public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: Brijesh Singh <brijesh.singh@amd.com>
To: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: brijesh.singh@amd.com, James Bottomley <jejb@linux.ibm.com>,
	devel@edk2.groups.io, dovmurik@linux.vnet.ibm.com,
	Dov.Murik1@il.ibm.com, ashish.kalra@amd.com, tobin@ibm.com,
	david.kaplan@amd.com, jon.grimm@amd.com, thomas.lendacky@amd.com,
	frankeh@us.ibm.com
Subject: Re: [PATCH 0/4] SEV Encrypted Boot for Ovmf
Date: Thu, 12 Nov 2020 15:56:47 -0600	[thread overview]
Message-ID: <5890c3a4-a480-0ca7-55fd-550a91d8ecb1@amd.com> (raw)
In-Reply-To: <20201112193804.GJ2905@work-vm>


On 11/12/20 1:38 PM, Dr. David Alan Gilbert wrote:
> * Brijesh Singh (brijesh.singh@amd.com) wrote:
>> Hi James,
>>
>> Thanks for series, I glanced at it, the changes looks okay to me. I have
>> one questions.
>>
>> How does the grub locate the disk decryption key ? Am I correct in
>> assuming that the gurb is iterating through a configuration table
>> entries and comparing the Secret GUID to locate the secret key. As per
>> the SEV spec, its possible that a guest owner can call the secret
>> injection more than once. I don't see the patch consider that case,
>> should we support this or limit to one inject?  Maybe Qemu can enforce
>> this property.
> That's interesting, I hadn't realised that was possible - however,
> I can't see a way to use it - for it to be useful, you would have to
> have a way for the guest to communicate to the owner that it had
> finished with the first injection and would like the next; but if you
> already have a way to communicate from the guest to the owner to request
> stuff, then you could pass a new secret by that comms route?


The main reason for its existence was to allow guest owner to inject
multiple blocks of the data if they need to do so, e.g IIRC, Enarx folks
use this to inject the keep which is much bigger than 128K. I am not
sure if we really need it for the VM boot flow but we probably need to
define the secret page layout such that it contains multiple entries in
it. In our case the Secret can't be more than a page, so, we can define
a secret page layout such that it can contain more than one disk key. I
was thinking about something like this

typedef enum {

   DISK_KEY_AES_128,

   SSH_PRIVATE_KEY,

   ...

} data_type;

struct secret_data {

   u8 entries;

   struct {

      data_type type;

      u16 len;

      u8 name[16];

      u8 data[];

   } entry[];

}

This should allow us to package multiple secrets in one inject.

>
>> Do you see any need for the Linux kernel needing to access the secret?
>> Since the secret blob is available through configuration table, I
>> believe we can have a platform driver that can read the configuration
>> table and retrieve the secret blob.
> I guess it depends if you get the Grub to pass the fs secret down to the
> kernel or let it pick it up itself from the same place.


I guess the main reason why I was asking this is, what if guest owner
provides more than one disk keys in the secret injection blob. Grub can
use the boot disk key to access the Linux images and other disk keys may
later be used by Linux.

> Dave
>
>> thanks
>>
>> On 11/11/20 6:13 PM, James Bottomley wrote:
>>> From: James Bottomley <James.Bottomley@HansenPartnership.com>
>>>
>>> This patch series is modelled on the structure of the Bhyve patches
>>> for Ovmf, since it does somewhat similar things.  This patch series
>>> creates a separate build for an AmdSev OVMF.fd that does nothing
>>> except combine with grub and boot straight through the internal grub
>>> to try to mount an encrypted volume.
>>>
>>> Concept: SEV Secure Encrypted Images
>>> ====================================
>>>
>>> The SEV patches in Linux and OVMF allow for the booting of SEV VMs in
>>> an encrypted state, but don't really show how this could be done with
>>> an encrypted image.  Since the key used to decrypt the image must be
>>> maintained within the SEV encryption envelope, encrypted QCOW is not
>>> an option because the key would then have to be known to QEMU which is
>>> outside the encryption envelope.  The proposal here is that an
>>> encrypted image should be a QCOW image consisting of two partitions,
>>> the normal unencrypted EFI partition (Identifying it as an OVMF
>>> bootable image) and a luks encrypted root partition.  The kernel would
>>> be inside the encrypted root in the /boot directory.  The secret
>>> injected securely through QEMU is extracted by OVMF and passed to grub
>>> which uses it to mount the encrypted root and boot the kernel
>>> normally.  The creator of the secret bundle must be satisfied with the
>>> SEV attestation before the secret is constructed.  Unfortunately, the
>>> SEV attestation can only be on the first QEMU firmware volume and
>>> nothing else, so this patch series builds grub itself into a firmware
>>> volume and places it inside OVMF so that the entire boot system can be
>>> attested.  In a normal OVMF KVM system, the variable store is on the
>>> second flash volume (which is read/write).  Unfortunately, this
>>> mutable configuration provided by the variables is outside the
>>> attestation envelope and can significantly alter the boot path,
>>> possibly leading to secret leak, so encrypted image boot should only
>>> be done with the OVMF.fd that combines both the code and variables.
>>> the OVMF.fd is constructed so that it becomes impossible to interrupt
>>> the boot sequence after attestation and the system will either boot
>>> the image or fail. The boot sequence runs the grub.efi embedded in the
>>> OVMF firmware volume so the encrypted image owner knows their own
>>> version of grub is the only one that will boot before injecting the
>>> secret.  Note this boot path actually ignores the unencrypted EFI
>>> partition.  However, as part of this design, the encrypted image may be
>>> booted by a standard OVMF KVM boot and in that case, the user will
>>> have to type the encryption password.  This standard boot will be
>>> insecure but it might be used by the constructor of the encrypted
>>> images on their own private laptop, for instance.  The standard boot
>>> path will use the unencrypted EFI partition.
>>>
>>> Patches Required Outside of OVMF
>>> ================================
>>>
>>> There is a patch set to grub which allows it to extract the SEV secret
>>> area from the configuration table and use the secret as a password to
>>> do a luks crypto mount of root (this is the sevsecret grub module).
>>>
>>> There is also a patch to qemu which allows it to search through the
>>> OVMF.fd and find the SEV secret area which is now described inside the
>>> Reset Vector using the existing SEV_ES reset block.  This area is the
>>> place QEMU will inject the encrypted SEV secret bundle.
>>>
>>> Security of the System
>>> ======================
>>>
>>> Since Grub is now part of the attested OVMF.fd bundle, the VM owner
>>> knows absolutely that it will proceed straight to partition decryption
>>> inside the attested code and boot the kernel off the encrypted
>>> partition.  Even if a different QCOW image is substituted, the boot
>>> will fail without revealing the secret because the system is designed
>>> to fail hard in that case and because the secret is always contained
>>> within the encrypted envelope it should be impossible for the cloud
>>> operator to obtain it even if they can pause the boot and examine the
>>> machine memory.
>>>
>>> Putting it All Together
>>> =======================
>>>
>>> This is somewhat hard.  You must first understand how to boot a QEMU
>>> system so as to have the VM pause after firmware loading (-S option)
>>> and use the qmp port to request an attestation.  Only if the
>>> attestation corresponds to the expected sha256sum of OVMF.fd should
>>> the secret bundle be constructed and injected using qmp.  The tools
>>> for constructing the secret bundle are in
>>>
>>> https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FAMDESE%2Fsev-tool%2F&amp;data=04%7C01%7Cbrijesh.singh%40amd.com%7Cc5b99bba03c74eb5bc2308d887428054%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637408066981024287%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=SSmQZgDWx4P5a2hOJZRnhrM0n5ExpqzjLGolv0f0CC8%3D&amp;reserved=0
>>
>> Where you able to use the sev-tool as-is to generate a secret blob that
>> can be injected through the Qemu QMP interface? The reason why I am
>> asking this is because the last time when I looked at the sev-tool I
>> found that it did not generated the blob which was in the correct format.
>>
>>
>>> James
>>>
>>> ---
>>>
>>> James Bottomley (4):
>>>   OvmfPkg/Amdsev: Base commit to build encrypted boot specific OVMF
>>>   OvmfPkg/AmdSev: add Grub Firmware Volume Package
>>>   OvmfPkg: create a SEV secret area in the AmdSev memfd
>>>   OvmfPkg/AmdSev: Expose the Sev Secret area using a configuration table
>>>
>>>  OvmfPkg/OvmfPkg.dec                           |    6 +
>>>  OvmfPkg/AmdSev/AmdSevX64.dsc                  | 1035 +++++++++++
>>>  OvmfPkg/AmdSev/AmdSevX64.fdf                  |  515 ++++++
>>>  OvmfPkg/AmdSev/Grub/Grub.inf                  |   37 +
>>>  .../SevLaunchSecret/SecretDxe/SecretDxe.inf   |   38 +
>>>  .../SevLaunchSecret/SecretPei/SecretPei.inf   |   46 +
>>>  .../PlatformBootManagerLibGrub.inf            |   84 +
>>>  OvmfPkg/ResetVector/ResetVector.inf           |    4 +
>>>  .../PlatformBootManagerLibGrub/BdsPlatform.h  |  179 ++
>>>  .../SevLaunchSecret/SecretDxe/SecretDxe.c     |   29 +
>>>  .../SevLaunchSecret/SecretPei/SecretPei.c     |   26 +
>>>  .../PlatformBootManagerLibGrub/BdsPlatform.c  | 1538 +++++++++++++++++
>>>  .../PlatformBootManagerLibGrub/PlatformData.c |  213 +++
>>>  OvmfPkg/AmdSev/Grub/.gitignore                |    1 +
>>>  OvmfPkg/AmdSev/Grub/grub.cfg                  |   35 +
>>>  OvmfPkg/AmdSev/Grub/grub.sh                   |   54 +
>>>  OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm  |    4 +
>>>  OvmfPkg/ResetVector/ResetVector.nasmb         |    2 +
>>>  18 files changed, 3846 insertions(+)
>>>  create mode 100644 OvmfPkg/AmdSev/AmdSevX64.dsc
>>>  create mode 100644 OvmfPkg/AmdSev/AmdSevX64.fdf
>>>  create mode 100644 OvmfPkg/AmdSev/Grub/Grub.inf
>>>  create mode 100644 OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.inf
>>>  create mode 100644 OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.inf
>>>  create mode 100644 OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManagerLibGrub.inf
>>>  create mode 100644 OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h
>>>  create mode 100644 OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.c
>>>  create mode 100644 OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.c
>>>  create mode 100644 OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
>>>  create mode 100644 OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformData.c
>>>  create mode 100644 OvmfPkg/AmdSev/Grub/.gitignore
>>>  create mode 100644 OvmfPkg/AmdSev/Grub/grub.cfg
>>>  create mode 100644 OvmfPkg/AmdSev/Grub/grub.sh
>>>

  reply	other threads:[~2020-11-12 21:56 UTC|newest]

Thread overview: 35+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-11-12  0:13 [PATCH 0/4] SEV Encrypted Boot for Ovmf James Bottomley
2020-11-12  0:13 ` [PATCH 1/4] OvmfPkg/Amdsev: Base commit to build encrypted boot specific OVMF James Bottomley
2020-11-16 19:11   ` [edk2-devel] " Laszlo Ersek
2020-11-16 20:00     ` James Bottomley
2020-11-12  0:13 ` [PATCH 2/4] OvmfPkg/AmdSev: add Grub Firmware Volume Package James Bottomley
2020-11-16 20:42   ` [edk2-devel] " Laszlo Ersek
2020-11-17  0:05     ` Laszlo Ersek
2020-11-18 23:00     ` James Bottomley
2020-11-19  7:59       ` Laszlo Ersek
2020-11-12  0:13 ` [PATCH 3/4] OvmfPkg: create a SEV secret area in the AmdSev memfd James Bottomley
2020-11-16 22:46   ` [edk2-devel] " Laszlo Ersek
2020-11-18 20:23     ` James Bottomley
2020-11-19  7:50       ` Laszlo Ersek
2020-11-19 19:41         ` Brijesh Singh
2020-11-20  6:29           ` jejb
2020-11-20 10:59             ` Laszlo Ersek
2020-11-18 20:39     ` Lendacky, Thomas
2020-11-19  7:51       ` Laszlo Ersek
2020-11-12  0:13 ` [PATCH 4/4] OvmfPkg/AmdSev: Expose the Sev Secret area using a configuration table James Bottomley
2020-11-17  0:12   ` [edk2-devel] " Laszlo Ersek
2020-11-12 16:21 ` [PATCH 0/4] SEV Encrypted Boot for Ovmf Ashish Kalra
2020-11-12 16:34   ` Dr. David Alan Gilbert
2020-11-12 17:07     ` James Bottomley
2020-11-12 17:22       ` Ashish Kalra
2020-11-12 17:32 ` Brijesh Singh
2020-11-12 19:38   ` Dr. David Alan Gilbert
2020-11-12 21:56     ` Brijesh Singh [this message]
2020-11-12 22:50       ` James Bottomley
2020-11-15 14:08         ` Brijesh Singh
2020-11-12 19:44   ` James Bottomley
2020-11-13  2:04 ` [edk2-devel] " James Bottomley
2020-11-13 22:41 ` Laszlo Ersek
2020-11-16 18:50 ` Laszlo Ersek
2020-11-16 18:56   ` Laszlo Ersek
2020-11-16 19:55   ` James Bottomley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5890c3a4-a480-0ca7-55fd-550a91d8ecb1@amd.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox