From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) by mx.groups.io with SMTP id smtpd.web09.1966.1626721944272044899 for ; Mon, 19 Jul 2021 12:12:24 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@ibm.com header.s=pp1 header.b=bj06w2xr; spf=pass (domain: linux.ibm.com, ip: 148.163.156.1, mailfrom: dovmurik@linux.ibm.com) Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 16JJ2t1M163844; Mon, 19 Jul 2021 15:12:19 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=subject : to : cc : references : from : message-id : date : in-reply-to : content-type : content-transfer-encoding : mime-version; s=pp1; bh=R13oK600ZUV4PC6ZxeGlTRo9XEcRDiJyR4wZnLgvsdg=; b=bj06w2xr809XzwtZH+uRTLWjXuwHIFQ7aj4J8q0UjKbagh7U+aznk+K6ujTj6TO7zRLb TM01+XYVvGGoiBiKxrRxOMdfOZFer6F3MuKxXNVIHPbj1SXyiaLqjuH03zDSko4vx/bw BqL90pLY7Y5aNkMlIdk4+kiFIHCBveulhFOU65DtzfFlS+4YgavYkV5bNT+WhOfYE4vE fk9TllVY5DT9fY66bnD3hq6QVoasNPtLkV5J6o73LH5sZtC37sS54toN/nBVZFfpQ3fX BiLejvP05q0xe/5UF3Mh5zwCr5L6X1Ioef4A39F/eglQDYf0S/u27jBGRZYh26Kzb4Cy Jg== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 39wcy5vj97-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 19 Jul 2021 15:12:18 -0400 Received: from m0098399.ppops.net (m0098399.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16JJ3IAm165396; Mon, 19 Jul 2021 15:12:18 -0400 Received: from ppma03dal.us.ibm.com (b.bd.3ea9.ip4.static.sl-reverse.com [169.62.189.11]) by mx0a-001b2d01.pphosted.com with ESMTP id 39wcy5vj8s-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 19 Jul 2021 15:12:18 -0400 Received: from pps.filterd (ppma03dal.us.ibm.com [127.0.0.1]) by ppma03dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16JJ8wpZ027773; Mon, 19 Jul 2021 19:12:17 GMT Received: from b01cxnp22034.gho.pok.ibm.com (b01cxnp22034.gho.pok.ibm.com [9.57.198.24]) by ppma03dal.us.ibm.com with ESMTP id 39upubqvvj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 19 Jul 2021 19:12:17 +0000 Received: from b01ledav002.gho.pok.ibm.com (b01ledav002.gho.pok.ibm.com [9.57.199.107]) by b01cxnp22034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 16JJCGt443909572 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 19 Jul 2021 19:12:16 GMT Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E3C79124054; Mon, 19 Jul 2021 19:12:15 +0000 (GMT) Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 866C4124066; Mon, 19 Jul 2021 19:12:11 +0000 (GMT) Received: from [9.65.195.237] (unknown [9.65.195.237]) by b01ledav002.gho.pok.ibm.com (Postfix) with ESMTP; Mon, 19 Jul 2021 19:12:11 +0000 (GMT) Subject: Re: [PATCH v2 00/11] Measured SEV boot with kernel/initrd/cmdline To: Tom Lendacky , devel@edk2.groups.io Cc: Tobin Feldman-Fitzthum , Tobin Feldman-Fitzthum , Jim Cadden , James Bottomley , Hubertus Franke , Laszlo Ersek , Ard Biesheuvel , Jordan Justen , Ashish Kalra , Brijesh Singh , Erdem Aktas , Jiewen Yao , Min Xu , Leif Lindholm , Sami Mujawar , Dov Murik References: <20210706085501.1260662-1-dovmurik@linux.ibm.com> From: "Dov Murik" Message-ID: <40e7799e-df93-ff46-05f5-31d24ad0751e@linux.ibm.com> Date: Mon, 19 Jul 2021 22:12:09 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.12.0 In-Reply-To: X-TM-AS-GCONF: 00 X-Proofpoint-GUID: sio1Jq_xGGSDOC5jzH6dP-yc98M2E2ds X-Proofpoint-ORIG-GUID: r3cZVbj7b7gTku1gt0FMIDBsR-6BNUvu X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391,18.0.790 definitions=2021-07-19_09:2021-07-19,2021-07-19 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 phishscore=0 clxscore=1015 spamscore=0 lowpriorityscore=0 suspectscore=0 malwarescore=0 adultscore=0 priorityscore=1501 mlxscore=0 mlxlogscore=999 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104190000 definitions=main-2107190109 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit On 19/07/2021 18:14, Tom Lendacky wrote: > On 7/6/21 3:54 AM, Dov Murik wrote: >> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3457 > > This BZ link should be part of all the commit messages in the series. > Oh I missed a few. I'll fix. Thanks. > Thanks, > Tom > >> >> Booting with SEV prevented the loading of kernel, initrd, and kernel >> command-line via QEMU fw_cfg interface because they arrive from the VMM >> which is untrusted in SEV. >> >> However, in some cases the kernel, initrd, and cmdline are not secret >> but should not be modified by the host. In such a case, we want to >> verify inside the trusted VM that the kernel, initrd, and cmdline are >> indeed the ones expected by the Guest Owner, and only if that is the >> case go on and boot them up (removing the need for grub inside OVMF in >> that mode). >> >> This patch series reserves an area in MEMFD (previously the last 1KB of >> the launch secret page) which will contain the >> hashes of these three blobs (kernel, initrd, cmdline), each under its >> own GUID entry. This tables of hashes is populated by QEMU before >> launch, and encrypted as part of the initial VM memory; this makes sure >> theses hashes are part of the SEV measurement (which has to be approved >> by the Guest Owner for secret injection, for example). Note that this >> requires QEMU support [1]. >> >> OVMF parses the table of hashes populated by QEMU (patch 5), and as it >> reads the fw_cfg blobs from QEMU, it will verify each one against the >> expected hash (kernel and initrd verifiers are introduced in patch 6, >> and command-line verifier is introduced in patches 7+8). This is all >> done inside the trusted VM context. If all the hashes are correct, boot >> of the kernel is allowed to continue. >> >> Any attempt by QEMU to modify the kernel, initrd, cmdline (including >> dropping one of them), or to modify the OVMF code that verifies those >> hashes, will cause the initial SEV measurement to change and therefore >> will be detectable by the Guest Owner during launch before secret >> injection. >> >> Relevant part of OVMF serial log during boot with AmdSevX86 build and QEMU with >> -kernel/-initrd/-append: >> >> ... >> SevHashesBlobVerifierLibConstructor: found injected hashes table in secure location >> Select Item: 0x17 >> Select Item: 0x8 >> FetchBlob: loading 7379328 bytes for "kernel" >> Select Item: 0x18 >> Select Item: 0x11 >> VerifyBlob: Found GUID 4DE79437-ABD2-427F-B835-D5B172D2045B in table >> VerifyBlob: Hash comparison succeeded for entry 'kernel' >> Select Item: 0xB >> FetchBlob: loading 12483878 bytes for "initrd" >> Select Item: 0x12 >> VerifyBlob: Found GUID 44BAF731-3A2F-4BD7-9AF1-41E29169781D in table >> VerifyBlob: Hash comparison succeeded for entry 'initrd' >> Select Item: 0x14 >> FetchBlob: loading 86 bytes for "cmdline" >> Select Item: 0x15 >> VerifyBlob: Found GUID 97D02DD8-BD20-4C94-AA78-E7714D36AB2A in table >> VerifyBlob: Hash comparison succeeded for entry 'cmdline' >> ... >> >> The patch series is organized as follows: >> >> 1: Simple comment fix in adjacent area in the code. >> 2: Use GenericQemuLoadImageLib to gain one location for fw_cfg blob >> fetching. >> 3: Allow the (previously blocked) usage of -kernel in AmdSevX64. >> 4-7: Add BlobVerifierLib with null implementation and use it in the correct >> location in QemuKernelLoaderFsDxe. >> 8-9: Reserve memory for hashes table, declare this area in the reset vector. >> 10-11: Add the secure implementation SevHashesBlobVerifierLib and use it in >> AmdSevX64 builds. >> >> [1] https://lore.kernel.org/qemu-devel/20210624102040.2015280-1-dovmurik@linux.ibm.com/ >> >> Code is at >> https://github.com/confidential-containers-demo/edk2/tree/sev-hashes-v2 >> >> v2 changes: >> - Use the last 1KB of the existing SEV launch secret page for hashes table >> (instead of reserving a whole new MEMFD page). >> - Build on top of commit cf203024745f ("OvmfPkg/GenericQemuLoadImageLib: Read >> cmdline from QemuKernelLoaderFs", 2021-06-28) to have a single location in >> which all of kernel/initrd/cmdline are fetched from QEMU. >> - Use static linking of the two BlobVerifierLib implemenatations. >> - Reorganize series. >> >> v1: https://edk2.groups.io/g/devel/message/75567 >> >> Cc: Laszlo Ersek >> Cc: Ard Biesheuvel >> Cc: Jordan Justen >> Cc: Ashish Kalra >> Cc: Brijesh Singh >> Cc: Erdem Aktas >> Cc: James Bottomley >> Cc: Jiewen Yao >> Cc: Min Xu >> Cc: Tom Lendacky >> Cc: Leif Lindholm >> Cc: Sami Mujawar >> >> Dov Murik (8): >> OvmfPkg/AmdSev: use GenericQemuLoadImageLib in AmdSev builds >> OvmfPkg: add library class BlobVerifierLib with null implementation >> OvmfPkg: add NullBlobVerifierLib to DSC >> ArmVirtPkg: add NullBlobVerifierLib to DSC >> OvmfPkg/QemuKernelLoaderFsDxe: call VerifyBlob after fetch from fw_cfg >> OvmfPkg/AmdSev/SecretPei: build hob for full page >> OvmfPkg: add SevHashesBlobVerifierLib >> OvmfPkg/AmdSev: Enforce hash verification of kernel blobs >> >> James Bottomley (3): >> OvmfPkg/AmdSev/SecretDxe: fix header comment to generic naming >> OvmfPkg: PlatformBootManagerLibGrub: Allow executing kernel via fw_cfg >> OvmfPkg/AmdSev: reserve MEMFD space for for firmware config hashes >> >> OvmfPkg/OvmfPkg.dec | 9 + >> ArmVirtPkg/ArmVirtQemu.dsc | 5 +- >> ArmVirtPkg/ArmVirtQemuKernel.dsc | 5 +- >> OvmfPkg/AmdSev/AmdSevX64.dsc | 9 +- >> OvmfPkg/OvmfPkgIa32.dsc | 5 +- >> OvmfPkg/OvmfPkgIa32X64.dsc | 5 +- >> OvmfPkg/OvmfPkgX64.dsc | 5 +- >> OvmfPkg/AmdSev/AmdSevX64.fdf | 5 +- >> OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf | 27 +++ >> OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifierLib.inf | 36 ++++ >> OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManagerLibGrub.inf | 2 + >> OvmfPkg/ResetVector/ResetVector.inf | 2 + >> OvmfPkg/Include/Library/BlobVerifierLib.h | 38 ++++ >> OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h | 11 ++ >> OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 2 +- >> OvmfPkg/AmdSev/SecretPei/SecretPei.c | 9 +- >> OvmfPkg/Library/BlobVerifierLib/NullBlobVerifier.c | 34 ++++ >> OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifier.c | 199 ++++++++++++++++++++ >> OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c | 5 + >> OvmfPkg/Library/{PlatformBootManagerLib => PlatformBootManagerLibGrub}/QemuKernel.c | 0 >> OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 9 + >> OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 20 ++ >> OvmfPkg/ResetVector/ResetVector.nasmb | 2 + >> 23 files changed, 434 insertions(+), 10 deletions(-) >> create mode 100644 OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf >> create mode 100644 OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifierLib.inf >> create mode 100644 OvmfPkg/Include/Library/BlobVerifierLib.h >> create mode 100644 OvmfPkg/Library/BlobVerifierLib/NullBlobVerifier.c >> create mode 100644 OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifier.c >> copy OvmfPkg/Library/{PlatformBootManagerLib => PlatformBootManagerLibGrub}/QemuKernel.c (100%) >>