From: Dan Williams <dan.j.williams@intel.com>
To: Peter Gonda <pgonda@google.com>, Dan Williams <dan.j.williams@intel.com>
Cc: <dhowells@redhat.com>, Borislav Petkov <bp@alien8.de>,
Tom Lendacky <thomas.lendacky@amd.com>,
Dionna Glaze <dionnaglaze@google.com>,
"Brijesh Singh" <brijesh.singh@amd.com>, <peterz@infradead.org>,
<linux-coco@lists.linux.dev>, <keyrings@vger.kernel.org>,
<x86@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 4/4] virt: sevguest: Add TSM key support for SNP_{GET, GET_EXT}_REPORT
Date: Mon, 31 Jul 2023 11:05:17 -0700 [thread overview]
Message-ID: <64c7f7ddd777c_51ad029436@dwillia2-xfh.jf.intel.com.notmuch> (raw)
In-Reply-To: <CAMkAt6r=r_utT6sd_LD-2rO-GpH4zd1D04p04P8WF51BKX-JMg@mail.gmail.com>
Peter Gonda wrote:
> On Fri, Jul 28, 2023 at 1:31 PM Dan Williams <dan.j.williams@intel.com> wrote:
> >
> > The sevguest driver was a first mover in the confidential computing
> > space. As a first mover that afforded some leeway to build the driver
> > without concern for common infrastructure.
> >
> > Now that sevguest is no longer a singleton [1] the common operation of
> > building and transmitting attestation report blobs can / should be made
> > common. In this model the so called "TSM-provider" implementations can
> > share a common envelope ABI even if the contents of that envelope remain
> > vendor-specific. When / if the industry agrees on an attestation record
> > format, that definition can also fit in the same ABI. In the meantime
> > the kernel's maintenance burden is reduced and collaboration on the
> > commons is increased.
> >
> > Convert sevguest to use TSM keys to retrieve the blobs that the
> > SNP_{GET,GET_EXT}_REPORT ioctls produce. The flow for retrieving the
> > SNP_GET_REPORT blob via the keyctl utility would be:
> >
> > dd if=/dev/urandom of=pubkey bs=1 count=64
> > keyctl add tsm tsm_test "auth $(xxd -p -c 0 < pubkey) privlevel=2" @u
> > keyctl print $key_id | awk '{ print $3 }' | xxd -p -c 0 -r | hexdump -C
> >
> > ...while the SNP_GET_EXT_REPORT flow adds the "format=extended" option
> > to the request flow:
> >
> > keyctl add tsm tsm_test "auth $(xxd -p -c 0 < pubkey) privlevel=2 format=extended" @u
> >
> > The output format from 'keyctl print' is:
> >
> > <pubkey blob> <auth blob desc[:format]> <auth blob>
> >
> > ...where the blobs are hex encoded and the descriptor string is either
> > "sev" or "sev:extended" in this case.
> >
> > Note, the Keys subsystem frontend for the functionality that
> > SNP_GET_DERIVED_KEY represents is saved for follow-on work that likely
> > needs to become a new trusted-keys type. The old ioctls can be lazily
> > deprecated, the main motivation of this effort is to stop the
> > proliferation of new ioctls, and to increase cross-vendor colloboration.
>
> collaboration
got it.
>
> >
> > Note, only compile-tested.
> >
> > Link: http://lore.kernel.org/r/64961c3baf8ce_142af829436@dwillia2-xfh.jf.intel.com.notmuch [1]
> > Cc: Borislav Petkov <bp@alien8.de>
> > Cc: Tom Lendacky <thomas.lendacky@amd.com>
> > Cc: Dionna Glaze <dionnaglaze@google.com>
> > Cc: Brijesh Singh <brijesh.singh@amd.com>
> > Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> > ---
> > drivers/virt/coco/sev-guest/Kconfig | 2 +
> > drivers/virt/coco/sev-guest/sev-guest.c | 87 +++++++++++++++++++++++++++++++
> > 2 files changed, 89 insertions(+)
> >
> > diff --git a/drivers/virt/coco/sev-guest/Kconfig b/drivers/virt/coco/sev-guest/Kconfig
> > index da2d7ca531f0..bce43d4639ce 100644
> > --- a/drivers/virt/coco/sev-guest/Kconfig
> > +++ b/drivers/virt/coco/sev-guest/Kconfig
> > @@ -2,9 +2,11 @@ config SEV_GUEST
> > tristate "AMD SEV Guest driver"
> > default m
> > depends on AMD_MEM_ENCRYPT
> > + depends on KEYS
> > select CRYPTO
> > select CRYPTO_AEAD2
> > select CRYPTO_GCM
> > + select TSM_KEYS
> > help
> > SEV-SNP firmware provides the guest a mechanism to communicate with
> > the PSP without risk from a malicious hypervisor who wishes to read,
> > diff --git a/drivers/virt/coco/sev-guest/sev-guest.c b/drivers/virt/coco/sev-guest/sev-guest.c
> > index f48c4764a7a2..2bdca268272d 100644
> > --- a/drivers/virt/coco/sev-guest/sev-guest.c
> > +++ b/drivers/virt/coco/sev-guest/sev-guest.c
> > @@ -21,6 +21,7 @@
> > #include <linux/psp-sev.h>
> > #include <uapi/linux/sev-guest.h>
> > #include <uapi/linux/psp-sev.h>
> > +#include <keys/tsm.h>
> >
> > #include <asm/svm.h>
> > #include <asm/sev.h>
> > @@ -769,6 +770,84 @@ static u8 *get_vmpck(int id, struct snp_secrets_page_layout *layout, u32 **seqno
> > return key;
> > }
> >
> > +static int sev_auth_new(struct tsm_key_payload *t, void *provider_data)
> > +{
> > + struct snp_guest_dev *snp_dev = provider_data;
> > + const int report_size = SZ_16K;
> > + const int ext_size =
> > + PAGE_ALIGN_DOWN(TSM_DATA_MAX - report_size - sizeof(*t));
> > + int ret;
> > +
> > + if (t->pubkey_len != 64)
> > + return -EINVAL;
>
> Magic number?
>
> We only support asymmetric keys with public keys exactly equal to 64
> bytes? Is that only p256? SNP uses p384 can we atleast allow that
> curve too? But why not let userspace what key type they want to use?
The kernel has no control here. See Table 20 MSG_REPORT_REQ Message
Structure (https://www.amd.com/system/files/TechDocs/56860.pdf)
...only 64-byte payloads are accepted. I assume one could specify less
than 64-bytes and zero-fill the rest, but that's a contract between the
requester and the attester.
>
> > +
> > + if (t->auth_blob_format[0] &&
> > + strcmp(t->auth_blob_format, "extended") != 0)
> > + return -EINVAL;
> > +
> > + if (t->auth_blob_format[0]) {
> > + u8 *buf __free(kvfree) =
> > + kvzalloc(report_size + ext_size, GFP_KERNEL);
> > +
> > + struct snp_ext_report_req req = {
> > + .data = { .vmpl = t->privlevel },
> > + .certs_address = (__u64)buf + report_size,
> > + .certs_len = ext_size,
> > + };
> > + memcpy(&req.data.user_data, t->pubkey, 64);
>
> Again without any freshness from the remote party, of what use is this
> attestation report?
This interface is just marshaling the same data that could be retrieved
via SNP_GET_REPORT ioctl on the sevguest chardev today. So I would point
you back to vendor documentation for how this report is used. See "VM
Launch and Attestation" here:
https://www.amd.com/system/files/TechDocs/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf
I am just here to stanch the proliferation of new chardevs and new
ioctls for this TSM-common operation. This effort was started when TDX
patches showed up to take a 64-byte input payload and wrap it in a
attestation report with its own chardev and ioctls.
>
> > +
> > + struct snp_guest_request_ioctl input = {
> > + .msg_version = 1,
> > + .req_data = (__u64) &req,
> > + .resp_data = (__u64) buf,
> > + };
> > +
> > + ret = get_ext_report(snp_dev, &input, SNP_KARG);
> > + if (ret)
> > + return ret;
> > +
> > + no_free_ptr(buf);
> > + t->auth_blob = buf;
> > + t->auth_blob_len = report_size + ext_size;
> > + t->auth_blob_desc = "sev";
> > + } else {
> > + u8 *buf __free(kvfree) = kvzalloc(report_size, GFP_KERNEL);
> > +
> > + struct snp_report_req req = {
> > + .vmpl = t->privlevel,
> > + };
> > + memcpy(&req.user_data, t->pubkey, 64);
> > +
> > + struct snp_guest_request_ioctl input = {
> > + .msg_version = 1,
> > + .req_data = (__u64) &req,
> > + .resp_data = (__u64) buf,
> > + };
> > +
> > + ret = get_report(snp_dev, &input, SNP_KARG);
> > + if (ret)
> > + return ret;
> > +
> > + no_free_ptr(buf);
> > + t->auth_blob = buf;
> > + t->auth_blob_len = report_size;
> > + t->auth_blob_desc = "sev";
> > + }
>
> Can we reduce the code duplication between the branches here?
I'll take a look.
next prev parent reply other threads:[~2023-07-31 18:05 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-28 19:30 [PATCH 0/4] keys: Introduce a keys frontend for attestation reports Dan Williams
2023-07-28 19:30 ` [PATCH 1/4] keys: Introduce tsm keys Dan Williams
2023-07-28 19:40 ` Jarkko Sakkinen
2023-07-31 16:33 ` Peter Gonda
2023-07-31 17:48 ` Dan Williams
2023-07-31 18:14 ` Peter Gonda
2023-07-31 18:41 ` Dan Williams
2023-07-31 19:09 ` Dionna Amalie Glaze
2023-07-31 20:10 ` Dan Williams
2023-08-04 16:34 ` Peter Gonda
2023-08-04 22:24 ` Dan Williams
2023-08-05 5:11 ` Dan Williams
2023-08-01 18:01 ` Jarkko Sakkinen
2023-08-04 2:40 ` Dan Williams
2023-08-04 16:37 ` Dionna Amalie Glaze
2023-08-04 16:46 ` James Bottomley
2023-08-04 17:07 ` Dionna Amalie Glaze
2023-08-04 17:12 ` James Bottomley
2023-07-28 19:31 ` [PATCH 2/4] virt: sevguest: Prep for kernel internal {get, get_ext}_report() Dan Williams
2023-07-28 19:31 ` [PATCH 3/4] mm/slab: Add __free() support for kvfree Dan Williams
2023-07-28 19:31 ` [PATCH 4/4] virt: sevguest: Add TSM key support for SNP_{GET, GET_EXT}_REPORT Dan Williams
2023-07-31 16:45 ` Peter Gonda
2023-07-31 18:05 ` Dan Williams [this message]
2023-07-31 18:28 ` Peter Gonda
2023-07-28 19:34 ` [PATCH 0/4] keys: Introduce a keys frontend for attestation reports Jarkko Sakkinen
2023-07-28 19:44 ` Dan Williams
2023-07-31 10:09 ` Jarkko Sakkinen
2023-07-31 17:33 ` Dan Williams
2023-07-31 22:41 ` Huang, Kai
2023-08-01 18:48 ` Jarkko Sakkinen
2023-07-29 18:17 ` James Bottomley
2023-07-30 4:56 ` Dan Williams
2023-07-30 12:59 ` James Bottomley
2023-07-31 17:24 ` Dan Williams
2023-08-01 11:45 ` Huang, Kai
2023-08-01 12:03 ` James Bottomley
2023-08-01 12:30 ` James Bottomley
2023-08-02 0:10 ` Huang, Kai
2023-08-02 12:41 ` James Bottomley
2023-08-02 23:13 ` Huang, Kai
2023-08-04 3:53 ` Dan Williams
2023-08-04 2:22 ` Dan Williams
2023-08-04 16:19 ` Daniel P. Berrangé
2023-08-04 21:49 ` Huang, Kai
2023-08-05 11:05 ` James Bottomley
2023-08-05 2:37 ` Dan Williams
2023-08-05 13:30 ` James Bottomley
2023-08-07 23:33 ` Dan Williams
2023-08-08 14:19 ` James Bottomley
2023-08-08 14:53 ` Peter Gonda
2023-08-08 14:54 ` Sathyanarayanan Kuppuswamy
2023-08-08 15:48 ` Dan Williams
2023-08-08 16:07 ` Dionna Amalie Glaze
2023-08-08 16:43 ` Dan Williams
2023-08-08 17:21 ` Dionna Amalie Glaze
2023-08-08 18:17 ` Dan Williams
2023-08-08 23:32 ` Huang, Kai
2023-08-09 3:27 ` Dan Williams
2023-08-09 16:14 ` Peter Gonda
2023-08-08 18:16 ` James Bottomley
2023-08-08 18:48 ` Dionna Amalie Glaze
2023-08-08 19:37 ` James Bottomley
2023-08-08 20:04 ` Dionna Amalie Glaze
2023-08-08 21:46 ` James Bottomley
2023-08-08 22:33 ` Dionna Amalie Glaze
2023-08-08 15:14 ` Dan Williams
2023-08-10 14:50 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=64c7f7ddd777c_51ad029436@dwillia2-xfh.jf.intel.com.notmuch \
--to=dan.j.williams@intel.com \
--cc=bp@alien8.de \
--cc=brijesh.singh@amd.com \
--cc=dhowells@redhat.com \
--cc=dionnaglaze@google.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=pgonda@google.com \
--cc=thomas.lendacky@amd.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).