From: James Bottomley <jejb@linux.ibm.com>
To: Brijesh Singh <brijesh.singh@amd.com>, devel@edk2.groups.io
Cc: dovmurik@linux.vnet.ibm.com, Dov.Murik1@il.ibm.com,
ashish.kalra@amd.com, tobin@ibm.com, david.kaplan@amd.com,
jon.grimm@amd.com, thomas.lendacky@amd.com, frankeh@us.ibm.com,
"Dr . David Alan Gilbert" <dgilbert@redhat.com>
Subject: Re: [PATCH 0/4] SEV Encrypted Boot for Ovmf
Date: Thu, 12 Nov 2020 11:44:44 -0800 [thread overview]
Message-ID: <a4a99113ca31d919c7cca58f40fc03daf9c2c97b.camel@linux.ibm.com> (raw)
In-Reply-To: <5cb9e43e-b22f-0ffc-3b02-1b173454de9f@amd.com>
On Thu, 2020-11-12 at 11:32 -0600, Brijesh Singh wrote:
> Hi James,
>
> Thanks for series, I glanced at it, the changes looks okay to me. I
> have
> one questions.
>
> How does the grub locate the disk decryption key ? Am I correct in
> assuming that the gurb is iterating through a configuration table
> entries and comparing the Secret GUID to locate the secret key. As
> per the SEV spec, its possible that a guest owner can call the secret
> injection more than once. I don't see the patch consider that case,
> should we support this or limit to one inject? Maybe Qemu can
> enforce this property.
Well in the original patch, grub recognized the secret in the area by
the prefix "PASSWORD:". I think that's a bit fragile, so I was
planning to rework the grub patch to do everything by guid, so the
secrets table itself would have its own guid which would be followed by
the entire table length. Then the entries in the table would have the
format
|guid|len|data|
So every consumer first of all validates the table by the initial guid
and gets the total length then iterates over the entries to see if its
interested in any of them. The format of |data| would be up to the
consumer.
> Do you see any need for the Linux kernel needing to access the
> secret? Since the secret blob is available through configuration
> table, I believe we can have a platform driver that can read the
> configuration table and retrieve the secret blob.
I've only been really concentrating on the grub use case. However, as
you saw in my reply about migration, we likely also need an entry so
that the migration helper can pick up its ECDH identity. The scheme
would definitely cover passing a secret to the kernel as well. The one
caveat there is that the HOB that covers the secret is boot time, so
the secret would have to be extracted in the kernel EFI stub before
ExitBootServices() is called. I suppose nothing really prevent the HOB
from becoming runtime except the security maxim that you want all
secret lifetimes to be as short as possible.
James
next prev parent reply other threads:[~2020-11-12 19:44 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-12 0:13 [PATCH 0/4] SEV Encrypted Boot for Ovmf James Bottomley
2020-11-12 0:13 ` [PATCH 1/4] OvmfPkg/Amdsev: Base commit to build encrypted boot specific OVMF James Bottomley
2020-11-16 19:11 ` [edk2-devel] " Laszlo Ersek
2020-11-16 20:00 ` James Bottomley
2020-11-12 0:13 ` [PATCH 2/4] OvmfPkg/AmdSev: add Grub Firmware Volume Package James Bottomley
2020-11-16 20:42 ` [edk2-devel] " Laszlo Ersek
2020-11-17 0:05 ` Laszlo Ersek
2020-11-18 23:00 ` James Bottomley
2020-11-19 7:59 ` Laszlo Ersek
2020-11-12 0:13 ` [PATCH 3/4] OvmfPkg: create a SEV secret area in the AmdSev memfd James Bottomley
2020-11-16 22:46 ` [edk2-devel] " Laszlo Ersek
2020-11-18 20:23 ` James Bottomley
2020-11-19 7:50 ` Laszlo Ersek
2020-11-19 19:41 ` Brijesh Singh
2020-11-20 6:29 ` jejb
2020-11-20 10:59 ` Laszlo Ersek
2020-11-18 20:39 ` Lendacky, Thomas
2020-11-19 7:51 ` Laszlo Ersek
2020-11-12 0:13 ` [PATCH 4/4] OvmfPkg/AmdSev: Expose the Sev Secret area using a configuration table James Bottomley
2020-11-17 0:12 ` [edk2-devel] " Laszlo Ersek
2020-11-12 16:21 ` [PATCH 0/4] SEV Encrypted Boot for Ovmf Ashish Kalra
2020-11-12 16:34 ` Dr. David Alan Gilbert
2020-11-12 17:07 ` James Bottomley
2020-11-12 17:22 ` Ashish Kalra
2020-11-12 17:32 ` Brijesh Singh
2020-11-12 19:38 ` Dr. David Alan Gilbert
2020-11-12 21:56 ` Brijesh Singh
2020-11-12 22:50 ` James Bottomley
2020-11-15 14:08 ` Brijesh Singh
2020-11-12 19:44 ` James Bottomley [this message]
2020-11-13 2:04 ` [edk2-devel] " James Bottomley
2020-11-13 22:41 ` Laszlo Ersek
2020-11-16 18:50 ` Laszlo Ersek
2020-11-16 18:56 ` Laszlo Ersek
2020-11-16 19:55 ` James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a4a99113ca31d919c7cca58f40fc03daf9c2c97b.camel@linux.ibm.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox