From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:32893)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pbonzini@redhat.com>) id 1bkGKH-0005hb-Lm
	for qemu-devel@nongnu.org; Wed, 14 Sep 2016 15:58:34 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <pbonzini@redhat.com>) id 1bkGKF-0002Zn-UY
	for qemu-devel@nongnu.org; Wed, 14 Sep 2016 15:58:32 -0400
Received: from mx1.redhat.com ([209.132.183.28]:47288)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pbonzini@redhat.com>) id 1bkGKF-0002Zj-Op
	for qemu-devel@nongnu.org; Wed, 14 Sep 2016 15:58:31 -0400
References: <147377800565.11859.4411044563640180545.stgit@brijesh-build-machine>
	<147377810767.11859.4668503556528840901.stgit@brijesh-build-machine>
	<20160914052034-mutt-send-email-mst@kernel.org>
	<4bf6d983-3ecf-9350-3791-74022c06aa51@amd.com>
	<20160914163827-mutt-send-email-mst@kernel.org>
	<7a50db8e-2a3e-d7e2-6742-fcb88f8368ab@redhat.com>
	<20160914150213.krwad4qk3ktz5qnh@redhat.com>
	<6a123514-3748-eba6-e562-20183b934425@redhat.com>
	<20160914200533-mutt-send-email-mst@kernel.org>
	<5debb3c6-269b-dc76-fc81-1dd6124d2ae7@redhat.com>
	<20160914221147-mutt-send-email-mst@kernel.org>
From: Paolo Bonzini <pbonzini@redhat.com>
Message-ID: <2a08aa96-8b4b-19a4-e902-54d25f54d268@redhat.com>
Date: Wed, 14 Sep 2016 21:58:25 +0200
MIME-Version: 1.0
In-Reply-To: <20160914221147-mutt-send-email-mst@kernel.org>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [RFC PATCH v1 10/22] sev: add SEV debug decrypt
 command
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>, ehabkost@redhat.com, crosthwaite.peter@gmail.com, armbru@redhat.com, p.fedin@samsung.com, qemu-devel@nongnu.org, lcapitulino@redhat.com, rth@twiddle.net



On 14/09/2016 21:24, Michael S. Tsirkin wrote:
> Well limited protection is of a limited use :) Seriously, the point of
> mitigation should be blocking classes of vulenrabilities not making
> things more complex.

No, not at all.  The point of _mitigation_ is to _mitigate_ the danger
from classes of vulnerabilities, i.e. make the attack harder though
perhaps not ultimately impossible.

>> If the adversary is passive and cannot ask anything is it even an
>> adversary?  Why do you need encryption at all if you can't even ptrace QEMU?
> 
> The cover letter mentioned a read everything adversary.
> How do you read everything? Well, you probably don't but
> there could be attacks that cause kernel to leak
> contents of random memory to an attacker.

Ok, it doesn't seem too useful.

> On the software side, we should try to
> push for enabling features independently, this way more
> hardware can benefit.

We can have an "unencrypted" sev-policy that only has limited
functionality such as disabling debug.  So you could disable debug with

 -object sev-policy-unencrypted,debug=false,id=mypolicy \
 -machine ...,sev-policy=mypolicy

Paolo