dev *snp_dev, struct snp_guest_msg *msg,
 static int verify_and_dec_payload(struct snp_guest_dev *snp_dev, void *payload, u32 sz)
 {
 	struct snp_guest_crypto *crypto = snp_dev->crypto;
-	struct snp_guest_msg *resp = snp_dev->response;
-	struct snp_guest_msg *req = snp_dev->request;
+	struct snp_guest_msg *resp = &snp_dev->secret_response;
+	struct snp_guest_msg *req = &snp_dev->secret_request;
 	struct snp_guest_msg_hdr *req_hdr = &req->hdr;
 	struct snp_guest_msg_hdr *resp_hdr = &resp->hdr;
 
 	dev_dbg(snp_dev->dev, "response [seqno %lld type %d version %d sz %d]\n",
 		resp_hdr->msg_seqno, resp_hdr->msg_type, resp_hdr->msg_version, resp_hdr->msg_sz);
 
+	/* Copy response from shared memory to encrypted memory. */
+	memcpy(resp, snp_dev->response, sizeof(*resp));
+
 	/* Verify that the sequence counter is incremented by 1 */
 	if (unlikely(resp_hdr->msg_seqno != (req_hdr->msg_seqno + 1)))
 		return -EBADMSG;
@@ -297,7 +308,7 @@ static int verify_and_dec_payload(struct snp_guest_dev *snp_dev, void *payload,
 static int enc_payload(struct snp_guest_dev *snp_dev, u64 seqno, int version, u8 type,
 			void *payload, size_t sz)
 {
-	struct snp_guest_msg *req = snp_dev->request;
+	struct snp_guest_msg *req = &snp_dev->secret_request;
 	struct snp_guest_msg_hdr *hdr = &req->hdr;
 
 	memset(req, 0, sizeof(*req));
@@ -417,13 +428,21 @@ static int handle_guest_request(struct snp_guest_dev *snp_dev, u64 exit_code, in
 	if (!seqno)
 		return -EIO;
 
+	/* Clear shared memory's response for the host to populate. */
 	memset(snp_dev->response, 0, sizeof(struct snp_guest_msg));
 
-	/* Encrypt the userspace provided payload */
+	/* Encrypt the userspace provided payload in snp_dev->secret_request. */
 	rc = enc_payload(snp_dev, seqno, msg_ver, type, req_buf, req_sz);
 	if (rc)
 		return rc;
 
+	/*
+	 * Write the fully encrypted request to the shared unencrypted
+	 * request page.
+	 */
+	memcpy(snp_dev->request, &snp_dev->secret_request,
+	       sizeof(snp_dev->secret_request));
+
 	rc = __handle_guest_request(snp_dev, exit_code, fw_err);
 	if (rc) {
 		if (rc == -EIO && *fw_err == SNP_GUEST_REQ_INVALID_LEN)
-- 
2.35.1

next prev parent reply	other threads:[~2023-03-07 19:25 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-03-07 19:24 [PATCH -v3 00/11] SEV: Cleanup sev-guest a bit and add throttling Borislav Petkov
2023-03-07 19:24 ` [PATCH -v3 01/11] crypto: ccp - Name -1 return value as SEV_RET_NO_FW_CALL Borislav Petkov
2023-03-07 19:24 ` [PATCH -v3 02/11] virt/coco/sev-guest: Check SEV_SNP attribute at probe time Borislav Petkov
2023-03-07 19:24 ` [PATCH -v3 03/11] virt/coco/sev-guest: Simplify extended guest request handling Borislav Petkov
2023-03-07 19:24 ` [PATCH -v3 04/11] virt/coco/sev-guest: Remove the disable_vmpck label in handle_guest_request() Borislav Petkov
2023-03-07 19:24 ` [PATCH -v3 05/11] virt/coco/sev-guest: Carve out the request issuing logic into a helper Borislav Petkov
2023-03-07 19:24 ` [PATCH -v3 06/11] virt/coco/sev-guest: Do some code style cleanups Borislav Petkov
2023-03-07 19:24 ` [PATCH -v3 07/11] virt/coco/sev-guest: Convert the sw_exit_info_2 checking to a switch-case Borislav Petkov
2023-03-07 19:24 ` [PATCH -v3 08/11] crypto: ccp: Get rid of __sev_platform_init_locked()'s local function pointer Borislav Petkov
2023-03-07 19:24 ` [PATCH -v3 09/11] virt/coco/sev-guest: Add throttling awareness Borislav Petkov
2023-03-07 20:27   ` Dionna Amalie Glaze
2023-03-07 19:24 ` Borislav Petkov [this message]
2023-03-07 19:24 ` [PATCH -v3 11/11] x86/sev: Change snp_guest_issue_request()'s fw_err argument Borislav Petkov
2023-03-08 20:33 ` [PATCH -v3 00/11] SEV: Cleanup sev-guest a bit and add throttling Tom Lendacky
2023-03-09 12:12   ` Borislav Petkov

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:46f1a8d558b dfblob:0c7b47acba2 )
 OR (
bs:"[PATCH -v3 10/11] virt/coco/sev-guest: Double-buffer messages" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230307192449.24732-11-bp@alien8.de \
    --to=bp@alien8.de \
    --cc=Thomas.Lendacky@amd.com \
    --cc=dionnaglaze@google.com \
    --cc=jroedel@suse.de \
    --cc=linux-coco@lists.linux.dev \
    --cc=linux-kernel@vger.kernel.org \
    --cc=michael.roth@amd.com \
    --cc=nikunj@amd.com \
    --cc=pgonda@google.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).