From: James Bottomley <jejb@linux.ibm.com>
To: "Dr. David Alan Gilbert" <dgilbert@redhat.com>,
Ashish Kalra <ashish.kalra@amd.com>
Cc: devel@edk2.groups.io, dovmurik@linux.vnet.ibm.com,
Dov.Murik1@il.ibm.com, brijesh.singh@amd.com, tobin@ibm.com,
david.kaplan@amd.com, jon.grimm@amd.com, thomas.lendacky@amd.com,
frankeh@us.ibm.com
Subject: Re: [PATCH 0/4] SEV Encrypted Boot for Ovmf
Date: Thu, 12 Nov 2020 09:07:11 -0800 [thread overview]
Message-ID: <6285626e5b22fbbf78b15d21dcc17adf9ed0e21e.camel@linux.ibm.com> (raw)
In-Reply-To: <20201112163434.GH2905@work-vm>
On Thu, 2020-11-12 at 16:34 +0000, Dr. David Alan Gilbert wrote:
> * Ashish Kalra (ashish.kalra@amd.com) wrote:
> > On Wed, Nov 11, 2020 at 04:13:12PM -0800, James Bottomley wrote:
> > > From: James Bottomley <James.Bottomley@HansenPartnership.com>
> > >
> > > This patch series is modelled on the structure of the Bhyve
> > > patches for Ovmf, since it does somewhat similar things. This
> > > patch series creates a separate build for an AmdSev OVMF.fd that
> > > does nothing except combine with grub and boot straight through
> > > the internal grub to try to mount an encrypted volume.
> > >
> > > Concept: SEV Secure Encrypted Images
> > > ====================================
> > >
> > > The SEV patches in Linux and OVMF allow for the booting of SEV
> > > VMs in an encrypted state, but don't really show how this could
> > > be done with an encrypted image.
> >
> > A basic question here ... the SEV usage model in which the firmware
> > is encrypted and loaded into VM using LAUNCH_UPDATA_DATA and then
> > measurement is provided and attestation is done with the VM owner
> > and after VM owner verifies measurement, the VM owner encrypts the
> > disk encryption key and sends it to the guest and it is injected
> > into the guest using the LAUNCH_SECRET API, which is then used to
> > decrypt the OS encrypted image, won't this work to start the SEV VM
> > with an encrypted image ?
>
> That's still what James system does, but the problem is maintaining a
> chain of trust from the set of measured binaries to the point at
> which you can use the injected secret.
>
> On the current OVMF world we end up measuring the OVMF binary, but
> not the stored variable flash; but then what? Who would read the
> injected secret? Because SEV/SEV-ES has no way of performing a later
> attestation, or updating the measurements, we have no way of
> following the path from OVMF (possibly via variables) to a boot
> loader, to a filesystem.
Right, the specific problem is our current linux boot sequence goes
OVMF->grub->linux
But OVMF can only execute things on an unencrypted vFAT filesytem, so
if grub is on vFAT there's no way to prevent a cloud admin substituting
the grub binary after attestation is done and the key released if we
only attest OVMF, so the bogus grub binary could simply capture the key
and transmit it to a hacker.
Pulling grub inside OVMF allows us to attest both OVMF and grub as one
entity and also prevents the boot going via the unencrypted vFAT
filesystem, eliminating the potential interception point.
James
next prev parent reply other threads:[~2020-11-12 17:07 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-12 0:13 [PATCH 0/4] SEV Encrypted Boot for Ovmf James Bottomley
2020-11-12 0:13 ` [PATCH 1/4] OvmfPkg/Amdsev: Base commit to build encrypted boot specific OVMF James Bottomley
2020-11-16 19:11 ` [edk2-devel] " Laszlo Ersek
2020-11-16 20:00 ` James Bottomley
2020-11-12 0:13 ` [PATCH 2/4] OvmfPkg/AmdSev: add Grub Firmware Volume Package James Bottomley
2020-11-16 20:42 ` [edk2-devel] " Laszlo Ersek
2020-11-17 0:05 ` Laszlo Ersek
2020-11-18 23:00 ` James Bottomley
2020-11-19 7:59 ` Laszlo Ersek
2020-11-12 0:13 ` [PATCH 3/4] OvmfPkg: create a SEV secret area in the AmdSev memfd James Bottomley
2020-11-16 22:46 ` [edk2-devel] " Laszlo Ersek
2020-11-18 20:23 ` James Bottomley
2020-11-19 7:50 ` Laszlo Ersek
2020-11-19 19:41 ` Brijesh Singh
2020-11-20 6:29 ` jejb
2020-11-20 10:59 ` Laszlo Ersek
2020-11-18 20:39 ` Lendacky, Thomas
2020-11-19 7:51 ` Laszlo Ersek
2020-11-12 0:13 ` [PATCH 4/4] OvmfPkg/AmdSev: Expose the Sev Secret area using a configuration table James Bottomley
2020-11-17 0:12 ` [edk2-devel] " Laszlo Ersek
2020-11-12 16:21 ` [PATCH 0/4] SEV Encrypted Boot for Ovmf Ashish Kalra
2020-11-12 16:34 ` Dr. David Alan Gilbert
2020-11-12 17:07 ` James Bottomley [this message]
2020-11-12 17:22 ` Ashish Kalra
2020-11-12 17:32 ` Brijesh Singh
2020-11-12 19:38 ` Dr. David Alan Gilbert
2020-11-12 21:56 ` Brijesh Singh
2020-11-12 22:50 ` James Bottomley
2020-11-15 14:08 ` Brijesh Singh
2020-11-12 19:44 ` James Bottomley
2020-11-13 2:04 ` [edk2-devel] " James Bottomley
2020-11-13 22:41 ` Laszlo Ersek
2020-11-16 18:50 ` Laszlo Ersek
2020-11-16 18:56 ` Laszlo Ersek
2020-11-16 19:55 ` James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6285626e5b22fbbf78b15d21dcc17adf9ed0e21e.camel@linux.ibm.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox