linux-coco.lists.linux.dev archive mirror
From: "Jörg Rödel" <jroedel@suse.de>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: linux-coco@lists.linux.dev, amd-sev-snp@lists.suse.com
Subject: Re: SVSM initiated early attestation / guest secrets injection
Date: Fri, 13 Jan 2023 18:22:38 +0100
Message-ID: <Y8GTXpfqlOe53cEr@suse.de>
In-Reply-To: <Y8AbnM0cnKfXXW23@redhat.com>

Hi Daniel,

On Thu, Jan 12, 2023 at 02:39:24PM +0000, Daniel P. Berrangé wrote:
>  4. SVSM requests an attestation report from SEV-SNP firmware, embedding a
>     hash of the attestation server public key and its own public key.
> 
>  5. SVSM transmits the attestation report and the two public keys on the ISA
>     serial port

This basically emulates the secret injection mechanism that was
implemented for SEV and SEV-ES by the firmware, right?

I see a problem here which allows a potential host owner to steal
the secrets from the attestation server. Maybe I am wrong, but I think
the following is possible with the above sequence:

	1. Host owner sets up a CVM like the guest owner would do, with
	   the same SVSM and Firmware binaries, same initial state and
	   so on, so that the initial measurement is the same as if the
	   VM was set up by the guest owner.

	2. Host owner attaches a different disk image with malicious
	   content, e.g. a boot loader that sends the secrets to the host
	   owner.

	3. SVSM and attestation server have no way of detecting this,
	   because the disk image is not part of the initial measurement
	   from the SNP firmware. So the above sequence would complete and
	   SVSM gets the secrets from the attestation server.

	4. The malicious software loaded from the disk image gets access
	   to the secrets and sends them to the host owner.

	5. Host owner can use the guest owner's secrets to steal data
	   from the encrypted disk image the guest owner provided.

To prevent this it is necessary that the measurement sent to the
attestation server includes all software and data which is
executed/loaded from unencrypted storage. For example, in a common boot
flow it needs to include the Grub binary and Grub configuration.

But these parts are not included in the initial measurement that the
SVSM gets from the SNP firmware.

Regards,

	Joerg
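
The measurement gap raised in this message, modelled as an added Python example (not code from the thread or from any SVSM implementation): a release check that compares only the launch measurement accepts a VM with a substituted disk, while one that also compares a hash-extended digest of the boot components refuses it. The byte strings, function names and the way the boot-chain digest reaches the server are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins for real binaries; nothing here parses an SNP report.
SVSM, FIRMWARE = b"svsm-binary", b"firmware-binary"
GRUB, GRUB_CFG = b"grub-binary", b"grub.cfg contents"
OTHER_LOADER = b"boot loader from a substituted disk image"

def launch_measurement(svsm: bytes, firmware: bytes) -> bytes:
    """Models the initial measurement: covers only the state present at launch."""
    h = hashlib.sha384()
    for part in (svsm, firmware):
        h.update(len(part).to_bytes(8, "little") + part)
    return h.digest()

def boot_chain(components) -> bytes:
    """Hash-extend each item loaded from unencrypted storage, in load order."""
    acc = bytes(48)
    for item in components:
        acc = hashlib.sha384(acc + hashlib.sha384(item).digest()).digest()
    return acc

def evidence(svsm, firmware, loaded_from_disk) -> dict:
    # Assumption: the SVSM measures each component before running it and the
    # digest reaches the server bound to the signed report.
    return {"launch": launch_measurement(svsm, firmware),
            "boot": boot_chain(loaded_from_disk)}

def release_secret(got: dict, expected: dict, check_boot_chain: bool) -> bool:
    """Server-side decision: release secrets only if every checked digest matches."""
    ok = hmac.compare_digest(got["launch"], expected["launch"])
    if check_boot_chain:
        ok = ok and hmac.compare_digest(got["boot"], expected["boot"])
    return ok

EXPECTED = evidence(SVSM, FIRMWARE, [GRUB, GRUB_CFG])
GUEST_OWNER_VM = evidence(SVSM, FIRMWARE, [GRUB, GRUB_CFG])
SUBSTITUTED_DISK_VM = evidence(SVSM, FIRMWARE, [OTHER_LOADER, GRUB_CFG])

if __name__ == "__main__":
    for name, ev in (("guest owner VM", GUEST_OWNER_VM),
                     ("substituted disk", SUBSTITUTED_DISK_VM)):
        print(name,
              "| launch only:", release_secret(ev, EXPECTED, False),
              "| launch + boot chain:", release_secret(ev, EXPECTED, True))
```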
