From: Dmytro Maluka <dmy@semihalf.com>
To: Sean Christopherson <seanjc@google.com>
Cc: Carlos Bilbao <carlos.bilbao@amd.com>,
corbet@lwn.net, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org, ardb@kernel.org, kraxel@redhat.com,
dovmurik@linux.ibm.com, elena.reshetova@intel.com,
dave.hansen@linux.intel.com, Dhaval.Giani@amd.com,
michael.day@amd.com, pavankumar.paluri@amd.com,
David.Kaplan@amd.com, Reshma.Lal@amd.com, Jeremy.Powell@amd.com,
sathyanarayanan.kuppuswamy@linux.intel.com,
alexander.shishkin@linux.intel.com, thomas.lendacky@amd.com,
tglx@linutronix.de, dgilbert@redhat.com,
gregkh@linuxfoundation.org, dinechin@redhat.com,
linux-coco@lists.linux.dev, berrange@redhat.com, mst@redhat.com,
tytso@mit.edu, jikos@kernel.org, joro@8bytes.org,
leon@kernel.org, richard.weinberger@gmail.com, lukas@wunner.de,
jejb@linux.ibm.com, cdupontd@redhat.com, jasowang@redhat.com,
sameo@rivosinc.com, bp@alien8.de, security@kernel.org,
Larry Dewey <larry.dewey@amd.com>,
android-kvm@google.com, Dmitry Torokhov <dtor@google.com>,
Allen Webb <allenwebb@google.com>,
Tomasz Nowicki <tn@semihalf.com>,
Grzegorz Jaszczyk <jaz@semihalf.com>,
Patryk Duda <pdk@semihalf.com>
Subject: Re: [PATCH v2] docs: security: Confidential computing intro and threat model for x86 virtualization
Date: Fri, 16 Jun 2023 17:36:23 +0200 [thread overview]
Message-ID: <ae75c890-4389-6aac-8c3d-bc9fd1df1f6b@semihalf.com> (raw)
In-Reply-To: <ZIxvl4sMH6N8TrAL@google.com>
On 6/16/23 16:20, Sean Christopherson wrote:
> On Fri, Jun 16, 2023, Dmytro Maluka wrote:
>> On 6/13/23 19:03, Sean Christopherson wrote:
>>> On Mon, Jun 12, 2023, Carlos Bilbao wrote:
>>>> +well as CoCo technology specific hypercalls, if present. Additionally, the
>>>> +host in a CoCo system typically controls the process of creating a CoCo
>>>> +guest: it has a method to load into a guest the firmware and bootloader
>>>> +images, the kernel image together with the kernel command line. All of this
>>>> +data should also be considered untrusted until its integrity and
>>>> +authenticity is established via attestation.
>>>
>>> Attestation is SNP and TDX specific. AIUI, none of SEV, SEV-ES, or pKVM (which
>>> doesn't even really exist on x86 yet), have attestation of their own, e.g. the
>>> proposed pKVM support would rely on Secure Boot of the original "full" host kernel.
>>
>> Seems to be a bit of misunderstanding here. Secure Boot verifies the
>> host kernel, which is indeed also important, since the pKVM hypervisor
>> is a part of the host kernel image. But when it comes to verifying the
>> guests, it's a different story: a protected pKVM guest is started by the
>> (untrusted) host at an arbitrary moment in time, not before the early
>> kernel deprivileging when the host is still considered trusted.
>> (Moreover, in practice the guest is started by a userspace VMM, i.e. not
>> exactly the most trusted part of the host stack.) So the host can
>> maliciously or mistakenly load a wrong guest image for running as a
>> protected guest, so we do need attestation for protected guests.
>>
>> This attestation is not implemented in pKVM on x86 yet (you are right
>> that pKVM on x86 is little more than a proposal at this point). But in
>> pKVM on ARM it is afaik already working, it is software based (ensured
>> by pKVM hypervisor + a tiny generic guest bootloader which verifies the
>> guest image before jumping to the guest) and architecture-independent,
>> so it should be possible to adopt it for x86 as is.
>
> Sorry, instead of "Attestation is SNP and TDX specific", I should have said, "The
> form of attestation described here is SNP and TDX specific".
>
> pKVM's "attestation", effectively has its root of trust in the pKVM hypervisor,
> which is in turn attested via Secure Boot. I.e. the guest payload is verified
> *before* it is launched.
Got it, fair point. Yep, I think this understanding is fully correct.
> That is different from SNP and TDX where guest code and data is controlled by the
> *untrusted* host. The initial payload is measured by trusted firmware, but it is
> not verified, and so that measurement must be attested after the guest boots,
> before any sensitive data is provisioned to the guest.
>
> Specifically, with "untrusted" inserted by me for clarification, my understanding
> is that this doesn't hold true for pKVM when splitting hairs:
>
> Additionally, the **untrusted** host in a CoCo system typically controls the
> process of creating a CoCo guest: it has a method to load into a guest the
> firmware and bootloader images, the kernel image together with the kernel
> command line. All of this data should also be considered untrusted until its
> integrity and authenticity is established via attestation.
>
> because the guest firmware comes from a trusted entity, not the untrusted host.
next prev parent reply other threads:[~2023-06-16 15:37 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-12 16:47 [PATCH v2] docs: security: Confidential computing intro and threat model for x86 virtualization Carlos Bilbao
2023-06-12 22:43 ` Randy Dunlap
2023-06-14 13:55 ` Carlos Bilbao
2023-06-14 15:06 ` Randy Dunlap
2023-06-13 17:03 ` Sean Christopherson
2023-06-14 7:37 ` Reshetova, Elena
2023-06-14 14:15 ` Sean Christopherson
2023-06-16 12:36 ` Dmytro Maluka
2023-06-16 13:56 ` Sean Christopherson
2023-06-16 14:09 ` Allen Webb
2023-06-16 14:42 ` Sean Christopherson
2023-06-16 15:16 ` Allen Webb
2023-06-17 18:15 ` Dmytro Maluka
2023-06-16 15:31 ` Dmytro Maluka
2023-06-16 18:07 ` Sean Christopherson
2023-06-17 17:43 ` Dmytro Maluka
2023-06-19 11:23 ` Reshetova, Elena
2023-06-19 15:03 ` Dmytro Maluka
2023-06-16 12:24 ` Dmytro Maluka
2023-06-16 14:20 ` Sean Christopherson
2023-06-16 15:36 ` Dmytro Maluka [this message]
2023-06-22 14:32 ` Carlos Bilbao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ae75c890-4389-6aac-8c3d-bc9fd1df1f6b@semihalf.com \
--to=dmy@semihalf.com \
--cc=David.Kaplan@amd.com \
--cc=Dhaval.Giani@amd.com \
--cc=Jeremy.Powell@amd.com \
--cc=Reshma.Lal@amd.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=allenwebb@google.com \
--cc=android-kvm@google.com \
--cc=ardb@kernel.org \
--cc=berrange@redhat.com \
--cc=bp@alien8.de \
--cc=carlos.bilbao@amd.com \
--cc=cdupontd@redhat.com \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=dgilbert@redhat.com \
--cc=dinechin@redhat.com \
--cc=dovmurik@linux.ibm.com \
--cc=dtor@google.com \
--cc=elena.reshetova@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=jasowang@redhat.com \
--cc=jaz@semihalf.com \
--cc=jejb@linux.ibm.com \
--cc=jikos@kernel.org \
--cc=joro@8bytes.org \
--cc=kraxel@redhat.com \
--cc=larry.dewey@amd.com \
--cc=leon@kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lukas@wunner.de \
--cc=michael.day@amd.com \
--cc=mst@redhat.com \
--cc=pavankumar.paluri@amd.com \
--cc=pdk@semihalf.com \
--cc=richard.weinberger@gmail.com \
--cc=sameo@rivosinc.com \
--cc=sathyanarayanan.kuppuswamy@linux.intel.com \
--cc=seanjc@google.com \
--cc=security@kernel.org \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=tn@semihalf.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).