From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.158.5]) by mx.groups.io with SMTP id smtpd.web08.3619.1625561715884286735 for ; Tue, 06 Jul 2021 01:55:16 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@ibm.com header.s=pp1 header.b=enMlBTVj; spf=pass (domain: linux.ibm.com, ip: 148.163.158.5, mailfrom: dovmurik@linux.ibm.com) Received: from pps.filterd (m0098414.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 1668YZBx182761; Tue, 6 Jul 2021 04:55:11 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : content-transfer-encoding : mime-version; s=pp1; bh=UwbFKMNGEuwsqANZ8Duru4gkydyKmNorrpgrhjgJeSg=; b=enMlBTVjp/I8749gh4MjNkgmPZubUXPiPNy5N/YleSugZohQJjQJ7dYYsH1qCEOl+wr6 tfLoMW9hfGEo+Svd9M0uD3tU5xWZw2IbJRfOEvg3aawpxSYkV20sFy8+hNfwSjD3aFd+ QU2WucihpI5sohwsEEl8pAUVNstM+9Aq+NheWSyUuvf7wnZkJgga89iUZ4z0L0+7Ck37 NNtI6EePGjo0uPbSS5Vr2SpuHqgBjed9IaAr5rdo3BbsYMPxfbWuCyD8x37J1Z9apmFl 5kV0fhMsKgRNXoJ/f2sofFEOdnEqkaONpBdRb+HsEKFbHZFHUU8S6dHYU2fFi4Etg9OE CA== Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-001b2d01.pphosted.com with ESMTP id 39m8xspe2x-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 06 Jul 2021 04:55:10 -0400 Received: from m0098414.ppops.net (m0098414.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 1668ZDqa184767; Tue, 6 Jul 2021 04:55:10 -0400 Received: from ppma02wdc.us.ibm.com (aa.5b.37a9.ip4.static.sl-reverse.com [169.55.91.170]) by mx0b-001b2d01.pphosted.com with ESMTP id 39m8xspe1t-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 06 Jul 2021 04:55:10 -0400 Received: from pps.filterd (ppma02wdc.us.ibm.com [127.0.0.1]) by ppma02wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 1668q4Ig006504; Tue, 6 Jul 2021 08:55:09 GMT Received: from b03cxnp07027.gho.boulder.ibm.com (b03cxnp07027.gho.boulder.ibm.com [9.17.130.14]) by ppma02wdc.us.ibm.com with ESMTP id 39jfhaqugs-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 06 Jul 2021 08:55:09 +0000 Received: from b03ledav003.gho.boulder.ibm.com (b03ledav003.gho.boulder.ibm.com [9.17.130.234]) by b03cxnp07027.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 1668t73g29164028 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 6 Jul 2021 08:55:07 GMT Received: from b03ledav003.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 5BF7E6A057; Tue, 6 Jul 2021 08:55:07 +0000 (GMT) Received: from b03ledav003.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 2A4836A077; Tue, 6 Jul 2021 08:55:06 +0000 (GMT) Received: from localhost.localdomain (unknown [9.2.130.16]) by b03ledav003.gho.boulder.ibm.com (Postfix) with ESMTP; Tue, 6 Jul 2021 08:55:05 +0000 (GMT) From: "Dov Murik" To: devel@edk2.groups.io Cc: Dov Murik , Tobin Feldman-Fitzthum , Tobin Feldman-Fitzthum , Jim Cadden , James Bottomley , Hubertus Franke , Laszlo Ersek , Ard Biesheuvel , Jordan Justen , Ashish Kalra , Brijesh Singh , Erdem Aktas , Jiewen Yao , Min Xu , Tom Lendacky , Leif Lindholm , Sami Mujawar Subject: [PATCH v2 00/11] Measured SEV boot with kernel/initrd/cmdline Date: Tue, 6 Jul 2021 08:54:50 +0000 Message-Id: <20210706085501.1260662-1-dovmurik@linux.ibm.com> X-Mailer: git-send-email 2.25.1 X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: FHi0zD7qXmxlAprD7dZhjkQmCff4VXlF X-Proofpoint-GUID: T6UCNP9VDCBmuF_Q2ZnqcKMn63_6Unu- X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391,18.0.790 definitions=2021-07-06_04:2021-07-02,2021-07-06 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1011 adultscore=0 malwarescore=0 phishscore=0 priorityscore=1501 spamscore=0 impostorscore=0 mlxlogscore=999 suspectscore=0 lowpriorityscore=0 mlxscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104190000 definitions=main-2107060042 Content-Transfer-Encoding: 8bit BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3457 Booting with SEV prevented the loading of kernel, initrd, and kernel command-line via QEMU fw_cfg interface because they arrive from the VMM which is untrusted in SEV. However, in some cases the kernel, initrd, and cmdline are not secret but should not be modified by the host. In such a case, we want to verify inside the trusted VM that the kernel, initrd, and cmdline are indeed the ones expected by the Guest Owner, and only if that is the case go on and boot them up (removing the need for grub inside OVMF in that mode). This patch series reserves an area in MEMFD (previously the last 1KB of the launch secret page) which will contain the hashes of these three blobs (kernel, initrd, cmdline), each under its own GUID entry. This tables of hashes is populated by QEMU before launch, and encrypted as part of the initial VM memory; this makes sure theses hashes are part of the SEV measurement (which has to be approved by the Guest Owner for secret injection, for example). Note that this requires QEMU support [1]. OVMF parses the table of hashes populated by QEMU (patch 5), and as it reads the fw_cfg blobs from QEMU, it will verify each one against the expected hash (kernel and initrd verifiers are introduced in patch 6, and command-line verifier is introduced in patches 7+8). This is all done inside the trusted VM context. If all the hashes are correct, boot of the kernel is allowed to continue. Any attempt by QEMU to modify the kernel, initrd, cmdline (including dropping one of them), or to modify the OVMF code that verifies those hashes, will cause the initial SEV measurement to change and therefore will be detectable by the Guest Owner during launch before secret injection. Relevant part of OVMF serial log during boot with AmdSevX86 build and QEMU with -kernel/-initrd/-append: ... SevHashesBlobVerifierLibConstructor: found injected hashes table in secure location Select Item: 0x17 Select Item: 0x8 FetchBlob: loading 7379328 bytes for "kernel" Select Item: 0x18 Select Item: 0x11 VerifyBlob: Found GUID 4DE79437-ABD2-427F-B835-D5B172D2045B in table VerifyBlob: Hash comparison succeeded for entry 'kernel' Select Item: 0xB FetchBlob: loading 12483878 bytes for "initrd" Select Item: 0x12 VerifyBlob: Found GUID 44BAF731-3A2F-4BD7-9AF1-41E29169781D in table VerifyBlob: Hash comparison succeeded for entry 'initrd' Select Item: 0x14 FetchBlob: loading 86 bytes for "cmdline" Select Item: 0x15 VerifyBlob: Found GUID 97D02DD8-BD20-4C94-AA78-E7714D36AB2A in table VerifyBlob: Hash comparison succeeded for entry 'cmdline' ... The patch series is organized as follows: 1: Simple comment fix in adjacent area in the code. 2: Use GenericQemuLoadImageLib to gain one location for fw_cfg blob fetching. 3: Allow the (previously blocked) usage of -kernel in AmdSevX64. 4-7: Add BlobVerifierLib with null implementation and use it in the correct location in QemuKernelLoaderFsDxe. 8-9: Reserve memory for hashes table, declare this area in the reset vector. 10-11: Add the secure implementation SevHashesBlobVerifierLib and use it in AmdSevX64 builds. [1] https://lore.kernel.org/qemu-devel/20210624102040.2015280-1-dovmurik@linux.ibm.com/ Code is at https://github.com/confidential-containers-demo/edk2/tree/sev-hashes-v2 v2 changes: - Use the last 1KB of the existing SEV launch secret page for hashes table (instead of reserving a whole new MEMFD page). - Build on top of commit cf203024745f ("OvmfPkg/GenericQemuLoadImageLib: Read cmdline from QemuKernelLoaderFs", 2021-06-28) to have a single location in which all of kernel/initrd/cmdline are fetched from QEMU. - Use static linking of the two BlobVerifierLib implemenatations. - Reorganize series. v1: https://edk2.groups.io/g/devel/message/75567 Cc: Laszlo Ersek Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Cc: Leif Lindholm Cc: Sami Mujawar Dov Murik (8): OvmfPkg/AmdSev: use GenericQemuLoadImageLib in AmdSev builds OvmfPkg: add library class BlobVerifierLib with null implementation OvmfPkg: add NullBlobVerifierLib to DSC ArmVirtPkg: add NullBlobVerifierLib to DSC OvmfPkg/QemuKernelLoaderFsDxe: call VerifyBlob after fetch from fw_cfg OvmfPkg/AmdSev/SecretPei: build hob for full page OvmfPkg: add SevHashesBlobVerifierLib OvmfPkg/AmdSev: Enforce hash verification of kernel blobs James Bottomley (3): OvmfPkg/AmdSev/SecretDxe: fix header comment to generic naming OvmfPkg: PlatformBootManagerLibGrub: Allow executing kernel via fw_cfg OvmfPkg/AmdSev: reserve MEMFD space for for firmware config hashes OvmfPkg/OvmfPkg.dec | 9 + ArmVirtPkg/ArmVirtQemu.dsc | 5 +- ArmVirtPkg/ArmVirtQemuKernel.dsc | 5 +- OvmfPkg/AmdSev/AmdSevX64.dsc | 9 +- OvmfPkg/OvmfPkgIa32.dsc | 5 +- OvmfPkg/OvmfPkgIa32X64.dsc | 5 +- OvmfPkg/OvmfPkgX64.dsc | 5 +- OvmfPkg/AmdSev/AmdSevX64.fdf | 5 +- OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf | 27 +++ OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifierLib.inf | 36 ++++ OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManagerLibGrub.inf | 2 + OvmfPkg/ResetVector/ResetVector.inf | 2 + OvmfPkg/Include/Library/BlobVerifierLib.h | 38 ++++ OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h | 11 ++ OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 2 +- OvmfPkg/AmdSev/SecretPei/SecretPei.c | 9 +- OvmfPkg/Library/BlobVerifierLib/NullBlobVerifier.c | 34 ++++ OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifier.c | 199 ++++++++++++++++++++ OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c | 5 + OvmfPkg/Library/{PlatformBootManagerLib => PlatformBootManagerLibGrub}/QemuKernel.c | 0 OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 9 + OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 20 ++ OvmfPkg/ResetVector/ResetVector.nasmb | 2 + 23 files changed, 434 insertions(+), 10 deletions(-) create mode 100644 OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf create mode 100644 OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifierLib.inf create mode 100644 OvmfPkg/Include/Library/BlobVerifierLib.h create mode 100644 OvmfPkg/Library/BlobVerifierLib/NullBlobVerifier.c create mode 100644 OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifier.c copy OvmfPkg/Library/{PlatformBootManagerLib => PlatformBootManagerLibGrub}/QemuKernel.c (100%) -- 2.25.1