public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Dov Murik" <dovmurik@linux.ibm.com>
To: "Yao, Jiewen" <jiewen.yao@intel.com>,
	"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>,
	Tobin Feldman-Fitzthum <tobin@ibm.com>,
	Jim Cadden <jcadden@ibm.com>,
	James Bottomley <jejb@linux.ibm.com>,
	Hubertus Franke <frankeh@us.ibm.com>,
	Ard Biesheuvel <ardb+tianocore@kernel.org>,
	"Justen, Jordan L" <jordan.l.justen@intel.com>,
	Ashish Kalra <ashish.kalra@amd.com>,
	Brijesh Singh <brijesh.singh@amd.com>,
	Erdem Aktas <erdemaktas@google.com>,
	"Xu, Min M" <min.m.xu@intel.com>,
	Tom Lendacky <thomas.lendacky@amd.com>,
	Leif Lindholm <leif@nuviainc.com>,
	Sami Mujawar <sami.mujawar@arm.com>,
	Dov Murik <dovmurik@linux.ibm.com>
Subject: Re: [edk2-devel] [PATCH v4 00/11] Measured SEV boot with kernel/initrd/cmdline
Date: Sun, 25 Jul 2021 10:52:53 +0300	[thread overview]
Message-ID: <711c0ad9-9ebe-0eaa-e04b-28e7e7f69ef4@linux.ibm.com> (raw)
In-Reply-To: <PH0PR11MB4885E442B90DAC367EDD8DC58CE79@PH0PR11MB4885.namprd11.prod.outlook.com>

Hi Jiewen,

On 25/07/2021 5:43, Yao, Jiewen wrote:
> Hi
> I am reviewing this patch series. I am OK with most parts.

Thank you.

> 
> And I do have one question:
> May I know what is criteria to put a SEV module to OvmfPkg\AmdSev or OvmfPkg directly?
> 
> My original understanding is:
> If a module is required by OvmfPkg{Ia32,Ia32X64,X64}.{dsc,fdf}, then it should be OvmfPkg.
> If a module is only required by OvmfPkg\AmdSev\AmdSevX64.{dsc,fdf}, Then it should be in OvmfPkg\AmdSev.
> 
> Am I right?
> 

I actually don't know the criteria.  What you say sounds reasonable.
I'll also let James (who introduced the AmdSevX64 target) say what he
thinks.


If that is indeed the case, then I need to:

1. Modify patch 4: put the code of the null implementation in
OvmfPkf/BlobVerifierLibNull/

2. Modify patches 5+6: use the new path of the BlobVerifierLibNull inf file

3. Modify patches 10+11: put the code of the SevHashes implementation in
OvmfPkg/AmdSev/BlobVerifierLibSevHashes/

Jiewen, is that what you had in mind?



Two other things to consider:

A. The blob verification by hashes just uses initially-measured memory,
and no other features of SEV.  It might be useful for other Confidential
Computing implementations.  But maybe if that need arises then we'll
extract it from the AmdSev folder.

B. There were talks about reducing the number of targets, and maybe
unifying AmdSevX64 into OvmfPkgX64.  If this is indeed the direction
we're going to, then there's no need to separate the code.


Thanks,
-Dov


> Thank you
> Yao Jiewen
> 
> 
>> -----Original Message-----
>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Dov Murik
>> Sent: Thursday, July 22, 2021 4:43 PM
>> To: devel@edk2.groups.io
>> Cc: Dov Murik <dovmurik@linux.ibm.com>; Tobin Feldman-Fitzthum
>> <tobin@linux.ibm.com>; Tobin Feldman-Fitzthum <tobin@ibm.com>; Jim
>> Cadden <jcadden@ibm.com>; James Bottomley <jejb@linux.ibm.com>;
>> Hubertus Franke <frankeh@us.ibm.com>; Ard Biesheuvel
>> <ardb+tianocore@kernel.org>; Justen, Jordan L <jordan.l.justen@intel.com>;
>> Ashish Kalra <ashish.kalra@amd.com>; Brijesh Singh <brijesh.singh@amd.com>;
>> Erdem Aktas <erdemaktas@google.com>; Yao, Jiewen <jiewen.yao@intel.com>;
>> Xu, Min M <min.m.xu@intel.com>; Tom Lendacky
>> <thomas.lendacky@amd.com>; Leif Lindholm <leif@nuviainc.com>; Sami
>> Mujawar <sami.mujawar@arm.com>
>> Subject: [edk2-devel] [PATCH v4 00/11] Measured SEV boot with
>> kernel/initrd/cmdline
>>
>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
>>
>> Booting with SEV prevented the loading of kernel, initrd, and kernel
>> command-line via QEMU fw_cfg interface because they arrive from the VMM
>> which is untrusted in SEV.
>>
>> However, in some cases the kernel, initrd, and cmdline are not secret
>> but should not be modified by the host.  In such a case, we want to
>> verify inside the trusted VM that the kernel, initrd, and cmdline are
>> indeed the ones expected by the Guest Owner, and only if that is the
>> case go on and boot them up (removing the need for grub inside OVMF in
>> that mode).
>>
>> This patch series reserves an area in MEMFD (previously the last 1KB of
>> the launch secret page) which will contain the hashes of these three
>> blobs (kernel, initrd, cmdline), each under its own GUID entry.  This
>> tables of hashes is populated by QEMU before launch, and encrypted as
>> part of the initial VM memory; this makes sure these hashes are part of
>> the SEV measurement (which has to be approved by the Guest Owner for
>> secret injection, for example).  Note that populating the hashes table
>> requires QEMU support [1].
>>
>> OVMF parses the table of hashes populated by QEMU (patch 10), and as it
>> reads the fw_cfg blobs from QEMU, it will verify each one against the
>> expected hash.  This is all done inside the trusted VM context.  If all
>> the hashes are correct, boot of the kernel is allowed to continue.
>>
>> Any attempt by QEMU to modify the kernel, initrd, cmdline (including
>> dropping one of them), or to modify the OVMF code that verifies those
>> hashes, will cause the initial SEV measurement to change and therefore
>> will be detectable by the Guest Owner during launch before secret
>> injection.
>>
>> Relevant part of OVMF serial log during boot with AmdSevX86 build and
>> QEMU with -kernel/-initrd/-append:
>>
>>   ...
>>   BlobVerifierLibSevHashesConstructor: Found injected hashes table in secure
>> location
>>   Select Item: 0x17
>>   Select Item: 0x8
>>   FetchBlob: loading 7379328 bytes for "kernel"
>>   Select Item: 0x18
>>   Select Item: 0x11
>>   VerifyBlob: Found GUID 4DE79437-ABD2-427F-B835-D5B172D2045B in table
>>   VerifyBlob: Hash comparison succeeded for "kernel"
>>   Select Item: 0xB
>>   FetchBlob: loading 12483878 bytes for "initrd"
>>   Select Item: 0x12
>>   VerifyBlob: Found GUID 44BAF731-3A2F-4BD7-9AF1-41E29169781D in table
>>   VerifyBlob: Hash comparison succeeded for "initrd"
>>   Select Item: 0x14
>>   FetchBlob: loading 86 bytes for "cmdline"
>>   Select Item: 0x15
>>   VerifyBlob: Found GUID 97D02DD8-BD20-4C94-AA78-E7714D36AB2A in table
>>   VerifyBlob: Hash comparison succeeded for "cmdline"
>>   ...
>>
>> The patch series is organized as follows:
>>
>> 1:     Simple comment fix in adjacent area in the code.
>> 2:     Use GenericQemuLoadImageLib to gain one location for fw_cfg blob
>>        fetching.
>> 3:     Allow the (previously blocked) usage of -kernel in AmdSevX64.
>> 4-7:   Add BlobVerifierLib with null implementation and use it in the correct
>>        location in QemuKernelLoaderFsDxe.
>> 8-9:   Reserve memory for hashes table, declare this area in the reset vector.
>> 10-11: Add the secure implementation BlobVerifierLibSevHashes and use it in
>>        AmdSevX64 builds.
>>
>> [1] https://lore.kernel.org/qemu-devel/20210624102040.2015280-1-
>> dovmurik@linux.ibm.com/
>>
>> Code is at
>> https://github.com/confidential-containers-demo/edk2/tree/sev-hashes-v4
>>
>> v4 changes:
>>  - BlobVerifierSevHashes (patch 10): more comprehensive overflow tests
>>    when parsing the SEV hashes table structure
>>
>> v3: https://edk2.groups.io/g/devel/message/77955
>> v3 changes:
>>  - Rename to BlobVerifierLibNull, use decimal INF_VERSION, remove unused
>>    DebugLib reference, fix doxygen comments, add missing IN attribute
>>  - Rename to BlobVerifierLibSevHashes, use decimal INF_VERSION, fix
>>    doxygen comments, add missing IN attribute,
>>    calculate buffer hash only when the guid is found in hashes table
>>  - SecretPei: use ALIGN_VALUE to round the hob size
>>  - Coding style fixes
>>  - Add missing 'Ref:' in patch 1 commit message
>>  - Fix phrasing and typos in commit messages
>>  - Remove Cc: Laszlo from series
>>
>> v2: https://edk2.groups.io/g/devel/message/77505
>> v2 changes:
>>  - Use the last 1KB of the existing SEV launch secret page for hashes table
>>    (instead of reserving a whole new MEMFD page).
>>  - Build on top of commit cf203024745f ("OvmfPkg/GenericQemuLoadImageLib:
>> Read
>>    cmdline from QemuKernelLoaderFs", 2021-06-28) to have a single location in
>>    which all of kernel/initrd/cmdline are fetched from QEMU.
>>  - Use static linking of the two BlobVerifierLib implemenatations.
>>  - Reorganize series.
>>
>> v1: https://edk2.groups.io/g/devel/message/75567
>>
>> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
>> Cc: Jordan Justen <jordan.l.justen@intel.com>
>> Cc: Ashish Kalra <ashish.kalra@amd.com>
>> Cc: Brijesh Singh <brijesh.singh@amd.com>
>> Cc: Erdem Aktas <erdemaktas@google.com>
>> Cc: James Bottomley <jejb@linux.ibm.com>
>> Cc: Jiewen Yao <jiewen.yao@intel.com>
>> Cc: Min Xu <min.m.xu@intel.com>
>> Cc: Tom Lendacky <thomas.lendacky@amd.com>
>> Cc: Leif Lindholm <leif@nuviainc.com>
>> Cc: Sami Mujawar <sami.mujawar@arm.com>
>>
>> ---
>>
>> Ard: please review patch 6 (ArmVirtPkg). Thanks.
>>
>> Tom, Brijesh: I'll also send the diff for patch 10. Thanks.
>>
>> ---
>>
>> Dov Murik (8):
>>   OvmfPkg/AmdSev: use GenericQemuLoadImageLib in AmdSev builds
>>   OvmfPkg: add library class BlobVerifierLib with null implementation
>>   OvmfPkg: add BlobVerifierLibNull to DSC
>>   ArmVirtPkg: add BlobVerifierLibNull to DSC
>>   OvmfPkg/QemuKernelLoaderFsDxe: call VerifyBlob after fetch from fw_cfg
>>   OvmfPkg/AmdSev/SecretPei: build hob for full page
>>   OvmfPkg: add BlobVerifierLibSevHashes
>>   OvmfPkg/AmdSev: Enforce hash verification of kernel blobs
>>
>> James Bottomley (3):
>>   OvmfPkg/AmdSev/SecretDxe: fix header comment to generic naming
>>   OvmfPkg: PlatformBootManagerLibGrub: Allow executing kernel via fw_cfg
>>   OvmfPkg/AmdSev: reserve MEMFD space for for firmware config hashes
>>
>>  OvmfPkg/OvmfPkg.dec                                                                 |   9 +
>>  ArmVirtPkg/ArmVirtQemu.dsc                                                          |   5 +-
>>  ArmVirtPkg/ArmVirtQemuKernel.dsc                                                    |   5 +-
>>  OvmfPkg/AmdSev/AmdSevX64.dsc                                                        |   9 +-
>>  OvmfPkg/OvmfPkgIa32.dsc                                                             |   5 +-
>>  OvmfPkg/OvmfPkgIa32X64.dsc                                                          |   5 +-
>>  OvmfPkg/OvmfPkgX64.dsc                                                              |   5 +-
>>  OvmfPkg/AmdSev/AmdSevX64.fdf                                                        |   5 +-
>>  OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf                             |  24
>> +++
>>  OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes.inf                        |  37
>> ++++
>>
>> OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManagerLibGrub.
>> inf           |   2 +
>>  OvmfPkg/ResetVector/ResetVector.inf                                                 |   2 +
>>  OvmfPkg/Include/Library/BlobVerifierLib.h                                           |  38 ++++
>>  OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h                            |
>> 11 ++
>>  OvmfPkg/AmdSev/SecretDxe/SecretDxe.c                                                |   2 +-
>>  OvmfPkg/AmdSev/SecretPei/SecretPei.c                                                |   3 +-
>>  OvmfPkg/Library/BlobVerifierLib/BlobVerifierNull.c                                  |  33 ++++
>>  OvmfPkg/Library/BlobVerifierLib/BlobVerifierSevHashes.c                             | 199
>> ++++++++++++++++++++
>>  OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c                            |
>> 5 +
>>  OvmfPkg/Library/{PlatformBootManagerLib =>
>> PlatformBootManagerLibGrub}/QemuKernel.c |   0
>>  OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
>> |   9 +
>>  OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm                                        |  20 ++
>>  OvmfPkg/ResetVector/ResetVector.nasmb                                               |   2 +
>>  23 files changed, 425 insertions(+), 10 deletions(-)
>>  create mode 100644 OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf
>>  create mode 100644
>> OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes.inf
>>  create mode 100644 OvmfPkg/Include/Library/BlobVerifierLib.h
>>  create mode 100644 OvmfPkg/Library/BlobVerifierLib/BlobVerifierNull.c
>>  create mode 100644 OvmfPkg/Library/BlobVerifierLib/BlobVerifierSevHashes.c
>>  copy OvmfPkg/Library/{PlatformBootManagerLib =>
>> PlatformBootManagerLibGrub}/QemuKernel.c (100%)
>>
>> --
>> 2.25.1
>>
>>
>>
>> 
>>
> 

  reply	other threads:[~2021-07-25  7:53 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-22  8:42 [PATCH v4 00/11] Measured SEV boot with kernel/initrd/cmdline Dov Murik
2021-07-22  8:42 ` [PATCH v4 01/11] OvmfPkg/AmdSev/SecretDxe: fix header comment to generic naming Dov Murik
2021-07-22  8:42 ` [PATCH v4 02/11] OvmfPkg/AmdSev: use GenericQemuLoadImageLib in AmdSev builds Dov Murik
2021-07-22  8:42 ` [PATCH v4 03/11] OvmfPkg: PlatformBootManagerLibGrub: Allow executing kernel via fw_cfg Dov Murik
2021-07-22  8:43 ` [PATCH v4 04/11] OvmfPkg: add library class BlobVerifierLib with null implementation Dov Murik
2021-07-22  8:43 ` [PATCH v4 05/11] OvmfPkg: add BlobVerifierLibNull to DSC Dov Murik
2021-07-22  8:43 ` [PATCH v4 06/11] ArmVirtPkg: " Dov Murik
2021-07-22  8:43 ` [PATCH v4 07/11] OvmfPkg/QemuKernelLoaderFsDxe: call VerifyBlob after fetch from fw_cfg Dov Murik
2021-07-22  8:43 ` [PATCH v4 08/11] OvmfPkg/AmdSev/SecretPei: build hob for full page Dov Murik
2021-07-22  8:43 ` [PATCH v4 09/11] OvmfPkg/AmdSev: reserve MEMFD space for for firmware config hashes Dov Murik
2021-07-22  8:43 ` [PATCH v4 10/11] OvmfPkg: add BlobVerifierLibSevHashes Dov Murik
2021-07-22  8:45   ` Dov Murik
2021-07-25  2:47     ` [edk2-devel] " Yao, Jiewen
2021-07-22  8:43 ` [PATCH v4 11/11] OvmfPkg/AmdSev: Enforce hash verification of kernel blobs Dov Murik
2021-07-25  2:43 ` [edk2-devel] [PATCH v4 00/11] Measured SEV boot with kernel/initrd/cmdline Yao, Jiewen
2021-07-25  7:52   ` Dov Murik [this message]
2021-07-25  8:17     ` Yao, Jiewen
2021-07-25 10:06       ` Dov Murik
2021-07-25 21:10     ` James Bottomley
2021-07-26  0:55       ` Yao, Jiewen
2021-07-26 14:50         ` James Bottomley
2021-07-26 15:31           ` Yao, Jiewen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=711c0ad9-9ebe-0eaa-e04b-28e7e7f69ef4@linux.ibm.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox