From: Dov Murik <dovmurik@linux.ibm.com>
To: qemu-devel@nongnu.org
Cc: "Tom Lendacky" <thomas.lendacky@amd.com>,
"Daniel P. Berrangé" <berrange@redhat.com>,
"Brijesh Singh" <brijesh.singh@amd.com>,
"Eduardo Habkost" <ehabkost@redhat.com>,
"Ashish Kalra" <ashish.kalra@amd.com>,
"Eric Blake" <eblake@redhat.com>,
"James Bottomley" <jejb@linux.ibm.com>,
"Marcelo Tosatti" <mtosatti@redhat.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
"Markus Armbruster" <armbru@redhat.com>,
"Dov Murik" <dovmurik@linux.ibm.com>,
"Tobin Feldman-Fitzthum" <tobin@linux.ibm.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@redhat.com>
Subject: [PATCH v2 4/6] target/i386/sev: Fail when invalid hashes table area detected
Date: Mon, 8 Nov 2021 13:48:38 +0000 [thread overview]
Message-ID: <20211108134840.2757206-5-dovmurik@linux.ibm.com> (raw)
In-Reply-To: <20211108134840.2757206-1-dovmurik@linux.ibm.com>
Commit cff03145ed3c ("sev/i386: Introduce sev_add_kernel_loader_hashes
for measured linux boot", 2021-09-30) introduced measured direct boot
with -kernel, using an OVMF-designated hashes table which QEMU fills.
However, no checks are performed on the validity of the hashes area
designated by OVMF. Specifically, if OVMF publishes the
SEV_HASH_TABLE_RV_GUID entry but it is filled with zeroes, this will
cause QEMU to write the hashes entries over the first page of the
guest's memory (GPA 0).
Add validity checks to the published area. If the hashes table area's
base address is zero, or its size is too small to fit the aligned hashes
table, display an error and stop the guest launch. In such case, the
following error will be displayed:
qemu-system-x86_64: SEV: guest firmware hashes table area is invalid (base=0x0 size=0x0)
Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
Reported-by: Brijesh Singh <brijesh.singh@amd.com>
---
target/i386/sev.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/target/i386/sev.c b/target/i386/sev.c
index c71d23654f..2588bd623f 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -1221,7 +1221,7 @@ bool sev_add_kernel_loader_hashes(SevKernelLoaderContext *ctx, Error **errp)
uint8_t kernel_hash[HASH_SIZE];
uint8_t *hashp;
size_t hash_len = HASH_SIZE;
- int aligned_len;
+ int aligned_len = ROUND_UP(sizeof(SevHashTable), 16);
/*
* Only add the kernel hashes if the sev-guest configuration explicitly
@@ -1237,6 +1237,11 @@ bool sev_add_kernel_loader_hashes(SevKernelLoaderContext *ctx, Error **errp)
return false;
}
area = (SevHashTableDescriptor *)data;
+ if (!area->base || area->size < aligned_len) {
+ error_setg(errp, "SEV: guest firmware hashes table area is invalid "
+ "(base=0x%x size=0x%x)", area->base, area->size);
+ return false;
+ }
/*
* Calculate hash of kernel command-line with the terminating null byte. If
@@ -1295,7 +1300,6 @@ bool sev_add_kernel_loader_hashes(SevKernelLoaderContext *ctx, Error **errp)
memcpy(ht->kernel.hash, kernel_hash, sizeof(ht->kernel.hash));
/* When calling sev_encrypt_flash, the length has to be 16 byte aligned */
- aligned_len = ROUND_UP(ht->len, 16);
if (aligned_len != ht->len) {
/* zero the excess data so the measurement can be reliably calculated */
memset(ht->padding, 0, aligned_len - ht->len);
--
2.25.1
next prev parent reply other threads:[~2021-11-08 13:51 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-08 13:48 [PATCH v2 0/6] SEV: add kernel-hashes=on for measured -kernel launch Dov Murik
2021-11-08 13:48 ` [PATCH v2 1/6] qapi/qom, target/i386: sev-guest: Introduce kernel-hashes=on|off option Dov Murik
2021-11-08 15:51 ` [PATCH v2 1/6] qapi/qom,target/i386: " Markus Armbruster
2021-11-08 18:20 ` Dov Murik
2021-11-11 9:26 ` Daniel P. Berrangé
2021-11-11 9:38 ` Dov Murik
2021-11-11 9:27 ` Daniel P. Berrangé
2021-11-08 13:48 ` [PATCH v2 2/6] target/i386/sev: Add kernel hashes only if sev-guest.kernel-hashes=on Dov Murik
2021-11-11 9:28 ` Daniel P. Berrangé
2021-11-08 13:48 ` [PATCH v2 3/6] target/i386/sev: Rephrase error message when no hashes table in guest firmware Dov Murik
2021-11-08 13:53 ` Daniel P. Berrangé
2021-11-08 14:51 ` Dov Murik
2021-11-08 13:48 ` Dov Murik [this message]
2021-11-11 9:29 ` [PATCH v2 4/6] target/i386/sev: Fail when invalid hashes table area detected Daniel P. Berrangé
2021-11-08 13:48 ` [PATCH v2 5/6] target/i386/sev: Perform padding calculations at compile-time Dov Murik
2021-11-11 9:30 ` Daniel P. Berrangé
2021-11-08 13:48 ` [PATCH v2 6/6] target/i386/sev: Replace qemu_map_ram_ptr with address_space_map Dov Murik
2021-11-11 9:32 ` Daniel P. Berrangé
2021-11-10 20:18 ` [PATCH v2 0/6] SEV: add kernel-hashes=on for measured -kernel launch Brijesh Singh
2021-11-11 9:39 ` Daniel P. Berrangé
2021-11-11 10:04 ` Dov Murik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211108134840.2757206-5-dovmurik@linux.ibm.com \
--to=dovmurik@linux.ibm.com \
--cc=armbru@redhat.com \
--cc=ashish.kalra@amd.com \
--cc=berrange@redhat.com \
--cc=brijesh.singh@amd.com \
--cc=dgilbert@redhat.com \
--cc=eblake@redhat.com \
--cc=ehabkost@redhat.com \
--cc=jejb@linux.ibm.com \
--cc=kraxel@redhat.com \
--cc=mtosatti@redhat.com \
--cc=pbonzini@redhat.com \
--cc=philmd@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=thomas.lendacky@amd.com \
--cc=tobin@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).