From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM04-BN8-obe.outbound.protection.outlook.com (NAM04-BN8-obe.outbound.protection.outlook.com [40.107.100.75]) by mx.groups.io with SMTP id smtpd.web12.49.1621957721925342818 for ; Tue, 25 May 2021 08:48:42 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@amd.com header.s=selector1 header.b=VKrZ36kL; spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: amd.com, ip: 40.107.100.75, mailfrom: brijesh.singh@amd.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Q+tOgWC7Ij8xsPS7/lNTZ5gB+21WvG+dMYrRmAOYOTZeuhbHycMGs5e7CIyDBIh+tQCg7RfUOw15HgrKELzGNCVWGe6669YWzRqzAeZF3iy44EllBg+tGGnnvphShqByWDK5PIUMCyqyC0b/35boZMMexjdqXFjo9YYM5S5TMuk2aABluyMbC2wwOAuwIMWQ/dbV2DqCGZn0c5Z3Vx9GqcfVCBmnWoEuyNWQkZjszB4/Bwv4EpbwG/o2e3bOaCvguiS6hPLyluA9Mkk7jh08cdmsZdVAk525SF70BfTuo/cizRyvgSCZ0eOERJG09VEmHqRGWF7BtRKsNKdnsqaksw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=9NK3COssbumeFdQovXK3sh2P64kIY9e8cH3XucoLHL4=; b=ewMMldKYbehoO2jnNzt3wXnAiLFp8/dIBMbbFHAxy02VNJX922o6Vknr2NGajThutA8dyWt7C6qY3D3cf4MHToqY/Rf55i0F0Jmm0YvKEcXH56SvH9nVLaCZvmkpqf/swj3UGIx0ZMN4uv2yANPNXjfJYHSMwEevoSpkdLGp5PmWQu2xNrpvsbqJ7ahoIr0tPInVId8cUkjQ0g67hSG/TjbQeoMnGQrgN+A8R2oQp4Lti02o7zgxSeDWO68XWrdzjoRdlwcgzMBg1AeryqjEcYAkPxJETQhUOWOtpLaGj5VYLVb934+CSSOTUWGjfPQcvSeqrmtLju8aurhdA/4XBA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=9NK3COssbumeFdQovXK3sh2P64kIY9e8cH3XucoLHL4=; b=VKrZ36kLktI0ZvCoEZETOLt4VIjDRTrvQx6POP8XNx7jVy5CUvBIKv799buPRMY5b+rBwW4bTOKpGpuNxd3hHH+mghkbjEVxtjarnfUEamusmeKHBXwtSWCXZcpbRleIdJAz+Cj96Cnr17SEyJNbxg20P/cpBhnWxXveem+/mEE= Authentication-Results: amd.com; dkim=none (message not signed) header.d=none;amd.com; dmarc=none action=none header.from=amd.com; Received: from SN6PR12MB2718.namprd12.prod.outlook.com (2603:10b6:805:6f::22) by SN1PR12MB2511.namprd12.prod.outlook.com (2603:10b6:802:23::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4150.26; Tue, 25 May 2021 15:48:39 +0000 Received: from SN6PR12MB2718.namprd12.prod.outlook.com ([fe80::9898:5b48:a062:db94]) by SN6PR12MB2718.namprd12.prod.outlook.com ([fe80::9898:5b48:a062:db94%6]) with mapi id 15.20.4150.023; Tue, 25 May 2021 15:48:39 +0000 Cc: brijesh.singh@amd.com, Tobin Feldman-Fitzthum , Tobin Feldman-Fitzthum , Jim Cadden , James Bottomley , Hubertus Franke , Laszlo Ersek , Ard Biesheuvel , Jordan Justen , Ashish Kalra , Erdem Aktas , Jiewen Yao , Min Xu , Tom Lendacky Subject: Re: [PATCH v1 0/8] Measured SEV boot with kernel/initrd/cmdline To: Dov Murik , devel@edk2.groups.io References: <20210525053116.1533673-1-dovmurik@linux.ibm.com> From: "Brijesh Singh" Message-ID: <8b966d52-f207-b747-96a7-2ed6f29aa432@amd.com> Date: Tue, 25 May 2021 10:48:36 -0500 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.10.0 In-Reply-To: <20210525053116.1533673-1-dovmurik@linux.ibm.com> X-Originating-IP: [70.112.153.56] X-ClientProxiedBy: SN7P220CA0026.NAMP220.PROD.OUTLOOK.COM (2603:10b6:806:123::31) To SN6PR12MB2718.namprd12.prod.outlook.com (2603:10b6:805:6f::22) Return-Path: brijesh.singh@amd.com MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from Brijeshs-MacBook-Pro.local (70.112.153.56) by SN7P220CA0026.NAMP220.PROD.OUTLOOK.COM (2603:10b6:806:123::31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4150.26 via Frontend Transport; Tue, 25 May 2021 15:48:37 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: c8f93e85-0550-4476-da0e-08d91f949086 X-MS-TrafficTypeDiagnostic: SN1PR12MB2511: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:8882; X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: fKst6KVGIMnjSDcVCOZzEhdCocvm2H24Cbz3JN9fWs7t1o+VbjpBQfFPzVk7NzQ7otltCsUqEWC/7Kds9TTZLwYXcYgevhVz89zJ5WSpOweTHMa2KgLgROxkflNhJzklmp/4YRh7+uTYbtPlPSgJy9ITlJA527i+8NnGvYB4TtI+DWmpy8eKexfoc9/LrbBhK+snSXcNg4WG/8dxhbhZQ88Jd38vEuAS15CfXDe58NnIT1jK0eKydWOyLWVrKjTj1dYQ75hfB6pKlKXOKOjHS+QHUUUF/rlsPNajljrCYhkviZCMDys5Eq6IxSKLANteM9sQB9Fr3uX/amwUWjNTn5M63WOQu25Lpw4XgYEr4w9B4oql8ueDowhE+Ukwy7KGZesRdN6zpmlJecUOyIJMJCkwrpNCzWoiQgXIt4VZv57b7VAtTJo6LgAUOonTFGqdPC5PyZOKRHx6DnSfYG5jpjcLxYFhk7LgpOYUoCaAho1HEFQvvvtPt+IbZtWnljJsjj7kgI5wFItMsSNS0ibo2YL21DOAMdo/+qIGPHFzHG+zJYGTfQ4EjrRuqSeLj72JcZGWge5BbTt3mHrNxXHdv4+KqHhIqdxD9wZ6l1hMiH53qeIAArkahdGH6DoBgTGXDPKIjqNb1NqUgR7ItHdQCTHfI4tzXNx+Po5Q8EGreMbTXrcZLu++SnoBzMctLzbrvFjF22IJwH2ftmmPjm0gZseTZ4XdlQ4HXZGNyezQQSs= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SN6PR12MB2718.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(396003)(366004)(136003)(39860400002)(376002)(346002)(31686004)(86362001)(16526019)(956004)(7416002)(26005)(2906002)(6486002)(8676002)(4326008)(8936002)(83380400001)(186003)(6512007)(66946007)(19627235002)(44832011)(36756003)(38350700002)(38100700002)(53546011)(66476007)(52116002)(2616005)(54906003)(66556008)(31696002)(5660300002)(316002)(478600001)(6506007)(45980500001)(43740500002);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData: =?utf-8?B?bk0yeGRxY1RqRk5jamZFa2lqRjh0aFlXZTFwbURKMFF1ckIxMWs4bW82dnNH?= =?utf-8?B?bHpoTjFCbnNWYlpvay96ajRGbTJoemFXVjNlb0ZCQkFrdDBDbCtaOUtDTWo0?= =?utf-8?B?bzBqOHRFbWl1WlIrZ0lKcEQyUTJVTHlhODRFdUJOZkc1dmE5czNEekVWc1RC?= =?utf-8?B?dFJQZkJzZndybW90aEhNa2dydlhNSHdzQmMrVTZMbXIxT2pMandXaHl0b3Ji?= =?utf-8?B?WEVBUm1NcGVSODMwUGwrZGFDME0yazZ1N3kwbllFQkFXODE5WGorZ0d6Z1NZ?= =?utf-8?B?UkYxTk1YZkorU3lTbnZ4MnhxR05HQjZoZC9McWNZWW5yRWc1SGxUeHlSd2FH?= =?utf-8?B?VFFjY0ZUTTQxcEhWbE9wZGJobmV3ZlVnNEVPK1RiZzRsL1pXanlBVFg0UlM0?= =?utf-8?B?Y21SYmJaSWZkcWJyVEQySmRaV2hTekROWGM4Y25ZR3ljdjc3MGR3TXBVN1Fs?= =?utf-8?B?SG1KaEdnOTJSUTZPNUJIUEpwL3pWUThISkVXbGR1MXRIRWtXNXRqYzBCNGdi?= =?utf-8?B?eFhTRU4rRTJEVEt0Y2U2aTQ1SnZBeFpMam9OcktpaVlCUEs2OExnY1B4cSsv?= =?utf-8?B?NU5ieXl6VUZOWU5yekx3MG1FWEp2QzdUK3YvMGNzU1ZZNFAvdDlwS2pmdnIy?= =?utf-8?B?RXF1V05JL082bjdGV2RyNjIyVDQ0S21qRHkyTlEybzVTRVNHQ3IrY1loeFJW?= =?utf-8?B?Q1ZmbFFyL21vUXAvU2ZIOVRDWCtqMWVLdkZDZGw2cHR0UTd6Z0xKbFVrYm1a?= =?utf-8?B?SHcxaG8vM1djNCtMbjhGYi9OOTdJNGFpdVBPSy9ZemN5TXBHYUJ3VWg0NEVr?= =?utf-8?B?RU9pakUrdHh5cWhWUkR3QTdDZGdXeWxkdUQ4ZXJkZlVGZFdZSGNNcENaNjdi?= =?utf-8?B?NzZEZmNvVk8xZllWU045eUhEMy8zQjhJcWRFN3hEdCtOYlVCdll5RHpLM3Uv?= =?utf-8?B?M1NrN1VGSThNcEhGV2xhNVhmSFFFWjFjSFE5Uk9qa2hWanhLKzhRRHdXWURy?= =?utf-8?B?N2IvUko3Q1VvTVZGaUhjSFE4Z2p2c3A0Qy9ocnIrbjU1YmpoODNPUXpDZkVF?= =?utf-8?B?S0NGSERjaTJrU0xDb0tmSWFoYUJrK21zVDZWd0RQMnpwNlFWZGZDRTZJREJ3?= =?utf-8?B?QUZTbGNxZnVvN1RDNzRkakc1WDNoSENDZ3pUbzhvVTdLM1VwdHlGeDZVUEw3?= =?utf-8?B?QTVXNDB6c04vYjBYaS9ibkxiTXNjU2ovMTdIaWNpdW8rZFFDNmVUSlB4NWR4?= =?utf-8?B?ZTI5cjBJcXdkbTlMc2FDekszbjhvTUljK2FHUGVGWTZYK3l6UTFOTXFHMzdq?= =?utf-8?B?cWI5MGdxUmkxeTh3citkMGM2UVBFdTNZZjBjUVBZR0V3RnRkdWtQNFBKSGNW?= =?utf-8?B?ZStMTUEyd1l5TWpMTUtuYitYSGQ3SFdOMDYrV01jbE9kd0R6bWZSakNMWmFv?= =?utf-8?B?SkxwTS92L1c5Y1phMGZCbnlDdlZhYURkRlhQWllYMW1GWTVKQUc2cVNONjhk?= =?utf-8?B?dW5YZ0ZtSWtCc3RoOVo0Q3lCN3l3NXJrdzN6RkdDdm5HYXNFSkx6ZmVlNjFG?= =?utf-8?B?YzM2TXhGbzM3SGVsNUJnQTc2S1RVNmdTT1FJZVFhVVlFOG8xSm1pNHRkZzRr?= =?utf-8?B?SzdFYXVuRG8rQ09mYzAyVHNVTHJKeVpMWFRMVC9vWjk5b0k2aEhzRzNEVHkv?= =?utf-8?B?L0F6UlVCL0laTHNKWGZEY0JUb2h2Y0NLUklDcGFiTG5iRXZaZHdFRUlTTXVT?= =?utf-8?Q?TLCsRkb/a/+Qpoj7SDs0quZt8BP1KoQqhv3ugUM?= X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-Network-Message-Id: c8f93e85-0550-4476-da0e-08d91f949086 X-MS-Exchange-CrossTenant-AuthSource: SN6PR12MB2718.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 May 2021 15:48:39.1662 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: WWPxYewwfXYRiTeNZYsMSfNuxxwB1HZ4PPgDeHe9yfA15L5VoIfZ9+8egsZL9GAilOUuW2cBokRsjBfAXq6jYg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1PR12MB2511 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Content-Language: en-US On 5/25/21 12:31 AM, Dov Murik wrote: > Booting with SEV prevented the loading of kernel, initrd, and kernel > command-line via QEMU fw_cfg interface because they arrive from the VMM > which is untrusted in SEV. > > However, in some cases the kernel, initrd, and cmdline are not secret > but should not be modified by the host. In such a case, we want to > verify inside the trusted VM that the kernel, initrd, and cmdline are > indeed the ones expected by the Guest Owner, and only if that is the > case go on and boot them up (removing the need for grub inside OVMF in > that mode). > > This patch series declares a new page in MEMFD which will contain the > hashes of these three blobs (kernel, initrd, cmdline), each under its > own GUID entry. This tables of hashes is populated by QEMU before > launch, and encrypted as part of the initial VM memory; this makes sure > theses hashes are part of the SEV measurement (which has to be approved > by the Guest Owner for secret injection, for example). Note that this > requires a new QEMU patch which will be submitted soon. I have not looked at the patches, but trying to brainstorm if we can avoid reserving a new page in the MEMFD and use the existing EDK2 infrastructure to verify the blobs (kernel, initrd) loaded through the FW_CFG interface in the guest memory. If I understand correctly, then in your proposed approach, guest owner wants to ensure that the hypevisor passing its preferred kernel, initrd and cmdline. The guest owner basically knows the hashes of these components in advance. So, can we do something like this: - The secret blob provided by the guest owner should contains the hashes (sha384) of these components. - Use openssl API available in the edk2 to calculate the hash while loading the kernel, initrd and cmdline. - Before booting the kernel, compare the calculated hash with the one listed in the secret page. If they don't match then fail otherwise continue. Did I miss something ? -Brijesh > OVMF parses the table of hashes populated by QEMU (patch 5), and as it > reads the fw_cfg blobs from QEMU, it will verify each one against the > expected hash (kernel and initrd verifiers are introduced in patch 6, > and command-line verifier is introduced in patches 7+8). This is all > done inside the trusted VM context. If all the hashes are correct, boot > of the kernel is allowed to continue. > > Any attempt by QEMU to modify the kernel, initrd, cmdline (including > dropping one of them), or to modify the OVMF code that verifies those > hashes, will cause the initial SEV measurement to change and therefore > will be detectable by the Guest Owner during launch before secret > injection. > > Cc: Laszlo Ersek > Cc: Ard Biesheuvel > Cc: Jordan Justen > Cc: Ashish Kalra > Cc: Brijesh Singh > Cc: Erdem Aktas > Cc: James Bottomley > Cc: Jiewen Yao > Cc: Min Xu > Cc: Tom Lendacky > > James Bottomley (8): > OvmfPkg/AmdSev/SecretDxe: fix header comment to generic naming > OvmfPkg: PlatformBootManagerLibGrub: Allow executing kernel via fw_cfg > OvmfPkg/AmdSev: add a page to the MEMFD for firmware config hashes > OvmfPkg/QemuKernelLoaderFsDxe: Add ability to verify loaded items > OvmfPkg/AmdSev: Add library to find encrypted hashes for the FwCfg > device > OvmfPkg/AmdSev: Add firmware file plugin to verifier > OvmfPkg: GenericQemuLoadImageLib: Allow verifying fw_cfg command line > OvmfPkg/AmdSev: add SevQemuLoadImageLib > > OvmfPkg/OvmfPkg.dec | 10 ++ > OvmfPkg/AmdSev/AmdSevX64.dsc | 9 +- > OvmfPkg/AmdSev/AmdSevX64.fdf | 3 + > OvmfPkg/AmdSev/Library/SevFwCfgVerifier/SevFwCfgVerifier.inf | 30 +++++ > OvmfPkg/AmdSev/Library/SevHashFinderLib/SevHashFinderLib.inf | 34 ++++++ > OvmfPkg/AmdSev/Library/SevQemuLoadImageLib/SevQemuLoadImageLib.inf | 30 +++++ > OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManagerLibGrub.inf | 2 + > OvmfPkg/ResetVector/ResetVector.inf | 2 + > OvmfPkg/AmdSev/Include/Library/SevHashFinderLib.h | 47 ++++++++ > OvmfPkg/Include/Library/QemuFwCfgLib.h | 35 ++++++ > OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h | 11 ++ > OvmfPkg/AmdSev/Library/SevFwCfgVerifier/SevFwCfgVerifier.c | 60 ++++++++++ > OvmfPkg/AmdSev/Library/SevHashFinderLib/SevHashFinderLib.c | 126 ++++++++++++++++++++ > OvmfPkg/AmdSev/Library/SevQemuLoadImageLib/SevQemuLoadImageLib.c | 52 ++++++++ > OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 2 +- > OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c | 29 +++++ > OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c | 5 + > OvmfPkg/Library/PlatformBootManagerLibGrub/QemuKernel.c | 50 ++++++++ > OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 31 +++++ > OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 20 ++++ > OvmfPkg/ResetVector/ResetVector.nasmb | 2 + > 21 files changed, 587 insertions(+), 3 deletions(-) > create mode 100644 OvmfPkg/AmdSev/Library/SevFwCfgVerifier/SevFwCfgVerifier.inf > create mode 100644 OvmfPkg/AmdSev/Library/SevHashFinderLib/SevHashFinderLib.inf > create mode 100644 OvmfPkg/AmdSev/Library/SevQemuLoadImageLib/SevQemuLoadImageLib.inf > create mode 100644 OvmfPkg/AmdSev/Include/Library/SevHashFinderLib.h > create mode 100644 OvmfPkg/AmdSev/Library/SevFwCfgVerifier/SevFwCfgVerifier.c > create mode 100644 OvmfPkg/AmdSev/Library/SevHashFinderLib/SevHashFinderLib.c > create mode 100644 OvmfPkg/AmdSev/Library/SevQemuLoadImageLib/SevQemuLoadImageLib.c > create mode 100644 OvmfPkg/Library/PlatformBootManagerLibGrub/QemuKernel.c >