From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM12-MW2-obe.outbound.protection.outlook.com (NAM12-MW2-obe.outbound.protection.outlook.com [40.107.244.56]) by mx.groups.io with SMTP id smtpd.web11.29055.1626707685208130312 for ; Mon, 19 Jul 2021 08:14:45 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@amd.com header.s=selector1 header.b=Rz8VU8Bg; spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: amd.com, ip: 40.107.244.56, mailfrom: thomas.lendacky@amd.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VIPaK4qcDBniIv4450BCtSjLqk+ov+hfeGnMegANRCYP1v2rccP3OWXzI4aRXk63TLF/Lyq63kYLM1d9xukNseHaccR4gETkr07AttD4oCqHQe1A20sDx/YF3fi+xQ8ObtI5SGyP3wUTpQeHS2XwMBf7GdkDTiz1poV2F4rp8vg9cD4g7YSp13x1ZSO1aw1lbeMUIzYTXipAiYVLjwoEbpFz1YRopCbmTEva7cuRW/3apCrFJeArtri5se0hfBpA5k4A7tj38bprm8Dl9nJ/ULUcsr2rfif2AqzNwoVPGRUKN7BhASi2pgovGw4GCyFHTXOvmkJxYlI58larFg+arA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Lyyh0+1QWRoKj1T3x+YCBEY1dXbzlbVzQQB7uE2Bhso=; b=kMp7U1ggL8r7ApVXmlavfzTrP92fNvnCZXE70+Q/6diO9E/KokPJn9YvJXZerGHkUR2u4CjE0FEfduj7cfBxad/wKOObFVaOzw0tO/9c1fh8Hjx8+pt1f4TSGxGzPaqfNlbWSCxHCmcpzDpM9JLlAxXE8A1GPVZ+xYGTY6lcaPiBF4gV/jAOUN69eQijnmXc+rhpYjxMd4l00I9JNJXVPmu9CS3uzH3oiMTa4pPoHBQARmla0R6IU7dnFBO2dsJRU3s/3ek2gtEZmQE3BCmjIjv66a0yzSjEUprOgDw0yis0YejDFLDXFqxFkbLBbUTb4ywkvWz6B1/7jjjlTDjKIw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Lyyh0+1QWRoKj1T3x+YCBEY1dXbzlbVzQQB7uE2Bhso=; b=Rz8VU8Bg3abybRDNOMYXLD0LNfCOjQa9pTiNeietXPd1dabONpnHpPUOEunw2DWFwujL4U4/afaxyZif0jGcY0SUWpV6Zbe0sXcOt/7koXNXp/qN7iNuZghlu7QnprldsgBN1TxQgRfafFvzkeqCc13o4Jg+7sGJOghLX9rshfI= Authentication-Results: arm.com; dkim=none (message not signed) header.d=none;arm.com; dmarc=none action=none header.from=amd.com; Received: from DM4PR12MB5229.namprd12.prod.outlook.com (2603:10b6:5:398::12) by DM4PR12MB5296.namprd12.prod.outlook.com (2603:10b6:5:39d::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4331.22; Mon, 19 Jul 2021 15:14:42 +0000 Received: from DM4PR12MB5229.namprd12.prod.outlook.com ([fe80::73:2581:970b:3208]) by DM4PR12MB5229.namprd12.prod.outlook.com ([fe80::73:2581:970b:3208%3]) with mapi id 15.20.4331.032; Mon, 19 Jul 2021 15:14:42 +0000 Subject: Re: [PATCH v2 00/11] Measured SEV boot with kernel/initrd/cmdline To: Dov Murik , devel@edk2.groups.io Cc: Tobin Feldman-Fitzthum , Tobin Feldman-Fitzthum , Jim Cadden , James Bottomley , Hubertus Franke , Laszlo Ersek , Ard Biesheuvel , Jordan Justen , Ashish Kalra , Brijesh Singh , Erdem Aktas , Jiewen Yao , Min Xu , Leif Lindholm , Sami Mujawar References: <20210706085501.1260662-1-dovmurik@linux.ibm.com> From: "Lendacky, Thomas" Message-ID: Date: Mon, 19 Jul 2021 10:14:40 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 In-Reply-To: <20210706085501.1260662-1-dovmurik@linux.ibm.com> X-ClientProxiedBy: SN7PR04CA0067.namprd04.prod.outlook.com (2603:10b6:806:121::12) To DM4PR12MB5229.namprd12.prod.outlook.com (2603:10b6:5:398::12) Return-Path: thomas.lendacky@amd.com MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from [10.236.30.241] (165.204.77.1) by SN7PR04CA0067.namprd04.prod.outlook.com (2603:10b6:806:121::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4331.22 via Frontend Transport; Mon, 19 Jul 2021 15:14:41 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 8b98a266-f002-4410-aeb2-08d94ac7ef3c X-MS-TrafficTypeDiagnostic: DM4PR12MB5296: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:2803; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: Cwvft7rcKbEGufOYR88TYdvrNKVIDhQlsXsB2Bp386NhdVsSTRQ/X42oIRCaYKgjCFmKRhp+VhKUSBhsD8kzZETRCxi0t0frwPbL7TCCpWSFXldXMB6MTRymUts1HqOF8FJVIjsR08DPGnSGZauF0rbF8eSPf2+5Q97oVOh136DgbeQJSaHNn94NGmqN0iuK5/eAAhaL/fZXtKHLLkWZURW/WwSmXHgom5Dt27eVVl3Ci3BpmwgeZk/+948hGMGYcU7JC6U1pvGQtBxvwnHZYR6iSNMAG2QJ931S3FkIUZfkEOgOOBaa9knigIucevWIAOWVGi4innbTM+6GhHNA+04X3dUQ7puBUBfadv6Jjph1dvgHpjCkGT3RhDX12N9yc1hjaQuCpqZ6LWQYBfZeX67nFotTS3Z4VAht4NUx85Uaq1indSKuLCHLC8K/5tCa7av2HYzF4zAflCJIDBCEOxLG13s21HTlwnXUbxO4UPreIbEzzs8PsAqswXxzwOWf092OId995YqAqNSXW0dPAaekSsPIkNtoeH3EpFZFnMBINY7PP5SOXEBLrIXPfryvtVVOyoB1wyCu/9H+ZSBoikAROmImR4VqCEK5CD0e+E+uLWKmfTGeinbAlaE15uWgWyuFxbc/PZoZUhQNHMVi2DnODMZ5scb6Kjmc4R+rJk5gF0nejbYOSlA6Wb/pQ/DUdd+r2sUtCHhn37KayH/oZAssyXmYWL8Qlncy9yOZ45niX3MSGZenKzo+C+XPebRCegssSlcLlBVeUFsBDVFtpNb3TsSE/1FS4KqsnzLkVe8brSZ5c/ENQSbLQU+VWRqIBmgTqwZezirjbX+pIGCS1L+Ld5M6lozvxqvtE9rhjLE= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM4PR12MB5229.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(366004)(136003)(376002)(346002)(396003)(39860400002)(31696002)(19627235002)(53546011)(2906002)(66556008)(66476007)(66946007)(966005)(16576012)(26005)(316002)(36756003)(31686004)(83380400001)(8676002)(8936002)(186003)(478600001)(54906003)(86362001)(4326008)(7416002)(2616005)(956004)(38100700002)(5660300002)(6486002)(45980500001)(43740500002);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?dFJZU1RzM00rZ1ZWV2pCSFFZOWluYXBHcTFFL1lkVnV4b1lZZldNZlZuOEZP?= =?utf-8?B?Znk3NzZ4MUxScTFvOGdNa1RGNkNkMUtHbGU3anFiQkJSUlFIRU9PRng1NVZo?= =?utf-8?B?Z2pNL3pJZnQ3WHlFamlaeExtTTVlaEdRaUVLV2ZtNkMyZ3RaY09hdSthRXd2?= =?utf-8?B?ODh2Y1o2SXUyZWhBNHdVUCtLd0ZIWW5CSWVkbHJJa1FnN3YxZ1ZwNFRSd3FF?= =?utf-8?B?SjZoN0NSS2Vyb3ZOZ1pOYTJzV1NKMUpHaHU3OSszL3E0OHRxcVBERHNBOVBJ?= =?utf-8?B?dXBqRUcrQm9XQnVmbzM1bmpqWlFLdFRqSjgyNjhjNkdqN3VQVHZ2OE1pb3dW?= =?utf-8?B?clZIMjYyWlRZN1I5M0FKQnlldzVqc1N0ckRtMkNRU2ZheUZzcjhteURVYk1H?= =?utf-8?B?MFlLVG5oTlg5ZFp2KzZKNWZkMVlxWjZBUlI5MFR4SzAwQkRQTkhCSVhrZGVr?= =?utf-8?B?KzJJSitDcGlWTk01VXZyc09rTXJGTDBBZGdVY284VnlLZXZERVRmeWQrN3d5?= =?utf-8?B?NmkyMkhNbnM0Nk5oVXY1OUo0OGs3dWhOMGV2a0JLMm5FUFBEQm5xTUVsOStR?= =?utf-8?B?ZnlNVU5WcEFUbTRhVWtEd0Z4MExSZWU2T3BYaGllb1d2eG9XcTNkR09CUEVE?= =?utf-8?B?OXgzNTQ5aFFpa0VlOFJFNXlZc3ZVNVRPT2RPbzQyc3pFTVdJRzQxcDkrUTlk?= =?utf-8?B?UlA1MmY2d3gyNEo4TWZQeUZreXJNSFA4LzNJT2dwbDN4TzZFRXdPeVIzcFBL?= =?utf-8?B?Y3YxSzVQYW1zelJVL29jaHdORENKRG5naEhyYmRMcWU0QVJMaEZnNkhvOVJa?= =?utf-8?B?b3pJS2VjNEFPdHEyVC9ycXlCeE5mV1BocDd2aWQ2aFphUG9WajRNZnpLb2JF?= =?utf-8?B?SmkyVis4b3k0bzhrTTR2empIWWhIT1B3dzJWZ0puRVVWcWp3RjQzOVI0MXhm?= =?utf-8?B?UkVoWnJtSFNtRTdoMVV6WTR1anM5ZjhpNTgvQW9wVmwxT2tGeWtJSVpnMDBH?= =?utf-8?B?Z0wrWlUxYnkybTVKTWFUM3B4TXdzOGljVS9RWmJ1V2lFa0cxNHJITjlrcXpn?= =?utf-8?B?K1pTbDUxQ0lQNHhTU0ZkOVZoWHhheGRMSWptQnppRUowK0JpckZuSlRlUkN2?= =?utf-8?B?S3BGdlAwNWFzZ3RqdEI4aUp4SlNYTHIwQnNPbnRwcThnM3RiOW1hbHlQWk5n?= =?utf-8?B?QkhhNk01VlNnelZ5ZU5xVzFUOE9qbDZTKzdMa0NFc2JtOVFEb3F1ZWZkSUMz?= =?utf-8?B?R3FMNGh1UUxOdnRrRXkwODB4aDlsdVpJaFI5S1lDMHBRdGxEbWZGRDBjUkJy?= =?utf-8?B?ZEM1VmZtQUx4amtySHplckFwQzlkWmdGYm1PSWRBMWpsUzhnVW1VeWtWbnl4?= =?utf-8?B?b2VpSmRiYUxicjJ6dEtVZ2NNUnJBMVFnZEtjb3hnVnh5RDh4NmdJSjhoaEs1?= =?utf-8?B?Q2tzTXB2SG4rWHpLVzN0RnpKMDlTeHM4RW1icVlORlQ0dld0VDREZjUwR1I3?= =?utf-8?B?bTFhWUxkTXdQaXQrdE5wUFp5bmN0ZXJaQ0V4cE4yNDRHdEw4bXk0QXJyNndw?= =?utf-8?B?MW43dHhqaG9LT1RsZVNYRHpyc1pMSmlNS0FBU2dqZVVZNnNJVnh0YXJxRmt5?= =?utf-8?B?V3VlRnZBQzFPeXlTQjJPOFJ3QW1Gc241cUxLK2NkWTFranc0RDFPZU5ISXVz?= =?utf-8?B?UGYxeUZGK1dJazE5SG9xd0M0bjZnS29KWlRCT3FESi91amVFaE9Jam5PY2NS?= =?utf-8?Q?I8AjMmfCdM994lZuBTIpXcHnJpwO3XYCbW+gyLK?= X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-Network-Message-Id: 8b98a266-f002-4410-aeb2-08d94ac7ef3c X-MS-Exchange-CrossTenant-AuthSource: DM4PR12MB5229.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Jul 2021 15:14:42.4793 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: ZD/3xf5+0AL6qFtVKYQHcz11XCCy/ibYJ7ZJbm+cNMXgSxsxqV7999841PEDZAie5nn96h4LbYoFGkQ8I55gTg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR12MB5296 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit On 7/6/21 3:54 AM, Dov Murik wrote: > BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3457 This BZ link should be part of all the commit messages in the series. Thanks, Tom > > Booting with SEV prevented the loading of kernel, initrd, and kernel > command-line via QEMU fw_cfg interface because they arrive from the VMM > which is untrusted in SEV. > > However, in some cases the kernel, initrd, and cmdline are not secret > but should not be modified by the host. In such a case, we want to > verify inside the trusted VM that the kernel, initrd, and cmdline are > indeed the ones expected by the Guest Owner, and only if that is the > case go on and boot them up (removing the need for grub inside OVMF in > that mode). > > This patch series reserves an area in MEMFD (previously the last 1KB of > the launch secret page) which will contain the > hashes of these three blobs (kernel, initrd, cmdline), each under its > own GUID entry. This tables of hashes is populated by QEMU before > launch, and encrypted as part of the initial VM memory; this makes sure > theses hashes are part of the SEV measurement (which has to be approved > by the Guest Owner for secret injection, for example). Note that this > requires QEMU support [1]. > > OVMF parses the table of hashes populated by QEMU (patch 5), and as it > reads the fw_cfg blobs from QEMU, it will verify each one against the > expected hash (kernel and initrd verifiers are introduced in patch 6, > and command-line verifier is introduced in patches 7+8). This is all > done inside the trusted VM context. If all the hashes are correct, boot > of the kernel is allowed to continue. > > Any attempt by QEMU to modify the kernel, initrd, cmdline (including > dropping one of them), or to modify the OVMF code that verifies those > hashes, will cause the initial SEV measurement to change and therefore > will be detectable by the Guest Owner during launch before secret > injection. > > Relevant part of OVMF serial log during boot with AmdSevX86 build and QEMU with > -kernel/-initrd/-append: > > ... > SevHashesBlobVerifierLibConstructor: found injected hashes table in secure location > Select Item: 0x17 > Select Item: 0x8 > FetchBlob: loading 7379328 bytes for "kernel" > Select Item: 0x18 > Select Item: 0x11 > VerifyBlob: Found GUID 4DE79437-ABD2-427F-B835-D5B172D2045B in table > VerifyBlob: Hash comparison succeeded for entry 'kernel' > Select Item: 0xB > FetchBlob: loading 12483878 bytes for "initrd" > Select Item: 0x12 > VerifyBlob: Found GUID 44BAF731-3A2F-4BD7-9AF1-41E29169781D in table > VerifyBlob: Hash comparison succeeded for entry 'initrd' > Select Item: 0x14 > FetchBlob: loading 86 bytes for "cmdline" > Select Item: 0x15 > VerifyBlob: Found GUID 97D02DD8-BD20-4C94-AA78-E7714D36AB2A in table > VerifyBlob: Hash comparison succeeded for entry 'cmdline' > ... > > The patch series is organized as follows: > > 1: Simple comment fix in adjacent area in the code. > 2: Use GenericQemuLoadImageLib to gain one location for fw_cfg blob > fetching. > 3: Allow the (previously blocked) usage of -kernel in AmdSevX64. > 4-7: Add BlobVerifierLib with null implementation and use it in the correct > location in QemuKernelLoaderFsDxe. > 8-9: Reserve memory for hashes table, declare this area in the reset vector. > 10-11: Add the secure implementation SevHashesBlobVerifierLib and use it in > AmdSevX64 builds. > > [1] https://lore.kernel.org/qemu-devel/20210624102040.2015280-1-dovmurik@linux.ibm.com/ > > Code is at > https://github.com/confidential-containers-demo/edk2/tree/sev-hashes-v2 > > v2 changes: > - Use the last 1KB of the existing SEV launch secret page for hashes table > (instead of reserving a whole new MEMFD page). > - Build on top of commit cf203024745f ("OvmfPkg/GenericQemuLoadImageLib: Read > cmdline from QemuKernelLoaderFs", 2021-06-28) to have a single location in > which all of kernel/initrd/cmdline are fetched from QEMU. > - Use static linking of the two BlobVerifierLib implemenatations. > - Reorganize series. > > v1: https://edk2.groups.io/g/devel/message/75567 > > Cc: Laszlo Ersek > Cc: Ard Biesheuvel > Cc: Jordan Justen > Cc: Ashish Kalra > Cc: Brijesh Singh > Cc: Erdem Aktas > Cc: James Bottomley > Cc: Jiewen Yao > Cc: Min Xu > Cc: Tom Lendacky > Cc: Leif Lindholm > Cc: Sami Mujawar > > Dov Murik (8): > OvmfPkg/AmdSev: use GenericQemuLoadImageLib in AmdSev builds > OvmfPkg: add library class BlobVerifierLib with null implementation > OvmfPkg: add NullBlobVerifierLib to DSC > ArmVirtPkg: add NullBlobVerifierLib to DSC > OvmfPkg/QemuKernelLoaderFsDxe: call VerifyBlob after fetch from fw_cfg > OvmfPkg/AmdSev/SecretPei: build hob for full page > OvmfPkg: add SevHashesBlobVerifierLib > OvmfPkg/AmdSev: Enforce hash verification of kernel blobs > > James Bottomley (3): > OvmfPkg/AmdSev/SecretDxe: fix header comment to generic naming > OvmfPkg: PlatformBootManagerLibGrub: Allow executing kernel via fw_cfg > OvmfPkg/AmdSev: reserve MEMFD space for for firmware config hashes > > OvmfPkg/OvmfPkg.dec | 9 + > ArmVirtPkg/ArmVirtQemu.dsc | 5 +- > ArmVirtPkg/ArmVirtQemuKernel.dsc | 5 +- > OvmfPkg/AmdSev/AmdSevX64.dsc | 9 +- > OvmfPkg/OvmfPkgIa32.dsc | 5 +- > OvmfPkg/OvmfPkgIa32X64.dsc | 5 +- > OvmfPkg/OvmfPkgX64.dsc | 5 +- > OvmfPkg/AmdSev/AmdSevX64.fdf | 5 +- > OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf | 27 +++ > OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifierLib.inf | 36 ++++ > OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManagerLibGrub.inf | 2 + > OvmfPkg/ResetVector/ResetVector.inf | 2 + > OvmfPkg/Include/Library/BlobVerifierLib.h | 38 ++++ > OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h | 11 ++ > OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 2 +- > OvmfPkg/AmdSev/SecretPei/SecretPei.c | 9 +- > OvmfPkg/Library/BlobVerifierLib/NullBlobVerifier.c | 34 ++++ > OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifier.c | 199 ++++++++++++++++++++ > OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c | 5 + > OvmfPkg/Library/{PlatformBootManagerLib => PlatformBootManagerLibGrub}/QemuKernel.c | 0 > OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 9 + > OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 20 ++ > OvmfPkg/ResetVector/ResetVector.nasmb | 2 + > 23 files changed, 434 insertions(+), 10 deletions(-) > create mode 100644 OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf > create mode 100644 OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifierLib.inf > create mode 100644 OvmfPkg/Include/Library/BlobVerifierLib.h > create mode 100644 OvmfPkg/Library/BlobVerifierLib/NullBlobVerifier.c > create mode 100644 OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifier.c > copy OvmfPkg/Library/{PlatformBootManagerLib => PlatformBootManagerLibGrub}/QemuKernel.c (100%) >