public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Laszlo Ersek" <lersek@redhat.com>
To: Tom Lendacky <thomas.lendacky@amd.com>, devel@edk2.groups.io
Cc: Brijesh Singh <brijesh.singh@amd.com>,
	James Bottomley <jejb@linux.ibm.com>,
	Jordan Justen <jordan.l.justen@intel.com>,
	Ard Biesheuvel <ard.biesheuvel@arm.com>
Subject: Re: [edk2-devel] [PATCH v2 15/15] OvfmPkg/VmgExitLib: Validate #VC MMIO is to un-encrypted memory
Date: Thu, 7 Jan 2021 18:48:44 +0100	[thread overview]
Message-ID: <90fd1a1a-56cc-f9b1-4982-164334f5ab11@redhat.com> (raw)
In-Reply-To: <57b8a37f-9a61-3bb3-c87b-104d1d3b3d89@amd.com>

On 01/07/21 18:33, Tom Lendacky wrote:
> On 1/7/21 11:27 AM, Laszlo Ersek via groups.io wrote:
>> On 01/06/21 22:21, Lendacky, Thomas wrote:
>>> From: Tom Lendacky <thomas.lendacky@amd.com>
>>>
>>> BZ:
>>> https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D3108&amp;data=04%7C01%7Cthomas.lendacky%40amd.com%7Cbb067ba9ec7d47a785b108d8b33192f1%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637456372789618447%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=4gBvuWLwJxtPwahzl%2BjC6sNb%2FEgb0WmGscSwSdKBPOQ%3D&amp;reserved=0
>>>
>>>
>>> When SEV-ES is active, and MMIO operation will trigger a #VC and the
>>> VmgExitLib exception handler will process this MMIO operation.
>>>
>>> A malicious hypervisor could try to extract information from encrypted
>>> memory by setting a reserved bit in the guests nested page tables for
>>> a non-MMIO area. This can result in the encrypted data being copied into
>>> the GHCB shared buffer area and accessed by the hypervisor.
>>>
>>> Prevent this by ensuring that the MMIO source/destination is
>>> un-encrypted
>>> memory. For the APIC register space, access is allowed in general.
>>>
>>> Cc: Jordan Justen <jordan.l.justen@intel.com>
>>> Cc: Laszlo Ersek <lersek@redhat.com>
>>> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
>>> Cc: Brijesh Singh <brijesh.singh@amd.com>
>>> Acked-by: Laszlo Ersek <lersek@redhat.com>
>>> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
>>> ---
>>>   OvmfPkg/AmdSev/AmdSevX64.dsc                                 |  1 +
>>>   OvmfPkg/OvmfPkgX64.dsc                                       |  1 +
>>>   OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf |  2 +-
>>>   OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf                 |  2 +
>>>   OvmfPkg/Library/VmgExitLib/VmgExitLib.inf                    |  2 +
>>>   OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c                | 81
>>> ++++++++++++++++++++
>>>   6 files changed, 88 insertions(+), 1 deletion(-)
>>
>> Looks OK, thanks.
> 
> Thanks for the review, Laszlo! I've applied all of your comments for
> this series should a v3 need to be submitted.

Actually, I'd prefer that, if you have v3 handy already! If you post v3
at once, I might be able to merge it today.

Thanks
Laszlo


  reply	other threads:[~2021-01-07 17:48 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-06 21:21 [PATCH v2 00/15] SEV-ES security mitigations Lendacky, Thomas
2021-01-06 21:21 ` [PATCH v2 01/15] Ovmf/ResetVector: Simplify and consolidate the SEV features checks Lendacky, Thomas
2021-01-06 21:21 ` [PATCH v2 02/15] OvmfPkg/Sec: Move SEV-ES SEC workarea definition to common header file Lendacky, Thomas
2021-01-06 21:21 ` [PATCH v2 03/15] OvmfPkg/ResetVector: Validate the encryption bit position for SEV/SEV-ES Lendacky, Thomas
2021-01-07 14:43   ` [edk2-devel] " Laszlo Ersek
2021-01-06 21:21 ` [PATCH v2 04/15] OvmfPkg/ResetVector: Perform a simple SEV-ES sanity check Lendacky, Thomas
2021-01-07 14:44   ` [edk2-devel] " Laszlo Ersek
2021-01-06 21:21 ` [PATCH v2 05/15] OvmfPkg/MemEncryptSevLib: Save the encryption mask at boot time Lendacky, Thomas
2021-01-07 14:52   ` [edk2-devel] " Laszlo Ersek
2021-01-06 21:21 ` [PATCH v2 06/15] OvmfPkg/MemEncryptSevLib: Add an interface to retrieve the encryption mask Lendacky, Thomas
2021-01-07 15:50   ` [edk2-devel] " Laszlo Ersek
2021-01-06 21:21 ` [PATCH v2 07/15] OvmfPkg/MemEncryptSevLib: Obtain encryption mask using the new interface Lendacky, Thomas
2021-01-07 15:56   ` [edk2-devel] " Laszlo Ersek
2021-01-06 21:21 ` [PATCH v2 08/15] OvmfPkg/AmdSevDxe: Clear encryption bit on PCIe MMCONFIG range Lendacky, Thomas
2021-01-07 17:11   ` [edk2-devel] " Laszlo Ersek
2021-01-06 21:21 ` [PATCH v2 09/15] OvmfPkg/VmgExitLib: Check for an explicit DR7 cached value Lendacky, Thomas
2021-01-06 21:21 ` [PATCH v2 10/15] OvmfPkg/MemEncryptSevLib: Coding style fixes in prep for SEC library Lendacky, Thomas
2021-01-07 17:12   ` [edk2-devel] " Laszlo Ersek
2021-01-06 21:21 ` [PATCH v2 11/15] OvmfPkg/MemEncryptSevLib: Make the MemEncryptSevLib available for SEC Lendacky, Thomas
2021-01-07 17:22   ` [edk2-devel] " Laszlo Ersek
2021-01-06 21:21 ` [PATCH v2 12/15] OvmfPkg/MemEncryptSevLib: Address range encryption state interface Lendacky, Thomas
2021-01-06 21:21 ` [PATCH v2 13/15] OvmfPkg/VmgExitLib: Support nested #VCs Lendacky, Thomas
2021-01-06 21:21 ` [PATCH v2 14/15] OvmfPkg/PlatformPei: Reserve GHCB backup pages if S3 is supported Lendacky, Thomas
2021-01-07 17:25   ` [edk2-devel] " Laszlo Ersek
2021-01-06 21:21 ` [PATCH v2 15/15] OvfmPkg/VmgExitLib: Validate #VC MMIO is to un-encrypted memory Lendacky, Thomas
2021-01-07 17:27   ` [edk2-devel] " Laszlo Ersek
2021-01-07 17:33     ` Lendacky, Thomas
2021-01-07 17:48       ` Laszlo Ersek [this message]
2021-01-07 18:37         ` Lendacky, Thomas

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=90fd1a1a-56cc-f9b1-4982-164334f5ab11@redhat.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox