From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) by mx.groups.io with SMTP id smtpd.web10.1909.1626859768273508035 for ; Wed, 21 Jul 2021 02:29:28 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@ibm.com header.s=pp1 header.b=LKSMMPzJ; spf=pass (domain: linux.ibm.com, ip: 148.163.156.1, mailfrom: dovmurik@linux.ibm.com) Received: from pps.filterd (m0098394.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 16L945hL102330; Wed, 21 Jul 2021 05:29:26 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=date : from : to : cc : subject : message-id : references : content-type : in-reply-to : mime-version; s=pp1; bh=3K5EwCmoSN6N7CEqaF1lZvbY4EcbYh6a3sGlgl9jVuc=; b=LKSMMPzJgUj86zrUABRP9UYg9MtAXir7bQqzh555oAEZBLfhS5jjEVzRkpCeOYOQEtzX e1uXWw9b8Oj0IhVSt3+nAauT94o0M0n7j+JA5fNgDwOTyiZSRORDyHLXnvscbNe/3Fiy UzI+lMl8D1FXC8Lq+F5naDzp9MxhCqOm3TKk+oNWDpbNFT7FSRXyz8U9faiTOTEjGXu4 weN7uLfs0Jrh9WUjmGeBLtqkW3lGrI4ACKjExVVuR7lthuXlngd5oPNGmTMfGI2Z4DCl VymezUs57er17Gdyhf+5zRmVT4v9zqbkMYNj4nRSyzLT1jY76RMNNNlj44unqdkBXK9U Hg== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 39xen03se3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 21 Jul 2021 05:29:26 -0400 Received: from m0098394.ppops.net (m0098394.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16L9CapE148003; Wed, 21 Jul 2021 05:29:26 -0400 Received: from ppma01dal.us.ibm.com (83.d6.3fa9.ip4.static.sl-reverse.com [169.63.214.131]) by mx0a-001b2d01.pphosted.com with ESMTP id 39xen03sdw-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 21 Jul 2021 05:29:26 -0400 Received: from pps.filterd (ppma01dal.us.ibm.com [127.0.0.1]) by ppma01dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16L9GUBN025578; Wed, 21 Jul 2021 09:29:25 GMT Received: from b01cxnp22036.gho.pok.ibm.com (b01cxnp22036.gho.pok.ibm.com [9.57.198.26]) by ppma01dal.us.ibm.com with ESMTP id 39upud5qdb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 21 Jul 2021 09:29:25 +0000 Received: from b01ledav001.gho.pok.ibm.com (b01ledav001.gho.pok.ibm.com [9.57.199.106]) by b01cxnp22036.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 16L9TMZY15729008 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 21 Jul 2021 09:29:22 GMT Received: from b01ledav001.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 667A528071; Wed, 21 Jul 2021 09:29:22 +0000 (GMT) Received: from b01ledav001.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 18AFF2806F; Wed, 21 Jul 2021 09:29:22 +0000 (GMT) Received: from amdrome3 (unknown [9.2.130.16]) by b01ledav001.gho.pok.ibm.com (Postfix) with ESMTPS; Wed, 21 Jul 2021 09:29:22 +0000 (GMT) Date: Wed, 21 Jul 2021 09:29:15 +0000 From: "Dov Murik" To: Dov Murik , Tom Lendacky , Brijesh Singh , Ard Biesheuvel Cc: devel@edk2.groups.io, Tobin Feldman-Fitzthum , Tobin Feldman-Fitzthum , Jim Cadden , James Bottomley , Hubertus Franke , Ard Biesheuvel , Jordan Justen , Ashish Kalra , Brijesh Singh , Erdem Aktas , Jiewen Yao , Min Xu , Tom Lendacky Subject: Re: [PATCH v3 10/11] OvmfPkg: add BlobVerifierLibSevHashes Message-ID: <20210721092915.GA1219115@amdrome3> References: <20210720080401.3662854-1-dovmurik@linux.ibm.com> <20210720080401.3662854-11-dovmurik@linux.ibm.com> In-Reply-To: <20210720080401.3662854-11-dovmurik@linux.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: btb-PATTb3soR61NKPqQC3TSLYb5n__- X-Proofpoint-GUID: 07Bwab5Hv_kaZyYk7ABAZygirAi-PQhJ X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391,18.0.790 definitions=2021-07-21_04:2021-07-21,2021-07-21 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 clxscore=1015 priorityscore=1501 impostorscore=0 spamscore=0 malwarescore=0 lowpriorityscore=0 bulkscore=0 suspectscore=0 mlxscore=0 adultscore=0 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104190000 definitions=main-2107210050 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Tom, Brijesh, Ard, I think I found a bug in this patch. I used libfuzzer to test the VerifyBlob implementation here, and it immediately found a few "read memory out of range" issues. See details below in VerifyBlob. If the Guest Owner properly validates the measurement (which includes the expected well-formatted hashes table), then QEMU cannot modify it by including problematic length fields, etc. So I this bug is not a security issue - it doesn't allow QEMU to circumvent the kernel/initrd/cmdline measurement check. That said, I think that OVMF should not access memory ranges it's not supposed to, and that's why I think hardening this parsing function is a good idea. I'll submit another version with added validity checks of the hashes table structure. I'll also add the INT32 explanation comment per Tom's suggestion. On Tue, Jul 20, 2021 at 08:04:00AM +0000, Dov Murik wrote: > Add an implementation for BlobVerifierLib that locates the SEV hashes > table and verifies that the calculated hashes of the kernel, initrd, and > cmdline blobs indeed match the expected hashes stated in the hashes > table. > > If there's a missing hash or a hash mismatch then EFI_ACCESS_DENIED is > returned which will cause a failure to load a kernel image. > > Cc: Ard Biesheuvel > Cc: Jordan Justen > Cc: Ashish Kalra > Cc: Brijesh Singh > Cc: Erdem Aktas > Cc: James Bottomley > Cc: Jiewen Yao > Cc: Min Xu > Cc: Tom Lendacky > Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457 > Co-developed-by: James Bottomley > Signed-off-by: James Bottomley > Signed-off-by: Dov Murik > --- > OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes.inf | 37 ++++ > OvmfPkg/Library/BlobVerifierLib/BlobVerifierSevHashes.c | 200 ++++++++++++++++++++ > 2 files changed, 237 insertions(+) > > diff --git a/OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes.inf b/OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes.inf > new file mode 100644 > index 000000000000..76ca0b8154ce > --- /dev/null > +++ b/OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes.inf > @@ -0,0 +1,37 @@ > +## @file > +# > +# Blob verifier library that uses SEV hashes table. The hashes table holds the > +# allowed hashes of the kernel, initrd, and cmdline blobs. > +# > +# Copyright (C) 2021, IBM Corp > +# > +# SPDX-License-Identifier: BSD-2-Clause-Patent > +# > +## > + > +[Defines] > + INF_VERSION = 1.29 > + BASE_NAME = BlobVerifierLibSevHashes > + FILE_GUID = 59e713b5-eff3-46a7-8d8b-46f4c004ad7b > + MODULE_TYPE = BASE > + VERSION_STRING = 1.0 > + LIBRARY_CLASS = BlobVerifierLib > + CONSTRUCTOR = BlobVerifierLibSevHashesConstructor > + > +[Sources] > + BlobVerifierSevHashes.c > + > +[Packages] > + CryptoPkg/CryptoPkg.dec > + MdePkg/MdePkg.dec > + OvmfPkg/OvmfPkg.dec > + > +[LibraryClasses] > + BaseCryptLib > + BaseMemoryLib > + DebugLib > + PcdLib > + > +[FixedPcd] > + gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase > + gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize > diff --git a/OvmfPkg/Library/BlobVerifierLib/BlobVerifierSevHashes.c b/OvmfPkg/Library/BlobVerifierLib/BlobVerifierSevHashes.c > new file mode 100644 > index 000000000000..797d63d18067 > --- /dev/null > +++ b/OvmfPkg/Library/BlobVerifierLib/BlobVerifierSevHashes.c > @@ -0,0 +1,200 @@ > +/** @file > + > + Blob verifier library that uses SEV hashes table. The hashes table holds the > + allowed hashes of the kernel, initrd, and cmdline blobs. > + > + Copyright (C) 2021, IBM Corporation > + > + SPDX-License-Identifier: BSD-2-Clause-Patent > +**/ > + > +#include > +#include > +#include > +#include > +#include > + > +/** > + The SEV Hashes table must be in encrypted memory and has the table > + and its entries described by > + > + |UINT16 | > + > + With the whole table GUID being 9438d606-4f22-4cc9-b479-a793d411fd21 > + > + The current possible table entries are for the kernel, the initrd > + and the cmdline: > + > + 4de79437-abd2-427f-b835-d5b172d2045b kernel > + 44baf731-3a2f-4bd7-9af1-41e29169781d initrd > + 97d02dd8-bd20-4c94-aa78-e7714d36ab2a cmdline > + > + The size of the entry is used to identify the hash, but the > + expectation is that it will be 32 bytes of SHA-256. > +**/ > + > +#define SEV_HASH_TABLE_GUID \ > + (GUID) { 0x9438d606, 0x4f22, 0x4cc9, { 0xb4, 0x79, 0xa7, 0x93, 0xd4, 0x11, 0xfd, 0x21 } } > +#define SEV_KERNEL_HASH_GUID \ > + (GUID) { 0x4de79437, 0xabd2, 0x427f, { 0xb8, 0x35, 0xd5, 0xb1, 0x72, 0xd2, 0x04, 0x5b } } > +#define SEV_INITRD_HASH_GUID \ > + (GUID) { 0x44baf731, 0x3a2f, 0x4bd7, { 0x9a, 0xf1, 0x41, 0xe2, 0x91, 0x69, 0x78, 0x1d } } > +#define SEV_CMDLINE_HASH_GUID \ > + (GUID) { 0x97d02dd8, 0xbd20, 0x4c94, { 0xaa, 0x78, 0xe7, 0x71, 0x4d, 0x36, 0xab, 0x2a } } > + > +STATIC CONST EFI_GUID mSevKernelHashGuid = SEV_KERNEL_HASH_GUID; > +STATIC CONST EFI_GUID mSevInitrdHashGuid = SEV_INITRD_HASH_GUID; > +STATIC CONST EFI_GUID mSevCmdlineHashGuid = SEV_CMDLINE_HASH_GUID; > + > +#pragma pack (1) > +typedef struct { > + GUID Guid; > + UINT16 Len; > + UINT8 Data[]; > +} HASH_TABLE; > +#pragma pack () > + > +STATIC HASH_TABLE *mHashesTable; > +STATIC UINT16 mHashesTableSize; > + > +STATIC > +CONST GUID* > +FindBlobEntryGuid ( > + IN CONST CHAR16 *BlobName > + ) > +{ > + if (StrCmp (BlobName, L"kernel") == 0) { > + return &mSevKernelHashGuid; > + } else if (StrCmp (BlobName, L"initrd") == 0) { > + return &mSevInitrdHashGuid; > + } else if (StrCmp (BlobName, L"cmdline") == 0) { > + return &mSevCmdlineHashGuid; > + } else { > + return NULL; > + } > +} > + > +/** > + Verify blob from an external source. > + > + @param[in] BlobName The name of the blob > + @param[in] Buf The data of the blob > + @param[in] BufSize The size of the blob in bytes > + > + @retval EFI_SUCCESS The blob was verified successfully. > + @retval EFI_ACCESS_DENIED The blob could not be verified, and therefore > + should be considered non-secure. > +**/ > +EFI_STATUS > +EFIAPI > +VerifyBlob ( > + IN CONST CHAR16 *BlobName, > + IN CONST VOID *Buf, > + IN UINT32 BufSize > + ) > +{ > + CONST GUID *Guid; > + INT32 Len; > + HASH_TABLE *Entry; > + > + if (mHashesTable == NULL || mHashesTableSize == 0) { > + DEBUG ((DEBUG_ERROR, > + "%a: Verifier called but no hashes table discoverd in MEMFD\n", > + __FUNCTION__)); > + return EFI_ACCESS_DENIED; > + } > + > + Guid = FindBlobEntryGuid (BlobName); > + if (Guid == NULL) { > + DEBUG ((DEBUG_ERROR, "%a: Unknown blob name \"%s\"\n", __FUNCTION__, > + BlobName)); > + return EFI_ACCESS_DENIED; > + } > + > + for (Entry = mHashesTable, Len = 0; > + Len < (INT32)mHashesTableSize; > + Len += Entry->Len, > + Entry = (HASH_TABLE *)((UINT8 *)Entry + Entry->Len)) { > + UINTN EntrySize; > + EFI_STATUS Status; > + UINT8 Hash[SHA256_DIGEST_SIZE]; > + > + if (!CompareGuid (&Entry->Guid, Guid)) { Bug: This can access memory above the mHashTableSize limit. Consider mHashTableSize == 1. We enter the for loop but CompareGuid will "read" 16 bytes of Entry->Guid, which is past the limit. > + continue; > + } > + > + DEBUG ((DEBUG_INFO, "%a: Found GUID %g in table\n", __FUNCTION__, Guid)); > + > + EntrySize = Entry->Len - sizeof (Entry->Guid) - sizeof (Entry->Len); Bug: This can access memory above the mHashTableSize limit. Consider mHashTableSize == 16. CompareGuid is OK but Entry->Len accesses the 2 bytes at offset 16, which is after the limit. > + if (EntrySize != SHA256_DIGEST_SIZE) { > + DEBUG ((DEBUG_ERROR, "%a: Hash has the wrong size %d != %d\n", > + __FUNCTION__, EntrySize, SHA256_DIGEST_SIZE)); > + return EFI_ACCESS_DENIED; > + } > + > + // > + // Calculate the buffer's hash and verify that it is identical to the > + // expected hash table entry > + // > + Sha256HashAll (Buf, BufSize, Hash); > + > + if (CompareMem (Entry->Data, Hash, EntrySize) == 0) { Bug: This can access memory above the mHashTableSize limit. Consider mHashTableSize == 21. CompareGuid is OK and Entry->Len == 50 as expected (18 bytes header and 32 bytes for SHA256). But CompareMem will try to read the 32 bytes when it's only allowed to read 3 bytes (21 - 18). -Dov > + Status = EFI_SUCCESS; > + DEBUG ((DEBUG_INFO, "%a: Hash comparison succeeded for \"%s\"\n", > + __FUNCTION__, BlobName)); > + } else { > + Status = EFI_ACCESS_DENIED; > + DEBUG ((DEBUG_ERROR, "%a: Hash comparison failed for \"%s\"\n", > + __FUNCTION__, BlobName)); > + } > + return Status; > + } > + > + DEBUG ((DEBUG_ERROR, "%a: Hash GUID %g not found in table\n", __FUNCTION__, > + Guid)); > + return EFI_ACCESS_DENIED; > +} > + > +/** > + Locate the SEV hashes table. > + > + This function always returns success, even if the table can't be found. The > + subsequent VerifyBlob calls will fail if no table was found. > + > + @retval RETURN_SUCCESS The verifier tables were set up correctly > +**/ > +RETURN_STATUS > +EFIAPI > +BlobVerifierLibSevHashesConstructor ( > + VOID > + ) > +{ > + HASH_TABLE *Ptr = (void *)(UINTN)FixedPcdGet64 (PcdQemuHashTableBase); > + UINT32 Size = FixedPcdGet32 (PcdQemuHashTableSize); > + > + mHashesTable = NULL; > + mHashesTableSize = 0; > + > + if (Ptr == NULL || Size == 0) { > + return RETURN_SUCCESS; > + } > + > + if (!CompareGuid (&Ptr->Guid, &SEV_HASH_TABLE_GUID)) { > + return RETURN_SUCCESS; > + } > + > + if (Ptr->Len < (sizeof Ptr->Guid + sizeof Ptr->Len)) { > + return RETURN_SUCCESS; > + } > + > + DEBUG ((DEBUG_INFO, "%a: Found injected hashes table in secure location\n", > + __FUNCTION__)); > + > + mHashesTable = (HASH_TABLE *)Ptr->Data; > + mHashesTableSize = Ptr->Len - sizeof Ptr->Guid - sizeof Ptr->Len; > + > + DEBUG ((DEBUG_VERBOSE, "%a: mHashesTable=0x%p, Size=%u\n", __FUNCTION__, > + mHashesTable, mHashesTableSize)); > + > + return RETURN_SUCCESS; > +} > -- > 2.25.1 >