qemu-devel.nongnu.org archive mirror
From: Dov Murik <dovmurik@linux.ibm.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>,
	Ashish Kalra <ashish.kalra@amd.com>,
	Brijesh Singh <brijesh.singh@amd.com>,
	Eduardo Habkost <ehabkost@redhat.com>,
	Dov Murik <dovmurik@linux.ibm.com>,
	Connor Kuehl <ckuehl@redhat.com>,
	Tobin Feldman-Fitzthum <tobin@ibm.com>,
	James Bottomley <jejb@linux.ibm.com>,
	Richard Henderson <richard.henderson@linaro.org>,
	qemu-devel@nongnu.org,
	"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
	Hubertus Franke <frankeh@us.ibm.com>,
	Tobin Feldman-Fitzthum <tobin@linux.ibm.com>,
	Jim Cadden <jcadden@ibm.com>, Paolo Bonzini <pbonzini@redhat.com>,
	Laszlo Ersek <lersek@redhat.com>
Subject: Re: [PATCH] x86: add SEV hashing to fw_cfg for kernel/initrd/cmdline
Date: Sun, 4 Jul 2021 09:16:59 +0300
Message-ID: <0f36d5a0-c063-4ba7-ceca-f09d8f37fb3e@linux.ibm.com>
In-Reply-To: <20210703123406-mutt-send-email-mst@kernel.org>

Hi Michael,

[+cc Connor, Dave]

On 03/07/2021 19:42, Michael S. Tsirkin wrote:
> On Tue, May 25, 2021 at 06:59:31AM +0000, Dov Murik wrote:
>> From: James Bottomley <jejb@linux.ibm.com>
>>
>> If the VM is using memory encryption and also specifies a kernel/initrd
>> or appended command line, calculate the hashes and add them to the
>> encrypted data.  For this to work, OVMF must support an encrypted area
>> to place the data which is advertised via a special GUID in the OVMF
>> reset table (if the GUID doesn't exist, the user isn't allowed to pass
>> in the kernel/initrd/cmdline via the fw_cfg interface).
> 
> Sorry about asking basic questions so late in the game.

No worries. Please notice there's a newer version:

https://lore.kernel.org/qemu-devel/20210624102040.2015280-1-dovmurik@linux.ibm.com/


> I'm a bit curious why this feature makes sense. If someone can play
> with a Linux kernel command line isn't it pretty much game over security
> wise? What protections does Linux have against malicious actors
> manipulating the command line?
> 

You're right -- if the host can modify the kernel command-line it's game over.

This is why this patch (together with the corresponding OVMF patches; still
under review) measures and verifies the content of the kernel blob and
the initrd blob *and* the command-line blob.

Any modification/omission of any of them by the host will make the expected
SEV PSP measurement invalid, which should then indicate to the Guest Owner that
something is wrong with this guest.  At that point the Guest Owner should
refuse to inject secrets into the guest (and also complain to the Cloud
Service Provider).

-Dov
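
Added example, not part of the original message or of the QEMU/OVMF patches: a Guest Owner side check that recomputes the expected launch measurement from reference kernel, initrd and command-line blobs and accepts the guest only on an exact match. The HMAC input follows the LAUNCH_MEASURE formula in AMD's SEV API specification; the hash block and launch digest are simplified models, and every function name and sample value here is an assumption made for illustration.

```python
import hashlib
import hmac
import struct

def hash_block(kernel: bytes, initrd: bytes, cmdline: bytes) -> bytes:
    # Simplified stand-in for the hashes placed in the encrypted area; the real
    # table layout comes from the QEMU/OVMF patches and is not reproduced here.
    return b"".join(hashlib.sha256(b).digest() for b in (cmdline, initrd, kernel))

def launch_digest(firmware: bytes, hashes: bytes) -> bytes:
    # Simplified model of the digest the PSP accumulates over the launched data.
    return hashlib.sha256(firmware + hashes).digest()

def measurement(tik: bytes, digest: bytes, mnonce: bytes, policy: int,
                api_major: int, api_minor: int, build: int) -> bytes:
    # SEV API: HMAC-SHA256(0x04 || API_MAJOR || API_MINOR || BUILD ||
    #                      POLICY || launch digest || MNONCE; TIK)
    msg = struct.pack("<BBBBI", 0x04, api_major, api_minor, build, policy)
    return hmac.new(tik, msg + digest + mnonce, hashlib.sha256).digest()

def psp_measure(tik, mnonce, platform, firmware, kernel, initrd, cmdline) -> bytes:
    # Measurement for a given set of blobs (what was actually launched).
    ld = launch_digest(firmware, hash_block(kernel, initrd, cmdline))
    return measurement(tik, ld, mnonce, **platform)

def guest_owner_accepts(reported, tik, mnonce, platform, firmware,
                        kernel, initrd, cmdline) -> bool:
    # Recompute from the Guest Owner's reference blobs; constant-time compare.
    expected = psp_measure(tik, mnonce, platform, firmware, kernel, initrd, cmdline)
    return hmac.compare_digest(expected, reported)

# Constructed sample values (not taken from the thread).
TIK, MNONCE = bytes(range(16)), bytes(range(16, 32))
PLATFORM = {"policy": 0x01, "api_major": 0, "api_minor": 24, "build": 15}
FW, KERNEL, INITRD = b"OVMF-image", b"vmlinuz-bytes", b"initrd-bytes"
CMDLINE = b"root=/dev/vda1 ro console=ttyS0"
REFERENCE = (FW, KERNEL, INITRD, CMDLINE)

def check(fw, kernel, initrd, cmdline) -> bool:
    # The host launches with the given blobs; the owner verifies against REFERENCE.
    reported = psp_measure(TIK, MNONCE, PLATFORM, fw, kernel, initrd, cmdline)
    return guest_owner_accepts(reported, TIK, MNONCE, PLATFORM, *REFERENCE)

if __name__ == "__main__":
    print("unmodified:", check(*REFERENCE))
    print("cmdline changed:", check(FW, KERNEL, INITRD, CMDLINE + b" debug"))
    print("initrd omitted:", check(FW, KERNEL, b"", CMDLINE))
```

A `False` result is the point at which the Guest Owner withholds its secrets from the guest.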


