From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM12-BN8-obe.outbound.protection.outlook.com (NAM12-BN8-obe.outbound.protection.outlook.com [40.107.237.52]) by mx.groups.io with SMTP id smtpd.web10.7800.1605201760862233651 for ; Thu, 12 Nov 2020 09:22:41 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@amdcloud.onmicrosoft.com header.s=selector2-amdcloud-onmicrosoft-com header.b=mF+/KKvW; spf=none, err=SPF record not found (domain: amd.com, ip: 40.107.237.52, mailfrom: ashish.kalra@amd.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bQfMAGI2PtEuMJd1wRkCh5dApd5V77kOWEMRLOMlePSzwpus04uFRBD5pMFlLEzlPVD+Xc8apWb3pUR41tta7OX0y8+sp0oYGfm541IsF5Rn0rSdNzAEM/SOuT8cefGasdGeNEg4Xj7yyKhb5YV1vpbuSe+8BJlLm/q9+IVZCr5KmE0cobqQqLHQuPnJuvs4YGCjLJ7xge5Kd6fePe08AzLQ6uUmK8AsXpkyFtL0/oa42Ev/WNXhddwvReeTgE+2C+p9/mDHTVp6PJslVwIl0e2AkLn8LcVkVlNCkqVdcpP1XZ65TV0pjz6G8Xmz9P34Zz/DgRMwGucIoQlMGNjW9Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=lWZs727rA3+yg3Pp/RroSkYwj42H5D3iGQiFliW/VSQ=; b=NOLElJB8ivd3jxHFmzXBMhSmP/eenOOcaxL8KUHORYcRrWMlDNPNopLJz+AOjPXdrQJ86qz+0yBrzfL4Xj5dmen7uxIGzeHnSRXGa5nRobrDxpkRCmFeYXMOcAQD7m17bPhXDH3y0jhkgCc4cQvxYOansCE5PxsWwMGjkxYfa3UZBLjuEoSX2OK5XR2GCu5gtpNomMRrWrJK3L4QlxLPovtxB3ADRLg5uKA9uA7/RbC+5jkfBZ2OoLrcX2mFOuJB9OnN/ennfTphdgREttdUcuing0QWTQQJ/9NGDh21QJirXqHoHGuPNtzBChlazl1BfR+nVodHMsSIPCScfP0dDA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amdcloud.onmicrosoft.com; s=selector2-amdcloud-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=lWZs727rA3+yg3Pp/RroSkYwj42H5D3iGQiFliW/VSQ=; b=mF+/KKvWOlttc+op72jwfScE0c4mXexgOSFRxXgM7LnT4BtvfBFG4bpr1MOhRt7655Ij8vwRbebck6mqJGsXNCvVWklcInSUR5z0ASW6BKNkXD/pDVos/xOiKGQu2JLcWP+JrMFp7YnVB03vV7LW/6Krl6Isjkfza/CtJU8I8lo= Authentication-Results: linux.ibm.com; dkim=none (message not signed) header.d=none;linux.ibm.com; dmarc=none action=none header.from=amd.com; Received: from SN6PR12MB2767.namprd12.prod.outlook.com (2603:10b6:805:75::23) by SA0PR12MB4557.namprd12.prod.outlook.com (2603:10b6:806:9d::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3541.25; Thu, 12 Nov 2020 17:22:39 +0000 Received: from SN6PR12MB2767.namprd12.prod.outlook.com ([fe80::d8f2:fde4:5e1d:afec]) by SN6PR12MB2767.namprd12.prod.outlook.com ([fe80::d8f2:fde4:5e1d:afec%3]) with mapi id 15.20.3541.025; Thu, 12 Nov 2020 17:22:39 +0000 Date: Thu, 12 Nov 2020 17:22:31 +0000 From: Ashish Kalra To: James Bottomley Cc: "Dr. David Alan Gilbert" , devel@edk2.groups.io, dovmurik@linux.vnet.ibm.com, Dov.Murik1@il.ibm.com, brijesh.singh@amd.com, tobin@ibm.com, david.kaplan@amd.com, jon.grimm@amd.com, thomas.lendacky@amd.com, frankeh@us.ibm.com Subject: Re: [PATCH 0/4] SEV Encrypted Boot for Ovmf Message-ID: <20201112172231.GA3274@ashkalra_ubuntu_server> References: <20201112001316.11341-1-jejb@linux.ibm.com> <20201112162117.GA3223@ashkalra_ubuntu_server> <20201112163434.GH2905@work-vm> <6285626e5b22fbbf78b15d21dcc17adf9ed0e21e.camel@linux.ibm.com> In-Reply-To: <6285626e5b22fbbf78b15d21dcc17adf9ed0e21e.camel@linux.ibm.com> User-Agent: Mutt/1.9.4 (2018-02-28) X-Originating-IP: [165.204.77.1] X-ClientProxiedBy: SN4PR0501CA0137.namprd05.prod.outlook.com (2603:10b6:803:2c::15) To SN6PR12MB2767.namprd12.prod.outlook.com (2603:10b6:805:75::23) Return-Path: ashish.kalra@amd.com MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from ashkalra_ubuntu_server (165.204.77.1) by SN4PR0501CA0137.namprd05.prod.outlook.com (2603:10b6:803:2c::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3564.13 via Frontend Transport; Thu, 12 Nov 2020 17:22:37 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-HT: Tenant X-MS-Office365-Filtering-Correlation-Id: a113c561-7a2d-47fb-3cb3-08d8872f8d2f X-MS-TrafficTypeDiagnostic: SA0PR12MB4557: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:9508; X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: DrsGVHeij4UTjDMSsS4pc6ptJApVw5Nd9rGRiqSur6gWBFBLMuJnes8xjJhIUd0aYw3/hoWJd7qpFFqvVtyv/ujKdcU8NVhkqKP4GgvG5oJsIZx8cnQtCYprWH4OV65OKeYrLIF4ALVbiLK/kNZUiS7sh57xZZtBqE6+EK5S/T6rrO2FgWB9OHKc7VvPDVB8OIWiiu/jAafRM/TIABq0mWDK6gzG0oGMz2KGjfPTgU34rrExf3pn7WK90sQ0VpfgVARs0Usesw6Q2MkPHn45ndsee7e3LDl1wmsui/IcfSVh9QcOHF0u0RN1hA2M3MHa+/obV+sKUx1CChKHepLvGQ== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SN6PR12MB2767.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(39860400002)(396003)(346002)(376002)(136003)(366004)(33716001)(316002)(26005)(44832011)(83380400001)(6496006)(52116002)(16526019)(5660300002)(2906002)(33656002)(66946007)(66556008)(6666004)(4326008)(66476007)(1076003)(956004)(8936002)(8676002)(478600001)(86362001)(6916009)(55016002)(4001150100001)(9686003)(186003);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData: 9NDa5W0Fd/KTuACfxVgL7P3mwIFGTVtP+M82/6hd2RTYrd/7eDlBDVImJi27B6wh65ibw+94rYDS7n94ajwtC7sadSzLHZNmAevM6pBX0sTL/GGHsBWkErFwh3LhCR60WPNWr/TddP2vp69cZsWwChB1wlgRIZJf5Abc/qlnI3x2/XfCjUvOnv9pYVwi5EZCTNWkXWzwXKRIWfe9rZ9AtbqZ9Dk2lu4Z2lE84L5u+FLEAsYwd/ANZCAGGQRybqFqQGMgyCMpismJLhSAStEEoA3+Gv3aDhTaqXZbWIK2fubIFU5ApDRI9SgVeB2C9odoEKuhQoblK+5tSvhQOZX5SpehbkFGAydv98GrS+SNwp4NL9Zsdkd2viB4kB9dpANq/rGOp9UcB8nYN9xXxJQhxU+CE/7FnimYyRSvm2MtRnZCSuK2A9fVpPszJ5osMDQ7XKMUTJBZ1qv0EmblVATixEyRJOh1t4BwY20Xtg4Rqyw1lhOCQe4CeBz1cPLV6t3YD2lJ28NJ1URZ/rLazLeNpHOE85mu9Rhgcd2xwk7nuzqQ9jMstxtTzlsdAh1StIIdFLzdRT1cTkgjJLHwsL5LqqiLbDlrqgqKGBB6jcZ2y82ZTl7M7sW9OCW/abJqmHBWswcn68HzyhrHao70oU/kp1M2Ef3ma7gFiWbep8lT3WPjK8RudGelsiRXbFwFWvypcCrhGwWnzqpWz9V0H0n0noBkK+JEuR/ntQStiJVaIin2ZDKp+af+zj/DsmI737/dAC+q6c57vMt6T4CNjQUTis5O3sZVktEemxFoaXZ77UM22adE2aP59ko7JMbdzR1Wf7u9MV2gB0MekHb6e6yl4Al6H1lIwob77dy4JEgYhOXcdHh9X/WbdbNYZ7ip1UQPXBqBchSTX5gaotBnNipAiA== X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-Network-Message-Id: a113c561-7a2d-47fb-3cb3-08d8872f8d2f X-MS-Exchange-CrossTenant-AuthSource: SN6PR12MB2767.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 Nov 2020 17:22:38.4125 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: 6CveiH7lQ9NwdiGO76UdOVL+FW1Rrz1TO3qAwrVLLStBxl8aGeNhkBpzV0nGtJt9tWumICXvaafvlij8KEP85A== X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA0PR12MB4557 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Thu, Nov 12, 2020 at 09:07:11AM -0800, James Bottomley wrote: > On Thu, 2020-11-12 at 16:34 +0000, Dr. David Alan Gilbert wrote: > > * Ashish Kalra (ashish.kalra@amd.com) wrote: > > > On Wed, Nov 11, 2020 at 04:13:12PM -0800, James Bottomley wrote: > > > > From: James Bottomley > > > > > > > > This patch series is modelled on the structure of the Bhyve > > > > patches for Ovmf, since it does somewhat similar things. This > > > > patch series creates a separate build for an AmdSev OVMF.fd that > > > > does nothing except combine with grub and boot straight through > > > > the internal grub to try to mount an encrypted volume. > > > > > > > > Concept: SEV Secure Encrypted Images > > > > ==================================== > > > > > > > > The SEV patches in Linux and OVMF allow for the booting of SEV > > > > VMs in an encrypted state, but don't really show how this could > > > > be done with an encrypted image. > > > > > > A basic question here ... the SEV usage model in which the firmware > > > is encrypted and loaded into VM using LAUNCH_UPDATA_DATA and then > > > measurement is provided and attestation is done with the VM owner > > > and after VM owner verifies measurement, the VM owner encrypts the > > > disk encryption key and sends it to the guest and it is injected > > > into the guest using the LAUNCH_SECRET API, which is then used to > > > decrypt the OS encrypted image, won't this work to start the SEV VM > > > with an encrypted image ? > > > > That's still what James system does, but the problem is maintaining a > > chain of trust from the set of measured binaries to the point at > > which you can use the injected secret. > > > > On the current OVMF world we end up measuring the OVMF binary, but > > not the stored variable flash; but then what? Who would read the > > injected secret? Because SEV/SEV-ES has no way of performing a later > > attestation, or updating the measurements, we have no way of > > following the path from OVMF (possibly via variables) to a boot > > loader, to a filesystem. > > Right, the specific problem is our current linux boot sequence goes > > OVMF->grub->linux > > But OVMF can only execute things on an unencrypted vFAT filesytem, so > if grub is on vFAT there's no way to prevent a cloud admin substituting > the grub binary after attestation is done and the key released if we > only attest OVMF, so the bogus grub binary could simply capture the key > and transmit it to a hacker. > > Pulling grub inside OVMF allows us to attest both OVMF and grub as one > entity and also prevents the boot going via the unencrypted vFAT > filesystem, eliminating the potential interception point. > > James > > Thanks James and Dave for the detailed explanations, i get the picture. Also after discussion with Brijesh, i understand that this is fixing a known gap in the SEV s/w stack. Ashish