From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:53319)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1bkAaX-0001T6-Q1
	for qemu-devel@nongnu.org; Wed, 14 Sep 2016 09:51:01 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1bkAaT-0000pi-RU
	for qemu-devel@nongnu.org; Wed, 14 Sep 2016 09:50:57 -0400
Received: from mx1.redhat.com ([209.132.183.28]:44492)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mst@redhat.com>) id 1bkAaT-0000op-JP
	for qemu-devel@nongnu.org; Wed, 14 Sep 2016 09:50:53 -0400
Date: Wed, 14 Sep 2016 16:50:51 +0300
From: "Michael S. Tsirkin" <mst@redhat.com>
Message-ID: <20160914164859-mutt-send-email-mst@kernel.org>
References: <147377800565.11859.4411044563640180545.stgit@brijesh-build-machine>
	<147377810767.11859.4668503556528840901.stgit@brijesh-build-machine>
	<20160914052034-mutt-send-email-mst@kernel.org>
	<4f4370ee-bc29-3427-7e6e-a18d50c27ffc@redhat.com>
	<20160914155913-mutt-send-email-mst@kernel.org>
	<0fd3cbb9-9e46-9373-e989-acb45b56e8a9@redhat.com>
	<20160914132314.GR28399@redhat.com>
	<20160914163045-mutt-send-email-mst@kernel.org>
	<20160914133749.GT28399@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20160914133749.GT28399@redhat.com>
Subject: Re: [Qemu-devel] [RFC PATCH v1 10/22] sev: add SEV debug decrypt
 command
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>, Brijesh Singh <brijesh.singh@amd.com>, ehabkost@redhat.com, crosthwaite.peter@gmail.com, p.fedin@samsung.com, qemu-devel@nongnu.org, armbru@redhat.com, lcapitulino@redhat.com, rth@twiddle.net

On Wed, Sep 14, 2016 at 02:37:49PM +0100, Daniel P. Berrange wrote:
> On Wed, Sep 14, 2016 at 04:32:44PM +0300, Michael S. Tsirkin wrote:
> > On Wed, Sep 14, 2016 at 02:23:14PM +0100, Daniel P. Berrange wrote:
> > > On Wed, Sep 14, 2016 at 03:07:58PM +0200, Paolo Bonzini wrote:
> > > > 
> > > > 
> > > > On 14/09/2016 15:05, Michael S. Tsirkin wrote:
> > > > > I assumed that with debug on, memory is still encrypted but the
> > > > > hypervisor can break encryption, and as the cover letter states, the
> > > > > hypervisor is assumed benign. If true I don't see a need to
> > > > > give users more rope.
> > > > 
> > > > The hypervisor is assumed benign but vulnerable.
> > > > 
> > > > So, if somebody breaks the hypervisor, you would like to make it as hard
> > > > as possible for the attacker to do evil stuff to the guests.  If the
> > > > attacker can just ask the secure processor "decrypt some memory for me",
> > > > then the encryption is effectively broken.
> > > 
> > > So there's going to be a tradeoff here between use of SEV and use of
> > > certain other features. eg, it seems that if you're using SEV, then
> > > any concept of creating & analysing guest core dumps from the host
> > > is out.
> > 
> > I don't see why - as long as we don't trigger dumps, there's no leak :)
> 
> If the facility to trigger dumps is available, then the memory
> encryption feature of SEV is as useful as a chocolate teapot,
> as the would be attacker can simply trigger a dump

If attacker can trigger things, IOW execute code in hypervisor,
then encrypting memory is not useful anyway.

> bypassing
> any kind of SEV protection to get unencrypted memory. So if
> SEV is to provide any kind of useful security protection, there
> must be no way for a host admin to initiate core dumps of the
> guest, without first having some kind of explicit guest admin
> action to enable it.

As stated it protects against passive adversaries with read-only
access to hypervisor memory. I don't see how dump ability breaks that.


> > > It seems that SEV on its own is insufficient - there is at least some
> > > interaction with storage. eg merely running a guest with SEV is not
> > > going to guarantee security if the guest OS is able to swap out to a
> > > non-encrypted disk. You could run LUKS inside the guest but that has
> > > a number of downsides. How to provide the decryption key for LUKS
> > > at startup without guest admin interaction. Then there is the issue
> > > that if you take snapshots of the guest disk in the host, this is
> > > weakening the security of LUKS, since you're keeping around copies
> > > of the same logical guest sector with different contents which
> > > allows for improve crytoanalysis. These are reasons for using LUKS
> > > on the host instead of in the guest, but then the decryption kjeys
> > > for LUKS are in the QEMU process in memory which is (IIUC) not going
> > > to be protected by SEV ?  Unles there's a way for QEMU to do allocations
> > > which are SEV protected for its own purposes ?
> 
> Regards,
> Daniel
> -- 
> |: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org              -o-             http://virt-manager.org :|
> |: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|