From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [63.128.21.124]) by mx.groups.io with SMTP id smtpd.web10.1978.1610048504445108989 for ; Thu, 07 Jan 2021 11:41:44 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Qj+5HHUz; spf=pass (domain: redhat.com, ip: 63.128.21.124, mailfrom: lersek@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1610048503; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=wAAXMR83/QdxoDybweSmtMe1mA7ZhCMZgHSV2dHB60E=; b=Qj+5HHUzpxASviIJmYoayKX2kI1O0CNU+t3OhHQipJVEP9UyGIFHB59pXeBfV4VhE1+RcF HjNwNhF+5h1b6ZPibBIQIKSuHlPZISJCwiKyCEObziPLyjxKNCX6EOrsTgcB+db0FKss3j /S2h3toKNuFaOeT+oHTIuzNv1PT8rnU= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-442-YsU5NROJMxmOF-xVIuFs5Q-1; Thu, 07 Jan 2021 14:41:39 -0500 X-MC-Unique: YsU5NROJMxmOF-xVIuFs5Q-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id BD3D2801817; Thu, 7 Jan 2021 19:41:37 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-112-164.ams2.redhat.com [10.36.112.164]) by smtp.corp.redhat.com (Postfix) with ESMTP id 3E9065C260; Thu, 7 Jan 2021 19:41:35 +0000 (UTC) Subject: Re: [edk2-devel] [PATCH v3 00/15] SEV-ES security mitigations To: devel@edk2.groups.io, thomas.lendacky@amd.com Cc: Brijesh Singh , James Bottomley , Ard Biesheuvel , Rebecca Cran , Julien Grall , Peter Grehan , Jordan Justen , Anthony Perard References: From: "Laszlo Ersek" Message-ID: <0c3c91a6-68cb-a0d6-8fee-c85039e328c3@redhat.com> Date: Thu, 7 Jan 2021 20:41:34 +0100 MIME-Version: 1.0 In-Reply-To: X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=lersek@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit On 01/07/21 19:48, Lendacky, Thomas wrote: > From: Tom Lendacky > > This patch series provides security mitigations for SEV-ES to protect > against some attacks identified in the paper titled "Exploiting Interfaces > of Secure Encrypted Virtual Machines" at: > https://arxiv.org/pdf/2010.07094.pdf > > The mitigations include: > > - Validating the encryption bit position provided by the hypervisor. > Additionally, once validated use the validated value throughout the > code. > > - Validating that SEV-ES has been advertised to the guest if a #VC has > been taken to prevent the hypervisor from pretending that SEV-ES is > not enabled. > > - Validate that MMIO is performed to/from unencrypted memory addresses > to prevent the hypervisor try to inject data or expose secrets within > the guest. > > And a change separate from the above paper: > > - When checking #VC related per-vCPU values, make checks for explicit > values vs non-zero values so that a hypervisor can't write random data > to the location to alter guest processing behavior. > > Also, as part of creating these mitigations: > - MemEncryptSevLib is updated to now be available during SEC > - #VC now supports a single nested invocation > > BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108 > > --- > > These patches are based on commit: > 7785b38ac977 ("ArmPkg: Fix Ecc error 5007 in DefaultExceptionHandlerLib") > > All modified DSC files successfully built. > > Changes since v2: > - Updated source file order in DSC package changes > - Updated two commit subjects > > Changes since v1: > - Added CLI before HLT in the halt loops > - Split the encryption mask retrieval interface patch into three > patches > - Split out some coding style fixes as a pre-patch in order to pass ECC > - Implemented an SEC specific version of the > MemEncryptSevLocateInitialSmramSaveStateMapPagesCreated() interface. > - Clarified/expanded some commit messages and comments > > Cc: Ard Biesheuvel > Cc: Rebecca Cran > Cc: Laszlo Ersek > Cc: Julien Grall > Cc: Peter Grehan > Cc: Jordan Justen > Cc: Anthony Perard > Cc: Brijesh Singh > > Tom Lendacky (15): > Ovmf/ResetVector: Simplify and consolidate the SEV features checks > OvmfPkg/Sec: Move SEV-ES SEC workarea definition to common header file > OvmfPkg/ResetVector: Validate the encryption bit position for > SEV/SEV-ES > OvmfPkg/ResetVector: Perform a simple SEV-ES sanity check > OvmfPkg/ResetVector: Save the encryption mask at boot time > OvmfPkg/MemEncryptSevLib: Add an interface to retrieve the encryption > mask > OvmfPkg: Obtain SEV encryption mask with the new MemEncryptSevLib API > OvmfPkg/AmdSevDxe: Clear encryption bit on PCIe MMCONFIG range > OvmfPkg/VmgExitLib: Check for an explicit DR7 cached value > OvmfPkg/MemEncryptSevLib: Coding style fixes in prep for SEC library > OvmfPkg/MemEncryptSevLib: Make the MemEncryptSevLib available for SEC > OvmfPkg/MemEncryptSevLib: Address range encryption state interface > OvmfPkg/VmgExitLib: Support nested #VCs > OvmfPkg/PlatformPei: Reserve GHCB backup pages if S3 is supported > OvfmPkg/VmgExitLib: Validate #VC MMIO is to un-encrypted memory > > OvmfPkg/OvmfPkg.dec | 2 + > OvmfPkg/AmdSev/AmdSevX64.dsc | 6 +- > OvmfPkg/Bhyve/BhyveX64.dsc | 4 +- > OvmfPkg/OvmfPkgIa32.dsc | 4 +- > OvmfPkg/OvmfPkgIa32X64.dsc | 4 +- > OvmfPkg/OvmfPkgX64.dsc | 6 +- > OvmfPkg/OvmfXen.dsc | 3 +- > OvmfPkg/AmdSev/AmdSevX64.fdf | 3 + > OvmfPkg/OvmfPkgX64.fdf | 3 + > OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 8 +- > OvmfPkg/Library/BaseMemEncryptSevLib/{BaseMemEncryptSevLib.inf => DxeMemEncryptSevLib.inf} | 16 +- > OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf | 57 ++ > OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf | 51 ++ > OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf | 45 + > OvmfPkg/Library/VmgExitLib/VmgExitLib.inf | 6 +- > OvmfPkg/PlatformPei/PlatformPei.inf | 2 + > OvmfPkg/Include/Library/MemEncryptSevLib.h | 90 +- > OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h | 35 +- > OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.h | 53 ++ > OvmfPkg/AmdSevDxe/AmdSevDxe.c | 20 +- > OvmfPkg/Bhyve/PlatformPei/AmdSev.c | 12 +- > OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c | 145 +++ > OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c | 31 +- > OvmfPkg/Library/BaseMemEncryptSevLib/MemEncryptSevLibInternal.c | 155 ---- > OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibInternal.c | 63 ++ > OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c | 159 ++++ > OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c | 155 ++++ > OvmfPkg/Library/BaseMemEncryptSevLib/X64/MemEncryptSevLib.c | 32 +- > OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c | 893 ++++++++++++++++++ > OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecVirtualMemory.c | 100 ++ > OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c | 954 +++----------------- > OvmfPkg/Library/VmgExitLib/PeiDxeVmgExitVcHandler.c | 103 +++ > OvmfPkg/Library/VmgExitLib/SecVmgExitVcHandler.c | 109 +++ > OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 130 ++- > OvmfPkg/PlatformPei/AmdSev.c | 50 +- > OvmfPkg/PlatformPei/MemDetect.c | 5 + > OvmfPkg/Sec/SecMain.c | 6 +- > OvmfPkg/XenPlatformPei/AmdSev.c | 12 +- > OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm | 118 +++ > OvmfPkg/ResetVector/Ia32/PageTables64.asm | 110 ++- > OvmfPkg/ResetVector/ResetVector.nasmb | 5 +- > 41 files changed, 2679 insertions(+), 1086 deletions(-) > rename OvmfPkg/Library/BaseMemEncryptSevLib/{BaseMemEncryptSevLib.inf => DxeMemEncryptSevLib.inf} (63%) > create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf > create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf > create mode 100644 OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf > create mode 100644 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.h > create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c > delete mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/MemEncryptSevLibInternal.c > create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibInternal.c > create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c > create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c > create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c > create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecVirtualMemory.c > create mode 100644 OvmfPkg/Library/VmgExitLib/PeiDxeVmgExitVcHandler.c > create mode 100644 OvmfPkg/Library/VmgExitLib/SecVmgExitVcHandler.c > create mode 100644 OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm > Merged as commit range 55ee36b0c490..85b8eac59b8c, via . Thanks Laszlo