From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:37979) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bkEit-0003wN-QE for qemu-devel@nongnu.org; Wed, 14 Sep 2016 14:15:52 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bkEio-0006UU-OQ for qemu-devel@nongnu.org; Wed, 14 Sep 2016 14:15:50 -0400 Received: from mx1.redhat.com ([209.132.183.28]:41868) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bkEio-0006UM-I1 for qemu-devel@nongnu.org; Wed, 14 Sep 2016 14:15:46 -0400 Date: Wed, 14 Sep 2016 21:15:43 +0300 From: "Michael S. Tsirkin" Message-ID: <20160914200533-mutt-send-email-mst@kernel.org> References: <147377800565.11859.4411044563640180545.stgit@brijesh-build-machine> <147377810767.11859.4668503556528840901.stgit@brijesh-build-machine> <20160914052034-mutt-send-email-mst@kernel.org> <4bf6d983-3ecf-9350-3791-74022c06aa51@amd.com> <20160914163827-mutt-send-email-mst@kernel.org> <7a50db8e-2a3e-d7e2-6742-fcb88f8368ab@redhat.com> <20160914150213.krwad4qk3ktz5qnh@redhat.com> <6a123514-3748-eba6-e562-20183b934425@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <6a123514-3748-eba6-e562-20183b934425@redhat.com> Subject: Re: [Qemu-devel] [RFC PATCH v1 10/22] sev: add SEV debug decrypt command List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Paolo Bonzini Cc: Brijesh Singh , ehabkost@redhat.com, crosthwaite.peter@gmail.com, armbru@redhat.com, p.fedin@samsung.com, qemu-devel@nongnu.org, lcapitulino@redhat.com, rth@twiddle.net On Wed, Sep 14, 2016 at 06:53:22PM +0200, Paolo Bonzini wrote: > > > On 14/09/2016 17:02, Michael S. Tsirkin wrote: > > If you believe there are attackers that have access to the > > monitor and nothing else, then a feature to disable debugging > > is a generally useful one. But once we merge sev patchset then of course > > sev people disappear and it will be up to others to make it > > work on non-amd CPUs. > > > > Another is to help merge other parts faster. E.g. looking at what > > Daniel writes, the feature might have been over-sold so people will > > disable debugging thinking this will prevent all active attacks. Thus we > > now need to add good documentation so people know what they can actually > > expect to get from QEMU in return for disabling debugging. Why not merge > > the simple "encrypt memory part" while this documentation work is going > > on? > > Encrypting memory makes no sense if anyone can ask to decrypt it. It's not useless since the attack model here is a passive adversary that can not ask anything. > And > I'm not even sure how force-enabling debug r/w, which is literally a > single bit set in the feature register, would make the patchset simpler. It will make the *interface* simpler. > If anything, as I said already, it would make the patchset simpler to > force-*disable* it, since you don't need to introduce debug hooks that > go through the secure processor. > > Paolo My suggestion is to add a processor independent hook that disables debugging. Arguably this improves security in case attacker only has access to the monitor. -- MST