From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.158.5]) by mx.groups.io with SMTP id smtpd.web09.15808.1605140010674157638 for ; Wed, 11 Nov 2020 16:13:31 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@ibm.com header.s=pp1 header.b=h1VkdFNk; spf=pass (domain: linux.ibm.com, ip: 148.163.158.5, mailfrom: jejb@linux.ibm.com) Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 0AC01TFJ180409; Wed, 11 Nov 2020 19:13:28 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : mime-version : content-transfer-encoding; s=pp1; bh=kmz+vKYlBiuRaBYFNboEJEK+YXxLYZCmTRhyXcExyco=; b=h1VkdFNkuMDnkXmbGh5udQNORn3NZBOgroy48oVe2UGDhO5PvEd2rXybUCdPU9YUx3ar mVIXApJtgDywcXDzSCd38JfUJiq/rmn7u+A0DKAam9G7WCi5VajMPlJpgXsv5RTwRvd6 xTArjYyQlX2nny7u+cYRwVG9JtwdFqJpbLO20wgHeuAB08diOugDfYBARGwD2Z7QObEu Fdv/2La9Kgm5mAab9VmIe78FbsY4wkP/i+K0DQEtUrPbHqV8NCKygR1/OUKD20nyau6R WG4jPhoeHqoY7RSce49IgUhB0c+cJe/fuEz0d02cZAZXUZwCdOlvJSbkdVj4iXX7lzog SQ== Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-001b2d01.pphosted.com with ESMTP id 34rnpa7awm-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Nov 2020 19:13:28 -0500 Received: from m0098416.ppops.net (m0098416.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.36/8.16.0.36) with SMTP id 0AC02AYW190467; Wed, 11 Nov 2020 19:13:28 -0500 Received: from ppma03wdc.us.ibm.com (ba.79.3fa9.ip4.static.sl-reverse.com [169.63.121.186]) by mx0b-001b2d01.pphosted.com with ESMTP id 34rnpa7awe-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Nov 2020 19:13:28 -0500 Received: from pps.filterd (ppma03wdc.us.ibm.com [127.0.0.1]) by ppma03wdc.us.ibm.com (8.16.0.42/8.16.0.42) with SMTP id 0AC07kKv011337; Thu, 12 Nov 2020 00:13:27 GMT Received: from b03cxnp07029.gho.boulder.ibm.com (b03cxnp07029.gho.boulder.ibm.com [9.17.130.16]) by ppma03wdc.us.ibm.com with ESMTP id 34nk79wd9n-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 12 Nov 2020 00:13:27 +0000 Received: from b03ledav004.gho.boulder.ibm.com (b03ledav004.gho.boulder.ibm.com [9.17.130.235]) by b03cxnp07029.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 0AC0DOSE11731492 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 12 Nov 2020 00:13:24 GMT Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E4C0478068; Thu, 12 Nov 2020 00:13:23 +0000 (GMT) Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id B55F378060; Thu, 12 Nov 2020 00:13:21 +0000 (GMT) Received: from jarvis.int.hansenpartnership.com (unknown [9.85.162.106]) by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP; Thu, 12 Nov 2020 00:13:21 +0000 (GMT) From: James Bottomley To: devel@edk2.groups.io Cc: dovmurik@linux.vnet.ibm.com, Dov.Murik1@il.ibm.com, ashish.kalra@amd.com, brijesh.singh@amd.com, tobin@ibm.com, david.kaplan@amd.com, jon.grimm@amd.com, thomas.lendacky@amd.com, jejb@linux.ibm.com, frankeh@us.ibm.com, "Dr . David Alan Gilbert" Subject: [PATCH 0/4] SEV Encrypted Boot for Ovmf Date: Wed, 11 Nov 2020 16:13:12 -0800 Message-Id: <20201112001316.11341-1-jejb@linux.ibm.com> X-Mailer: git-send-email 2.26.2 MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.312,18.0.737 definitions=2020-11-11_12:2020-11-10,2020-11-11 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxlogscore=999 suspectscore=0 adultscore=0 lowpriorityscore=0 mlxscore=0 spamscore=0 impostorscore=0 phishscore=0 clxscore=1015 priorityscore=1501 bulkscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2011110136 Content-Transfer-Encoding: 8bit From: James Bottomley This patch series is modelled on the structure of the Bhyve patches for Ovmf, since it does somewhat similar things. This patch series creates a separate build for an AmdSev OVMF.fd that does nothing except combine with grub and boot straight through the internal grub to try to mount an encrypted volume. Concept: SEV Secure Encrypted Images ==================================== The SEV patches in Linux and OVMF allow for the booting of SEV VMs in an encrypted state, but don't really show how this could be done with an encrypted image. Since the key used to decrypt the image must be maintained within the SEV encryption envelope, encrypted QCOW is not an option because the key would then have to be known to QEMU which is outside the encryption envelope. The proposal here is that an encrypted image should be a QCOW image consisting of two partitions, the normal unencrypted EFI partition (Identifying it as an OVMF bootable image) and a luks encrypted root partition. The kernel would be inside the encrypted root in the /boot directory. The secret injected securely through QEMU is extracted by OVMF and passed to grub which uses it to mount the encrypted root and boot the kernel normally. The creator of the secret bundle must be satisfied with the SEV attestation before the secret is constructed. Unfortunately, the SEV attestation can only be on the first QEMU firmware volume and nothing else, so this patch series builds grub itself into a firmware volume and places it inside OVMF so that the entire boot system can be attested. In a normal OVMF KVM system, the variable store is on the second flash volume (which is read/write). Unfortunately, this mutable configuration provided by the variables is outside the attestation envelope and can significantly alter the boot path, possibly leading to secret leak, so encrypted image boot should only be done with the OVMF.fd that combines both the code and variables. the OVMF.fd is constructed so that it becomes impossible to interrupt the boot sequence after attestation and the system will either boot the image or fail. The boot sequence runs the grub.efi embedded in the OVMF firmware volume so the encrypted image owner knows their own version of grub is the only one that will boot before injecting the secret. Note this boot path actually ignores the unencrypted EFI partition. However, as part of this design, the encrypted image may be booted by a standard OVMF KVM boot and in that case, the user will have to type the encryption password. This standard boot will be insecure but it might be used by the constructor of the encrypted images on their own private laptop, for instance. The standard boot path will use the unencrypted EFI partition. Patches Required Outside of OVMF ================================ There is a patch set to grub which allows it to extract the SEV secret area from the configuration table and use the secret as a password to do a luks crypto mount of root (this is the sevsecret grub module). There is also a patch to qemu which allows it to search through the OVMF.fd and find the SEV secret area which is now described inside the Reset Vector using the existing SEV_ES reset block. This area is the place QEMU will inject the encrypted SEV secret bundle. Security of the System ====================== Since Grub is now part of the attested OVMF.fd bundle, the VM owner knows absolutely that it will proceed straight to partition decryption inside the attested code and boot the kernel off the encrypted partition. Even if a different QCOW image is substituted, the boot will fail without revealing the secret because the system is designed to fail hard in that case and because the secret is always contained within the encrypted envelope it should be impossible for the cloud operator to obtain it even if they can pause the boot and examine the machine memory. Putting it All Together ======================= This is somewhat hard. You must first understand how to boot a QEMU system so as to have the VM pause after firmware loading (-S option) and use the qmp port to request an attestation. Only if the attestation corresponds to the expected sha256sum of OVMF.fd should the secret bundle be constructed and injected using qmp. The tools for constructing the secret bundle are in https://github.com/AMDESE/sev-tool/ James --- James Bottomley (4): OvmfPkg/Amdsev: Base commit to build encrypted boot specific OVMF OvmfPkg/AmdSev: add Grub Firmware Volume Package OvmfPkg: create a SEV secret area in the AmdSev memfd OvmfPkg/AmdSev: Expose the Sev Secret area using a configuration table OvmfPkg/OvmfPkg.dec | 6 + OvmfPkg/AmdSev/AmdSevX64.dsc | 1035 +++++++++++ OvmfPkg/AmdSev/AmdSevX64.fdf | 515 ++++++ OvmfPkg/AmdSev/Grub/Grub.inf | 37 + .../SevLaunchSecret/SecretDxe/SecretDxe.inf | 38 + .../SevLaunchSecret/SecretPei/SecretPei.inf | 46 + .../PlatformBootManagerLibGrub.inf | 84 + OvmfPkg/ResetVector/ResetVector.inf | 4 + .../PlatformBootManagerLibGrub/BdsPlatform.h | 179 ++ .../SevLaunchSecret/SecretDxe/SecretDxe.c | 29 + .../SevLaunchSecret/SecretPei/SecretPei.c | 26 + .../PlatformBootManagerLibGrub/BdsPlatform.c | 1538 +++++++++++++++++ .../PlatformBootManagerLibGrub/PlatformData.c | 213 +++ OvmfPkg/AmdSev/Grub/.gitignore | 1 + OvmfPkg/AmdSev/Grub/grub.cfg | 35 + OvmfPkg/AmdSev/Grub/grub.sh | 54 + OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 4 + OvmfPkg/ResetVector/ResetVector.nasmb | 2 + 18 files changed, 3846 insertions(+) create mode 100644 OvmfPkg/AmdSev/AmdSevX64.dsc create mode 100644 OvmfPkg/AmdSev/AmdSevX64.fdf create mode 100644 OvmfPkg/AmdSev/Grub/Grub.inf create mode 100644 OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.inf create mode 100644 OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.inf create mode 100644 OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManagerLibGrub.inf create mode 100644 OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h create mode 100644 OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.c create mode 100644 OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.c create mode 100644 OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c create mode 100644 OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformData.c create mode 100644 OvmfPkg/AmdSev/Grub/.gitignore create mode 100644 OvmfPkg/AmdSev/Grub/grub.cfg create mode 100644 OvmfPkg/AmdSev/Grub/grub.sh -- 2.26.2