| Message ID | 20211101102136.1706421-1-dovmurik@linux.ibm.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | SEV: fixes for -kernel launch with incompatible OVMF | expand |
Hi Dov, Overall the patch looks good, only question I have is that now we are enforce qemu to hash the kernel, initrd and cmdline unconditionally for any of the SEV guest launches. This requires anyone wanting to calculating the expected measurement need to account for it. Should we make the hash page build optional ? I am thinking this more for the SEV-SNP guest. As you may be aware that with SEV-SNP the attestation is performed by the guest, and its possible for the launch flow to pass 512-bits of host_data that gets included in the report. If a user wants to do the hash'e checks for the SNP then they can pass a hash of kernel, initrd and cmdline through a launch_finish.ID_BLOCK.host_data and does not require a special hash page. This it will simplify the expected hash calculation. Adding a special page requires a validation of that page. All the prevalidated page need to be excluded by guest BIOS page validation flow to avoid the double validation. The hash page is populated only when we pass -kernel and it will be tricky to communicate this information to the guest BIOS so that it can skip the validation. Thoughts ? thanks On 11/1/21 5:21 AM, Dov Murik wrote: > Tom Lendacky and Brijesh Singh reported two issues with launching SEV > guests with the -kernel QEMU option when an old [1] or wrongly configured [2] > OVMF images are used. > > The fixes in patches 1 and 2 allow such guests to boot by skipping the > kernel/initrd/cmdline hashes addition to the initial guest memory (and > warning the user). > > Patch 3 is a refactoring of parts of the same function > sev_add_kernel_loader_hashes() to calculate all padding sizes at > compile-time. This patch is not required to fix the issues above, but > is suggested as an improvement (no functional change intended). > > Note that launch measurement security is not harmed by these fixes: a > Guest Owner that wants to use measured Linux boot with -kernel, must use > (and measure) an OVMF image that designates a proper hashes table area, > and that verifies those hashes when loading the binaries from QEMU via > fw_cfg. > > The old OVMFs which don't publish the hashes table GUID or don't reserve > a valid area for it in MEMFD cannot support these hashes verification in > any case (for measured boot with -kernel). > > > [1] https://lore.kernel.org/qemu-devel/3b9d10d9-5d9c-da52-f18c-cd93c1931706@amd.com/ > [2] https://lore.kernel.org/qemu-devel/001dd81a-282d-c307-a657-e228480d4af3@amd.com/ > > Dov Murik (3): > sev/i386: Allow launching with -kernel if no OVMF hashes table found > sev/i386: Warn if using -kernel with invalid OVMF hashes table area > sev/i386: Perform padding calculations at compile-time > > target/i386/sev.c | 34 +++++++++++++++++++++++----------- > 1 file changed, 23 insertions(+), 11 deletions(-) > > > base-commit: af531756d25541a1b3b3d9a14e72e7fedd941a2e
On 02/11/2021 12:52, Brijesh Singh wrote: > Hi Dov, > > Overall the patch looks good, only question I have is that now we are > enforce qemu to hash the kernel, initrd and cmdline unconditionally for > any of the SEV guest launches. This requires anyone wanting to > calculating the expected measurement need to account for it. Should we > make the hash page build optional ? > The problem with adding a -enable-add-kernel-hashes QEMU option (or suboption) is yet another complexity for the user. I'd also argue that adding these hashes can lead to a more secure VM boot process, so it makes sense for it to be the default (and maybe introduce a -allow-insecure-unmeasured-kernel-via-fw-cfg option to prevent the measurement from changing due to addition of hashes?). Maybe, on the other hand, OVMF should "report" whether it supports hashes verification. If it does, it should have the GUID in the table (near the reset vector), like the current OvmfPkg/AmdSev edk2 build. If it doesn't support that, then the entry should not appear at all, and then QEMU won't add the hashes (with patch 1 from this series). This means that in edk2 we need to remove the SEV Hash Table block from the ResetVectorVtf0.asm for OvmfPkg, but include it in the AmdSev build. But the problem with this approach is that it prevents the future unification of AmdSev and OvmfPkg, which is a possibility we discussed (at least with Dave Gilbert), though not sure it's a good/feasible goal. > I am thinking this more for the SEV-SNP guest. As you may be aware that > with SEV-SNP the attestation is performed by the guest, and its possible > for the launch flow to pass 512-bits of host_data that gets included in > the report. If a user wants to do the hash'e checks for the SNP then > they can pass a hash of kernel, initrd and cmdline through a > launch_finish.ID_BLOCK.host_data and does not require a special hash > page. This it will simplify the expected hash calculation. That is a new measured boot "protocol" that we can discuss, and see whether it's better/easier than the existing one at hand that works on SEV and SEV-ES. What I don't understand in your suggestion is who performs a SHA256 of the fw_cfg blobs (kernel/initrd/cmdline) so they can later be verified (though ideally earlier is better). Can you describe the details (step-by-step) of an SNP VM boot with -kernel/-initrd/-append and how the measurement/attestation is performed? > Adding a > special page requires a validation of that page. All the prevalidated > page need to be excluded by guest BIOS page validation flow to avoid the > double validation. The hash page is populated only when we pass -kernel > and it will be tricky to communicate this information to the guest BIOS > so that it can skip the validation. So that again comes back to the earlier question of whether we should always fill the hashes page or only sometimes, and how can OVMF tell. How about: QEMU always prevalidates this page (either fills it with zeros or with the hashes table), and the BIOS always excludes it? -Dov > > Thoughts ? > > thanks > > On 11/1/21 5:21 AM, Dov Murik wrote: >> Tom Lendacky and Brijesh Singh reported two issues with launching SEV >> guests with the -kernel QEMU option when an old [1] or wrongly configured [2] >> OVMF images are used. >> >> The fixes in patches 1 and 2 allow such guests to boot by skipping the >> kernel/initrd/cmdline hashes addition to the initial guest memory (and >> warning the user). >> >> Patch 3 is a refactoring of parts of the same function >> sev_add_kernel_loader_hashes() to calculate all padding sizes at >> compile-time. This patch is not required to fix the issues above, but >> is suggested as an improvement (no functional change intended). >> >> Note that launch measurement security is not harmed by these fixes: a >> Guest Owner that wants to use measured Linux boot with -kernel, must use >> (and measure) an OVMF image that designates a proper hashes table area, >> and that verifies those hashes when loading the binaries from QEMU via >> fw_cfg. >> >> The old OVMFs which don't publish the hashes table GUID or don't reserve >> a valid area for it in MEMFD cannot support these hashes verification in >> any case (for measured boot with -kernel). >> >> >> [1] https://lore.kernel.org/qemu-devel/3b9d10d9-5d9c-da52-f18c-cd93c1931706@amd.com/ >> [2] https://lore.kernel.org/qemu-devel/001dd81a-282d-c307-a657-e228480d4af3@amd.com/ >> >> Dov Murik (3): >> sev/i386: Allow launching with -kernel if no OVMF hashes table found >> sev/i386: Warn if using -kernel with invalid OVMF hashes table area >> sev/i386: Perform padding calculations at compile-time >> >> target/i386/sev.c | 34 +++++++++++++++++++++++----------- >> 1 file changed, 23 insertions(+), 11 deletions(-) >> >> >> base-commit: af531756d25541a1b3b3d9a14e72e7fedd941a2e
On 11/2/21 8:22 AM, Dov Murik wrote: > > > On 02/11/2021 12:52, Brijesh Singh wrote: >> Hi Dov, >> >> Overall the patch looks good, only question I have is that now we are >> enforce qemu to hash the kernel, initrd and cmdline unconditionally for >> any of the SEV guest launches. This requires anyone wanting to >> calculating the expected measurement need to account for it. Should we >> make the hash page build optional ? >> > > The problem with adding a -enable-add-kernel-hashes QEMU option (or > suboption) is yet another complexity for the user. I'd also argue that > adding these hashes can lead to a more secure VM boot process, so it > makes sense for it to be the default (and maybe introduce a > -allow-insecure-unmeasured-kernel-via-fw-cfg option to prevent the > measurement from changing due to addition of hashes?). > > Maybe, on the other hand, OVMF should "report" whether it supports > hashes verification. If it does, it should have the GUID in the table > (near the reset vector), like the current OvmfPkg/AmdSev edk2 build. If > it doesn't support that, then the entry should not appear at all, and > then QEMU won't add the hashes (with patch 1 from this series). This > means that in edk2 we need to remove the SEV Hash Table block from the > ResetVectorVtf0.asm for OvmfPkg, but include it in the AmdSev build. > By leaving it ON is conveying a wrong message to the user. The library used for verifying the hash is a NULL library for all the builds of Ovmf except the AmdSev package. In the NULL library case, OVMF does not perform any checks and hash table is useless. I will raise this on concern on your Ovmf patch series. IMHO, if you want to turn it ON by default then make sure all the OVMF package builds supports validating the hash. > But the problem with this approach is that it prevents the future > unification of AmdSev and OvmfPkg, which is a possibility we discussed > (at least with Dave Gilbert), though not sure it's a good/feasible goal. > > This is my exact concern, we are auto enabling the features in Qemu that is supported by AmdSev package only. > >> I am thinking this more for the SEV-SNP guest. As you may be aware that >> with SEV-SNP the attestation is performed by the guest, and its possible >> for the launch flow to pass 512-bits of host_data that gets included in >> the report. If a user wants to do the hash'e checks for the SNP then >> they can pass a hash of kernel, initrd and cmdline through a >> launch_finish.ID_BLOCK.host_data and does not require a special hash >> page. This it will simplify the expected hash calculation. > > That is a new measured boot "protocol" that we can discuss, and see > whether it's better/easier than the existing one at hand that works on > SEV and SEV-ES. > > What I don't understand in your suggestion is who performs a SHA256 of > the fw_cfg blobs (kernel/initrd/cmdline) so they can later be verified > (though ideally earlier is better). Can you describe the details > (step-by-step) of an SNP VM boot with -kernel/-initrd/-append and how > the measurement/attestation is performed? > > There are a multiple ways on how you can do a measured boot with the SNP. 1) VMPL0 (SVSM) can provide a complete vTPM (see the MSFT proposal on SNP mailing list). 2) Use your existing hashing approach with some changes to provide a bit more flexibility. 3) Use your existing hashing approach but zero out the hash page when -kernel is not used. Let me expand #2. While launching the SNP guest, a guest owner can provide a ID block that KVM will pass to the PSP during the guest launch flow. In the ID block there is a field called "host_data". A guest owner can do a hash of kernel/initrd/cmdline and include it in the "host_data" field. During the hash verification, the OVMF can call the SNP_GET_REPORT. The PSP will includes the "host_data" passed in the launch process in the report and OVMF can use it for the verification. Unlike the current implementation, this enables a guest owner to provides the hash without requiring any changes in the Qemu and thus affecting the measurement. One thing to note that both #2 and #3 requires ovmf to connect to guest owner to validate the report before using the "host_data" or "hash page". thanks > >> Adding a >> special page requires a validation of that page. All the prevalidated >> page need to be excluded by guest BIOS page validation flow to avoid the >> double validation. The hash page is populated only when we pass -kernel >> and it will be tricky to communicate this information to the guest BIOS >> so that it can skip the validation. > > So that again comes back to the earlier question of whether we should > always fill the hashes page or only sometimes, and how can OVMF tell. > > How about: QEMU always prevalidates this page (either fills it with > zeros or with the hashes table), and the BIOS always excludes it? > > -Dov > > >> >> Thoughts ? >> >> thanks >> >> On 11/1/21 5:21 AM, Dov Murik wrote: >>> Tom Lendacky and Brijesh Singh reported two issues with launching SEV >>> guests with the -kernel QEMU option when an old [1] or wrongly configured [2] >>> OVMF images are used. >>> >>> The fixes in patches 1 and 2 allow such guests to boot by skipping the >>> kernel/initrd/cmdline hashes addition to the initial guest memory (and >>> warning the user). >>> >>> Patch 3 is a refactoring of parts of the same function >>> sev_add_kernel_loader_hashes() to calculate all padding sizes at >>> compile-time. This patch is not required to fix the issues above, but >>> is suggested as an improvement (no functional change intended). >>> >>> Note that launch measurement security is not harmed by these fixes: a >>> Guest Owner that wants to use measured Linux boot with -kernel, must use >>> (and measure) an OVMF image that designates a proper hashes table area, >>> and that verifies those hashes when loading the binaries from QEMU via >>> fw_cfg. >>> >>> The old OVMFs which don't publish the hashes table GUID or don't reserve >>> a valid area for it in MEMFD cannot support these hashes verification in >>> any case (for measured boot with -kernel). >>> >>> >>> [1] https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore.kernel.org%2Fqemu-devel%2F3b9d10d9-5d9c-da52-f18c-cd93c1931706%40amd.com%2F&data=04%7C01%7Cbrijesh.singh%40amd.com%7Cffa0a5981860476c3bcc08d99e03d3d7%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637714561554218974%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=591wZvEzQQQ6JBjLDhGnvEM8fxX6iky9yxlWn2pifjI%3D&reserved=0 >>> [2] https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore.kernel.org%2Fqemu-devel%2F001dd81a-282d-c307-a657-e228480d4af3%40amd.com%2F&data=04%7C01%7Cbrijesh.singh%40amd.com%7Cffa0a5981860476c3bcc08d99e03d3d7%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637714561554218974%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=ihwNJjetXq5I0WaLjEFzhtrKMbj%2FaFmOmn1xYlLowjg%3D&reserved=0 >>> >>> Dov Murik (3): >>> sev/i386: Allow launching with -kernel if no OVMF hashes table found >>> sev/i386: Warn if using -kernel with invalid OVMF hashes table area >>> sev/i386: Perform padding calculations at compile-time >>> >>> target/i386/sev.c | 34 +++++++++++++++++++++++----------- >>> 1 file changed, 23 insertions(+), 11 deletions(-) >>> >>> >>> base-commit: af531756d25541a1b3b3d9a14e72e7fedd941a2e
* Brijesh Singh (brijesh.singh@amd.com) wrote: > > > On 11/2/21 8:22 AM, Dov Murik wrote: > > > > > > On 02/11/2021 12:52, Brijesh Singh wrote: > > > Hi Dov, > > > > > > Overall the patch looks good, only question I have is that now we are > > > enforce qemu to hash the kernel, initrd and cmdline unconditionally for > > > any of the SEV guest launches. This requires anyone wanting to > > > calculating the expected measurement need to account for it. Should we > > > make the hash page build optional ? > > > > > > > The problem with adding a -enable-add-kernel-hashes QEMU option (or > > suboption) is yet another complexity for the user. I'd also argue that > > adding these hashes can lead to a more secure VM boot process, so it > > makes sense for it to be the default (and maybe introduce a > > -allow-insecure-unmeasured-kernel-via-fw-cfg option to prevent the > > measurement from changing due to addition of hashes?). > > > > Maybe, on the other hand, OVMF should "report" whether it supports > > hashes verification. If it does, it should have the GUID in the table > > (near the reset vector), like the current OvmfPkg/AmdSev edk2 build. If > > it doesn't support that, then the entry should not appear at all, and > > then QEMU won't add the hashes (with patch 1 from this series). This > > means that in edk2 we need to remove the SEV Hash Table block from the > > ResetVectorVtf0.asm for OvmfPkg, but include it in the AmdSev build. > > > > By leaving it ON is conveying a wrong message to the user. The library used > for verifying the hash is a NULL library for all the builds of Ovmf except > the AmdSev package. In the NULL library case, OVMF does not perform any > checks and hash table is useless. I will raise this on concern on your Ovmf > patch series. > > IMHO, if you want to turn it ON by default then make sure all the OVMF > package builds supports validating the hash. > > > > But the problem with this approach is that it prevents the future > > unification of AmdSev and OvmfPkg, which is a possibility we discussed > > (at least with Dave Gilbert), though not sure it's a good/feasible goal. > > > > > > This is my exact concern, we are auto enabling the features in Qemu that is > supported by AmdSev package only. I'm confused; wouldn't the trick be to only define the GUIDs for the builds that support the validation? Dave > > > > > > I am thinking this more for the SEV-SNP guest. As you may be aware that > > > with SEV-SNP the attestation is performed by the guest, and its possible > > > for the launch flow to pass 512-bits of host_data that gets included in > > > the report. If a user wants to do the hash'e checks for the SNP then > > > they can pass a hash of kernel, initrd and cmdline through a > > > launch_finish.ID_BLOCK.host_data and does not require a special hash > > > page. This it will simplify the expected hash calculation. > > > > That is a new measured boot "protocol" that we can discuss, and see > > whether it's better/easier than the existing one at hand that works on > > SEV and SEV-ES. > > > > What I don't understand in your suggestion is who performs a SHA256 of > > the fw_cfg blobs (kernel/initrd/cmdline) so they can later be verified > > (though ideally earlier is better). Can you describe the details > > (step-by-step) of an SNP VM boot with -kernel/-initrd/-append and how > > the measurement/attestation is performed? > > > > > > There are a multiple ways on how you can do a measured boot with the SNP. > > 1) VMPL0 (SVSM) can provide a complete vTPM (see the MSFT proposal on SNP > mailing list). > > 2) Use your existing hashing approach with some changes to provide a bit > more flexibility. > > 3) Use your existing hashing approach but zero out the hash page when > -kernel is not used. > > Let me expand #2. > > While launching the SNP guest, a guest owner can provide a ID block that KVM > will pass to the PSP during the guest launch flow. In the ID block there is > a field called "host_data". A guest owner can do a hash of > kernel/initrd/cmdline and include it in the "host_data" field. During the > hash verification, the OVMF can call the SNP_GET_REPORT. The PSP will > includes the "host_data" passed in the launch process in the report and OVMF > can use it for the verification. Unlike the current implementation, this > enables a guest owner to provides the hash without requiring any changes in > the Qemu and thus affecting the measurement. > > One thing to note that both #2 and #3 requires ovmf to connect to guest > owner to validate the report before using the "host_data" or "hash page". > > > thanks > > > > > > Adding a > > > special page requires a validation of that page. All the prevalidated > > > page need to be excluded by guest BIOS page validation flow to avoid the > > > double validation. The hash page is populated only when we pass -kernel > > > and it will be tricky to communicate this information to the guest BIOS > > > so that it can skip the validation. > > > > So that again comes back to the earlier question of whether we should > > always fill the hashes page or only sometimes, and how can OVMF tell. > > > > How about: QEMU always prevalidates this page (either fills it with > > zeros or with the hashes table), and the BIOS always excludes it? > > > > -Dov > > > > > > > > > > Thoughts ? > > > > > > thanks > > > > > > On 11/1/21 5:21 AM, Dov Murik wrote: > > > > Tom Lendacky and Brijesh Singh reported two issues with launching SEV > > > > guests with the -kernel QEMU option when an old [1] or wrongly configured [2] > > > > OVMF images are used. > > > > > > > > The fixes in patches 1 and 2 allow such guests to boot by skipping the > > > > kernel/initrd/cmdline hashes addition to the initial guest memory (and > > > > warning the user). > > > > > > > > Patch 3 is a refactoring of parts of the same function > > > > sev_add_kernel_loader_hashes() to calculate all padding sizes at > > > > compile-time. This patch is not required to fix the issues above, but > > > > is suggested as an improvement (no functional change intended). > > > > > > > > Note that launch measurement security is not harmed by these fixes: a > > > > Guest Owner that wants to use measured Linux boot with -kernel, must use > > > > (and measure) an OVMF image that designates a proper hashes table area, > > > > and that verifies those hashes when loading the binaries from QEMU via > > > > fw_cfg. > > > > > > > > The old OVMFs which don't publish the hashes table GUID or don't reserve > > > > a valid area for it in MEMFD cannot support these hashes verification in > > > > any case (for measured boot with -kernel). > > > > > > > > > > > > [1] https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore.kernel.org%2Fqemu-devel%2F3b9d10d9-5d9c-da52-f18c-cd93c1931706%40amd.com%2F&data=04%7C01%7Cbrijesh.singh%40amd.com%7Cffa0a5981860476c3bcc08d99e03d3d7%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637714561554218974%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=591wZvEzQQQ6JBjLDhGnvEM8fxX6iky9yxlWn2pifjI%3D&reserved=0 > > > > [2] https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore.kernel.org%2Fqemu-devel%2F001dd81a-282d-c307-a657-e228480d4af3%40amd.com%2F&data=04%7C01%7Cbrijesh.singh%40amd.com%7Cffa0a5981860476c3bcc08d99e03d3d7%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637714561554218974%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=ihwNJjetXq5I0WaLjEFzhtrKMbj%2FaFmOmn1xYlLowjg%3D&reserved=0 > > > > > > > > Dov Murik (3): > > > > sev/i386: Allow launching with -kernel if no OVMF hashes table found > > > > sev/i386: Warn if using -kernel with invalid OVMF hashes table area > > > > sev/i386: Perform padding calculations at compile-time > > > > > > > > target/i386/sev.c | 34 +++++++++++++++++++++++----------- > > > > 1 file changed, 23 insertions(+), 11 deletions(-) > > > > > > > > > > > > base-commit: af531756d25541a1b3b3d9a14e72e7fedd941a2e >
On 11/3/21 9:08 AM, Dr. David Alan Gilbert wrote: > * Brijesh Singh (brijesh.singh@amd.com) wrote: >> >> >> On 11/2/21 8:22 AM, Dov Murik wrote: >>> >>> >>> On 02/11/2021 12:52, Brijesh Singh wrote: >>>> Hi Dov, >>>> >>>> Overall the patch looks good, only question I have is that now we are >>>> enforce qemu to hash the kernel, initrd and cmdline unconditionally for >>>> any of the SEV guest launches. This requires anyone wanting to >>>> calculating the expected measurement need to account for it. Should we >>>> make the hash page build optional ? >>>> >>> >>> The problem with adding a -enable-add-kernel-hashes QEMU option (or >>> suboption) is yet another complexity for the user. I'd also argue that >>> adding these hashes can lead to a more secure VM boot process, so it >>> makes sense for it to be the default (and maybe introduce a >>> -allow-insecure-unmeasured-kernel-via-fw-cfg option to prevent the >>> measurement from changing due to addition of hashes?). >>> >>> Maybe, on the other hand, OVMF should "report" whether it supports >>> hashes verification. If it does, it should have the GUID in the table >>> (near the reset vector), like the current OvmfPkg/AmdSev edk2 build. If >>> it doesn't support that, then the entry should not appear at all, and >>> then QEMU won't add the hashes (with patch 1 from this series). This >>> means that in edk2 we need to remove the SEV Hash Table block from the >>> ResetVectorVtf0.asm for OvmfPkg, but include it in the AmdSev build. >>> >> >> By leaving it ON is conveying a wrong message to the user. The library used >> for verifying the hash is a NULL library for all the builds of Ovmf except >> the AmdSev package. In the NULL library case, OVMF does not perform any >> checks and hash table is useless. I will raise this on concern on your Ovmf >> patch series. >> >> IMHO, if you want to turn it ON by default then make sure all the OVMF >> package builds supports validating the hash. >> >> >>> But the problem with this approach is that it prevents the future >>> unification of AmdSev and OvmfPkg, which is a possibility we discussed >>> (at least with Dave Gilbert), though not sure it's a good/feasible goal. >>> >>> >> >> This is my exact concern, we are auto enabling the features in Qemu that is >> supported by AmdSev package only. > > I'm confused; wouldn't the trick be to only define the GUIDs for the > builds that support the validation? > The GUID is hardcoded in the OVMF reset vector asm file, and the file gets included for all the flavor of OVMF builds. In its current form, GUID is defined for all the package. thanks
On Tue, Nov 02, 2021 at 03:22:24PM +0200, Dov Murik wrote: > > > On 02/11/2021 12:52, Brijesh Singh wrote: > > Hi Dov, > > > > Overall the patch looks good, only question I have is that now we are > > enforce qemu to hash the kernel, initrd and cmdline unconditionally for > > any of the SEV guest launches. This requires anyone wanting to > > calculating the expected measurement need to account for it. Should we > > make the hash page build optional ? > > > > The problem with adding a -enable-add-kernel-hashes QEMU option (or > suboption) is yet another complexity for the user. I don't view that as complexity - rather it is the user being explicit about what their requirements are. If they ask for the kernel hashes and we can't honour that, we can now give them a clear error and exit instead of carrying on with a broken setup. If they don't ask for kernel hashes, we can skip the whole bit and not have a problem with bogus warnings or back compatibilty worries. Regards, Daniel
On 03/11/2021 17:44, Brijesh Singh wrote: > > > On 11/3/21 9:08 AM, Dr. David Alan Gilbert wrote: >> * Brijesh Singh (brijesh.singh@amd.com) wrote: >>> >>> >>> On 11/2/21 8:22 AM, Dov Murik wrote: >>>> >>>> >>>> On 02/11/2021 12:52, Brijesh Singh wrote: >>>>> Hi Dov, >>>>> >>>>> Overall the patch looks good, only question I have is that now we are >>>>> enforce qemu to hash the kernel, initrd and cmdline unconditionally >>>>> for >>>>> any of the SEV guest launches. This requires anyone wanting to >>>>> calculating the expected measurement need to account for it. Should we >>>>> make the hash page build optional ? >>>>> >>>> >>>> The problem with adding a -enable-add-kernel-hashes QEMU option (or >>>> suboption) is yet another complexity for the user. I'd also argue that >>>> adding these hashes can lead to a more secure VM boot process, so it >>>> makes sense for it to be the default (and maybe introduce a >>>> -allow-insecure-unmeasured-kernel-via-fw-cfg option to prevent the >>>> measurement from changing due to addition of hashes?). >>>> >>>> Maybe, on the other hand, OVMF should "report" whether it supports >>>> hashes verification. If it does, it should have the GUID in the table >>>> (near the reset vector), like the current OvmfPkg/AmdSev edk2 build. If >>>> it doesn't support that, then the entry should not appear at all, and >>>> then QEMU won't add the hashes (with patch 1 from this series). This >>>> means that in edk2 we need to remove the SEV Hash Table block from the >>>> ResetVectorVtf0.asm for OvmfPkg, but include it in the AmdSev build. >>>> >>> >>> By leaving it ON is conveying a wrong message to the user. The >>> library used >>> for verifying the hash is a NULL library for all the builds of Ovmf >>> except >>> the AmdSev package. In the NULL library case, OVMF does not perform any >>> checks and hash table is useless. I will raise this on concern on >>> your Ovmf >>> patch series. >>> >>> IMHO, if you want to turn it ON by default then make sure all the OVMF >>> package builds supports validating the hash. >>> >>> >>>> But the problem with this approach is that it prevents the future >>>> unification of AmdSev and OvmfPkg, which is a possibility we discussed >>>> (at least with Dave Gilbert), though not sure it's a good/feasible >>>> goal. >>>> >>>> >>> >>> This is my exact concern, we are auto enabling the features in Qemu >>> that is >>> supported by AmdSev package only. >> >> I'm confused; wouldn't the trick be to only define the GUIDs for the >> builds that support the validation? >> > > The GUID is hardcoded in the OVMF reset vector asm file, and the file > gets included for all the flavor of OVMF builds. In its current form, > GUID is defined for all the package. > (We can overcome that by changing to a new GUID and modifying the reset vector asm file to include the SEV hashes GUID only in the AmdSev build. Requires changes both in OVMF and in QEMU.) But some people want to use a non-hash-validating OVMF build with -kernel (that's the "old OVMF" scenario that Tom presented). In that case: 1. QEMU won't find the GUID, and will fail. This is breaking behaviour for existing users. 2. If we just warn (as this patch suggested), then we don't enforce the secure behaviour that some users want. Following Daniel's suggestion, I think I'm going to send another round in which the whole kernel hashes addition will happen only if the user explicitly requested: -object sev_guest,id=sev0,...,kernel_hashes=on With the default being 'off'. (and change the warn_report above to error_report so they are fatal.) This is basically keeping the new functionality for the release under a feature flag, so users that want to use it will enable it explicitly and all other users have the same behaviour as in previous releases. As Daniel mentioned, we can also consider an 'auto' mode in which we add the kernel hashes only if the GUID exists in OVMF, but I actually came to an understanding that this is too confusing in the state of OVMF builds right now. Users that use the tighter OVMF build (AmdSev) will get a boot failure from OVMF if they don't define kernel_hashes=on, so that won't be accidentally missed. -Dov
On 02/11/2021 16:48, Brijesh Singh wrote: > > > On 11/2/21 8:22 AM, Dov Murik wrote: >> >> >> On 02/11/2021 12:52, Brijesh Singh wrote: >>> Hi Dov, >>> >>> Overall the patch looks good, only question I have is that now we are >>> enforce qemu to hash the kernel, initrd and cmdline unconditionally for >>> any of the SEV guest launches. This requires anyone wanting to >>> calculating the expected measurement need to account for it. Should we >>> make the hash page build optional ? >>> >> >> The problem with adding a -enable-add-kernel-hashes QEMU option (or >> suboption) is yet another complexity for the user. I'd also argue that >> adding these hashes can lead to a more secure VM boot process, so it >> makes sense for it to be the default (and maybe introduce a >> -allow-insecure-unmeasured-kernel-via-fw-cfg option to prevent the >> measurement from changing due to addition of hashes?). >> >> Maybe, on the other hand, OVMF should "report" whether it supports >> hashes verification. If it does, it should have the GUID in the table >> (near the reset vector), like the current OvmfPkg/AmdSev edk2 build. If >> it doesn't support that, then the entry should not appear at all, and >> then QEMU won't add the hashes (with patch 1 from this series). This >> means that in edk2 we need to remove the SEV Hash Table block from the >> ResetVectorVtf0.asm for OvmfPkg, but include it in the AmdSev build. >> > > By leaving it ON is conveying a wrong message to the user. The library > used for verifying the hash is a NULL library for all the builds of Ovmf > except the AmdSev package. In the NULL library case, OVMF does not > perform any checks and hash table is useless. I will raise this on > concern on your Ovmf patch series. > > IMHO, if you want to turn it ON by default then make sure all the OVMF > package builds supports validating the hash. > > >> But the problem with this approach is that it prevents the future >> unification of AmdSev and OvmfPkg, which is a possibility we discussed >> (at least with Dave Gilbert), though not sure it's a good/feasible goal. >> >> > > This is my exact concern, we are auto enabling the features in Qemu that > is supported by AmdSev package only. > > >> >>> I am thinking this more for the SEV-SNP guest. As you may be aware that >>> with SEV-SNP the attestation is performed by the guest, and its possible >>> for the launch flow to pass 512-bits of host_data that gets included in >>> the report. If a user wants to do the hash'e checks for the SNP then >>> they can pass a hash of kernel, initrd and cmdline through a >>> launch_finish.ID_BLOCK.host_data and does not require a special hash >>> page. This it will simplify the expected hash calculation. >> >> That is a new measured boot "protocol" that we can discuss, and see >> whether it's better/easier than the existing one at hand that works on >> SEV and SEV-ES. >> >> What I don't understand in your suggestion is who performs a SHA256 of >> the fw_cfg blobs (kernel/initrd/cmdline) so they can later be verified >> (though ideally earlier is better). Can you describe the details >> (step-by-step) of an SNP VM boot with -kernel/-initrd/-append and how >> the measurement/attestation is performed? >> >> > > There are a multiple ways on how you can do a measured boot with the SNP. > > 1) VMPL0 (SVSM) can provide a complete vTPM (see the MSFT proposal on > SNP mailing list). > > 2) Use your existing hashing approach with some changes to provide a bit > more flexibility. > > 3) Use your existing hashing approach but zero out the hash page when > -kernel is not used. > > Let me expand #2. > > While launching the SNP guest, a guest owner can provide a ID block that > KVM will pass to the PSP during the guest launch flow. In the ID block > there is a field called "host_data". A guest owner can do a hash of > kernel/initrd/cmdline and include it in the "host_data" field. During > the hash verification, the OVMF can call the SNP_GET_REPORT. The PSP > will includes the "host_data" passed in the launch process in the report > and OVMF can use it for the verification. Unlike the current > implementation, this enables a guest owner to provides the hash without > requiring any changes in the Qemu and thus affecting the measurement. > Is there a way (in the current NP patches for OVMF) for OVMF to call SNP_GET_REPORT? Or is this something we need to add support for? Will it mess up the sequence numbers that are later going to be used by the kernel as well when managing SNP guest requests? > One thing to note that both #2 and #3 requires ovmf to connect to guest > owner to validate the report before using the "host_data" or "hash page". > For direct boot (with -kernel/-initrd), I don't understand why OVMF needs to contact the GO. If OVMF can fetch the host_data field, and use that to verify the blobs delivered from QEMU via fw_cfg, it should be enough. Later in userspace a user program will contact the GO with the attestation report (which measures host_data and the OVMF memory). If the measurement is not what the GO expects, then it won't release the secret (which should be necessary for the actual meaningful workload performed in the guest). This should mitigate the following attacks: 1. Rogue CSP replaces OVMF with a rogue-OVMF that doesn't actually check the hashes (the GO won't release the secret due to wrong measurement in attestation report). 2. Rogue CSP uses "good" host_data content (kernel hash) but delivers malicious kernel via fw_cfg (stopped by OVMF verifying the hashes). 3. Rogue CSP uses malicious kernel and its hashes in host_data (the GO won't release the secret due to wrong host_data in attestation report). -Dov
On 11/5/21 1:32 PM, Dov Murik wrote: > > > On 02/11/2021 16:48, Brijesh Singh wrote: >> >> >> On 11/2/21 8:22 AM, Dov Murik wrote: >>> >>> >>> On 02/11/2021 12:52, Brijesh Singh wrote: >>>> Hi Dov, >>>> >>>> Overall the patch looks good, only question I have is that now we are >>>> enforce qemu to hash the kernel, initrd and cmdline unconditionally for >>>> any of the SEV guest launches. This requires anyone wanting to >>>> calculating the expected measurement need to account for it. Should we >>>> make the hash page build optional ? >>>> >>> >>> The problem with adding a -enable-add-kernel-hashes QEMU option (or >>> suboption) is yet another complexity for the user. I'd also argue that >>> adding these hashes can lead to a more secure VM boot process, so it >>> makes sense for it to be the default (and maybe introduce a >>> -allow-insecure-unmeasured-kernel-via-fw-cfg option to prevent the >>> measurement from changing due to addition of hashes?). >>> >>> Maybe, on the other hand, OVMF should "report" whether it supports >>> hashes verification. If it does, it should have the GUID in the table >>> (near the reset vector), like the current OvmfPkg/AmdSev edk2 build. If >>> it doesn't support that, then the entry should not appear at all, and >>> then QEMU won't add the hashes (with patch 1 from this series). This >>> means that in edk2 we need to remove the SEV Hash Table block from the >>> ResetVectorVtf0.asm for OvmfPkg, but include it in the AmdSev build. >>> >> >> By leaving it ON is conveying a wrong message to the user. The library >> used for verifying the hash is a NULL library for all the builds of Ovmf >> except the AmdSev package. In the NULL library case, OVMF does not >> perform any checks and hash table is useless. I will raise this on >> concern on your Ovmf patch series. >> >> IMHO, if you want to turn it ON by default then make sure all the OVMF >> package builds supports validating the hash. >> >> >>> But the problem with this approach is that it prevents the future >>> unification of AmdSev and OvmfPkg, which is a possibility we discussed >>> (at least with Dave Gilbert), though not sure it's a good/feasible goal. >>> >>> >> >> This is my exact concern, we are auto enabling the features in Qemu that >> is supported by AmdSev package only. >> >> >>> >>>> I am thinking this more for the SEV-SNP guest. As you may be aware that >>>> with SEV-SNP the attestation is performed by the guest, and its possible >>>> for the launch flow to pass 512-bits of host_data that gets included in >>>> the report. If a user wants to do the hash'e checks for the SNP then >>>> they can pass a hash of kernel, initrd and cmdline through a >>>> launch_finish.ID_BLOCK.host_data and does not require a special hash >>>> page. This it will simplify the expected hash calculation. >>> >>> That is a new measured boot "protocol" that we can discuss, and see >>> whether it's better/easier than the existing one at hand that works on >>> SEV and SEV-ES. >>> >>> What I don't understand in your suggestion is who performs a SHA256 of >>> the fw_cfg blobs (kernel/initrd/cmdline) so they can later be verified >>> (though ideally earlier is better). Can you describe the details >>> (step-by-step) of an SNP VM boot with -kernel/-initrd/-append and how >>> the measurement/attestation is performed? >>> >>> >> >> There are a multiple ways on how you can do a measured boot with the SNP. >> >> 1) VMPL0 (SVSM) can provide a complete vTPM (see the MSFT proposal on >> SNP mailing list). >> >> 2) Use your existing hashing approach with some changes to provide a bit >> more flexibility. >> >> 3) Use your existing hashing approach but zero out the hash page when >> -kernel is not used. >> >> Let me expand #2. >> >> While launching the SNP guest, a guest owner can provide a ID block that >> KVM will pass to the PSP during the guest launch flow. In the ID block >> there is a field called "host_data". A guest owner can do a hash of >> kernel/initrd/cmdline and include it in the "host_data" field. During >> the hash verification, the OVMF can call the SNP_GET_REPORT. The PSP >> will includes the "host_data" passed in the launch process in the report >> and OVMF can use it for the verification. Unlike the current >> implementation, this enables a guest owner to provides the hash without >> requiring any changes in the Qemu and thus affecting the measurement. >> > > Is there a way (in the current NP patches for OVMF) for OVMF to call > SNP_GET_REPORT? Or is this something we need to add support for? Will it > mess up the sequence numbers that are later going to be used by the > kernel as well when managing SNP guest requests? > > The current OVMF patches does not add a library to query the attestation report yet. If required it should be possible to add such a libraries. The VMGEXIT is available to both Guest OS and Guest BIOS. The sequence number should not be an issue. As per the GHCB spec, the guest BIOS will save the sequence number in the secrets page reserved area and guest kernel can picked the next number from that region (its same as the kexec approach). > >> One thing to note that both #2 and #3 requires ovmf to connect to guest >> owner to validate the report before using the "host_data" or "hash page". >> > > For direct boot (with -kernel/-initrd), I don't understand why OVMF > needs to contact the GO. If OVMF can fetch the host_data field, and use > that to verify the blobs delivered from QEMU via fw_cfg, it should be > enough. > Well, I am trying to match with the current model in which the Hash's are provided through the secrets injection for the comparision. In other words, the attestation is completed before OVMF does the hash comparison. So, if you want to have the same security property then you need to perform the attestation before comparing the hash'es because a malicious HV may bypass the guid check. thanks > Later in userspace a user program will contact the GO with the > attestation report (which measures host_data and the OVMF memory). If > the measurement is not what the GO expects, then it won't release the > secret (which should be necessary for the actual meaningful workload > performed in the guest). > > > This should mitigate the following attacks: > > 1. Rogue CSP replaces OVMF with a rogue-OVMF that doesn't actually check > the hashes (the GO won't release the secret due to wrong measurement in > attestation report). > 2. Rogue CSP uses "good" host_data content (kernel hash) but delivers > malicious kernel via fw_cfg (stopped by OVMF verifying the hashes). > 3. Rogue CSP uses malicious kernel and its hashes in host_data (the GO > won't release the secret due to wrong host_data in attestation report). > > > -Dov >
On 08/11/2021 23:22, Brijesh Singh wrote: > > > On 11/5/21 1:32 PM, Dov Murik wrote: >> >> >> On 02/11/2021 16:48, Brijesh Singh wrote: >>> >>> >>> On 11/2/21 8:22 AM, Dov Murik wrote: >>>> >>>> >>>> On 02/11/2021 12:52, Brijesh Singh wrote: >>>>> Hi Dov, >>>>> >>>>> Overall the patch looks good, only question I have is that now we are >>>>> enforce qemu to hash the kernel, initrd and cmdline unconditionally >>>>> for >>>>> any of the SEV guest launches. This requires anyone wanting to >>>>> calculating the expected measurement need to account for it. Should we >>>>> make the hash page build optional ? >>>>> >>>> >>>> The problem with adding a -enable-add-kernel-hashes QEMU option (or >>>> suboption) is yet another complexity for the user. I'd also argue that >>>> adding these hashes can lead to a more secure VM boot process, so it >>>> makes sense for it to be the default (and maybe introduce a >>>> -allow-insecure-unmeasured-kernel-via-fw-cfg option to prevent the >>>> measurement from changing due to addition of hashes?). >>>> >>>> Maybe, on the other hand, OVMF should "report" whether it supports >>>> hashes verification. If it does, it should have the GUID in the table >>>> (near the reset vector), like the current OvmfPkg/AmdSev edk2 build. If >>>> it doesn't support that, then the entry should not appear at all, and >>>> then QEMU won't add the hashes (with patch 1 from this series). This >>>> means that in edk2 we need to remove the SEV Hash Table block from the >>>> ResetVectorVtf0.asm for OvmfPkg, but include it in the AmdSev build. >>>> >>> >>> By leaving it ON is conveying a wrong message to the user. The library >>> used for verifying the hash is a NULL library for all the builds of Ovmf >>> except the AmdSev package. In the NULL library case, OVMF does not >>> perform any checks and hash table is useless. I will raise this on >>> concern on your Ovmf patch series. >>> >>> IMHO, if you want to turn it ON by default then make sure all the OVMF >>> package builds supports validating the hash. >>> >>> >>>> But the problem with this approach is that it prevents the future >>>> unification of AmdSev and OvmfPkg, which is a possibility we discussed >>>> (at least with Dave Gilbert), though not sure it's a good/feasible >>>> goal. >>>> >>>> >>> >>> This is my exact concern, we are auto enabling the features in Qemu that >>> is supported by AmdSev package only. >>> >>> >>>> >>>>> I am thinking this more for the SEV-SNP guest. As you may be aware >>>>> that >>>>> with SEV-SNP the attestation is performed by the guest, and its >>>>> possible >>>>> for the launch flow to pass 512-bits of host_data that gets >>>>> included in >>>>> the report. If a user wants to do the hash'e checks for the SNP then >>>>> they can pass a hash of kernel, initrd and cmdline through a >>>>> launch_finish.ID_BLOCK.host_data and does not require a special hash >>>>> page. This it will simplify the expected hash calculation. >>>> >>>> That is a new measured boot "protocol" that we can discuss, and see >>>> whether it's better/easier than the existing one at hand that works on >>>> SEV and SEV-ES. >>>> >>>> What I don't understand in your suggestion is who performs a SHA256 of >>>> the fw_cfg blobs (kernel/initrd/cmdline) so they can later be verified >>>> (though ideally earlier is better). Can you describe the details >>>> (step-by-step) of an SNP VM boot with -kernel/-initrd/-append and how >>>> the measurement/attestation is performed? >>>> >>>> >>> >>> There are a multiple ways on how you can do a measured boot with the >>> SNP. >>> >>> 1) VMPL0 (SVSM) can provide a complete vTPM (see the MSFT proposal on >>> SNP mailing list). >>> >>> 2) Use your existing hashing approach with some changes to provide a bit >>> more flexibility. >>> >>> 3) Use your existing hashing approach but zero out the hash page when >>> -kernel is not used. >>> >>> Let me expand #2. >>> >>> While launching the SNP guest, a guest owner can provide a ID block that >>> KVM will pass to the PSP during the guest launch flow. In the ID block >>> there is a field called "host_data". A guest owner can do a hash of >>> kernel/initrd/cmdline and include it in the "host_data" field. During >>> the hash verification, the OVMF can call the SNP_GET_REPORT. The PSP >>> will includes the "host_data" passed in the launch process in the report >>> and OVMF can use it for the verification. Unlike the current >>> implementation, this enables a guest owner to provides the hash without >>> requiring any changes in the Qemu and thus affecting the measurement. >>> >> >> Is there a way (in the current NP patches for OVMF) for OVMF to call >> SNP_GET_REPORT? Or is this something we need to add support for? Will it >> mess up the sequence numbers that are later going to be used by the >> kernel as well when managing SNP guest requests? >> >> > > The current OVMF patches does not add a library to query the attestation > report yet. If required it should be possible to add such a libraries. > The VMGEXIT is available to both Guest OS and Guest BIOS. The sequence > number should not be an issue. As per the GHCB spec, the guest BIOS will > save the sequence number in the secrets page reserved area and guest > kernel can picked the next number from that region (its same as the > kexec approach). > OK, good to know. *If* we decide to use the host_data field to store the hashes, then we would have to add the SNP_GET_REPORT functionality to OVMF. >> >>> One thing to note that both #2 and #3 requires ovmf to connect to guest >>> owner to validate the report before using the "host_data" or "hash >>> page". >>> >> >> For direct boot (with -kernel/-initrd), I don't understand why OVMF >> needs to contact the GO. If OVMF can fetch the host_data field, and use >> that to verify the blobs delivered from QEMU via fw_cfg, it should be >> enough. >> > > Well, I am trying to match with the current model in which the Hash's > are provided through the secrets injection for the comparision. In other > words, the attestation is completed before OVMF does the hash > comparison. So, if you want to have the same security property then you > need to perform the attestation before comparing the hash'es because a > malicious HV may bypass the guid check. > In the current model (works for SEV and SEV-ES) the hashes are not provided via secret injection; they are added by QEMU to the designated hashes area in the guest. If we only need the secret later (in userspace) then we can use a similar model. Hashes are either (a) added to the designated page (by QEMU), or (b) passed in host_data (by QEMU). OVMF fetch the hashes: (a) by reading a memory page, or (b) by using SNP_GET_REPORT. It will verify them against the blobs from fw_cfg, and will continue to boot only if they match. and then it continues as I previously wrote: > >> Later in userspace a user program will contact the GO with the >> attestation report (which measures host_data and the OVMF memory). If >> the measurement is not what the GO expects, then it won't release the >> secret (which should be necessary for the actual meaningful workload >> performed in the guest). >> >> >> This should mitigate the following attacks: >> >> 1. Rogue CSP replaces OVMF with a rogue-OVMF that doesn't actually check >> the hashes (the GO won't release the secret due to wrong measurement in >> attestation report). >> 2. Rogue CSP uses "good" host_data content (kernel hash) but delivers >> malicious kernel via fw_cfg (stopped by OVMF verifying the hashes). >> 3. Rogue CSP uses malicious kernel and its hashes in host_data (the GO >> won't release the secret due to wrong host_data in attestation report). >> -Dov