From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) by mx.groups.io with SMTP id smtpd.web09.11382.1623154194941662592 for ; Tue, 08 Jun 2021 05:09:55 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@ibm.com header.s=pp1 header.b=c2iutM5t; spf=pass (domain: linux.ibm.com, ip: 148.163.156.1, mailfrom: dovmurik@linux.ibm.com) Received: from pps.filterd (m0098394.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 158AfNHO146208; Tue, 8 Jun 2021 08:09:53 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=subject : to : cc : references : from : message-id : date : mime-version : in-reply-to : content-type : content-transfer-encoding; s=pp1; bh=Rs2d3zORnQGVRGnSMKt95eDy/AwlrwJqhntuKhrgAbQ=; b=c2iutM5ty3c2vflOBdwwAs6vT7Zh89w/DBHobgi2DKIYem8zB/H9302IhL+T/+Um19ts SVIGPbVsnDHPfBPx/CQZcNRMlI6xBFhKWI+8BTTLkc1XBPlXuVl1z+6kpBn3VRe0JfZN HTDKPokhYhjOSz+JM1mWpjRuEWhhkdeRtSYMDtGrvl6uQYK15ZgMPtffE8eETpINEM9j SvHUvwHDoRYwMTALiGB30XHkN9jPl6xlnI8BuB+rLo1bitYgs+BuTEvYB+C4Qi2BDW2Z V84lqRvLyAARMSJ2Uh8IM+gEWQCB3zrpiTiXgaylD4hnHw2/RKfzV/D4POsfmJ8EsAjK IQ== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 392712t644-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Jun 2021 08:09:52 -0400 Received: from m0098394.ppops.net (m0098394.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 158AfNLK146168; Tue, 8 Jun 2021 08:09:52 -0400 Received: from ppma06ams.nl.ibm.com (66.31.33a9.ip4.static.sl-reverse.com [169.51.49.102]) by mx0a-001b2d01.pphosted.com with ESMTP id 392712t62t-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Jun 2021 08:09:52 -0400 Received: from pps.filterd (ppma06ams.nl.ibm.com [127.0.0.1]) by ppma06ams.nl.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 158C7PR9018393; Tue, 8 Jun 2021 12:09:49 GMT Received: from b06cxnps4075.portsmouth.uk.ibm.com (d06relay12.portsmouth.uk.ibm.com [9.149.109.197]) by ppma06ams.nl.ibm.com with ESMTP id 3900hhsgqj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Jun 2021 12:09:49 +0000 Received: from d06av25.portsmouth.uk.ibm.com (d06av25.portsmouth.uk.ibm.com [9.149.105.61]) by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 158C9kHB25100788 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Jun 2021 12:09:46 GMT Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D033611C04C; Tue, 8 Jun 2021 12:09:46 +0000 (GMT) Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id AF54A11C04A; Tue, 8 Jun 2021 12:09:42 +0000 (GMT) Received: from [9.160.63.216] (unknown [9.160.63.216]) by d06av25.portsmouth.uk.ibm.com (Postfix) with ESMTP; Tue, 8 Jun 2021 12:09:42 +0000 (GMT) Subject: Re: [edk2-devel] [PATCH v1 0/8] Measured SEV boot with kernel/initrd/cmdline To: Laszlo Ersek , devel@edk2.groups.io, Ard Biesheuvel Cc: Tobin Feldman-Fitzthum , Tobin Feldman-Fitzthum , Jim Cadden , James Bottomley , Hubertus Franke , Jordan Justen , Ashish Kalra , Brijesh Singh , Erdem Aktas , Jiewen Yao , Min Xu , Tom Lendacky References: <20210525053116.1533673-1-dovmurik@linux.ibm.com> <5d8c598e-31de-7973-df51-e913bba54587@redhat.com> <3cead34f-a736-3a5d-4933-cebc085ca868@redhat.com> From: "Dov Murik" Message-ID: Date: Tue, 8 Jun 2021 15:09:40 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 MIME-Version: 1.0 In-Reply-To: <3cead34f-a736-3a5d-4933-cebc085ca868@redhat.com> X-TM-AS-GCONF: 00 X-Proofpoint-GUID: jJTbBESXl_-fY6JnJDWakhhODygXQWjM X-Proofpoint-ORIG-GUID: _l85fsr95kOsg5D7UzrdxonSLLILpMOI X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391,18.0.761 definitions=2021-06-08_05:2021-06-04,2021-06-08 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 lowpriorityscore=0 malwarescore=0 suspectscore=0 spamscore=0 clxscore=1015 priorityscore=1501 adultscore=0 mlxscore=0 phishscore=0 mlxlogscore=999 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104190000 definitions=main-2106080051 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit On 08/06/2021 13:59, Laszlo Ersek wrote: > Ard, > > do you have any comments please, on the topic at the bottom? > > My comments follow: > > On 06/08/21 11:57, Dov Murik wrote: >> >> >> On 04/06/2021 14:26, Laszlo Ersek wrote: >>> On 06/04/21 12:30, Dov Murik wrote: >>> >> >> ... >> >>>> >>>>> [Ard, please see this one question:] >>>>> >>>>> - A major complication for hashing all three of: kernel, initrd, >>>>> cmdline, is that the *fetching* of this triplet is split between >>>>> two places. (Well, it is split between *three* places in fact, but >>>>> I'm going to ignore LinuxInitrdDynamicShellCommand for now, because >>>>> the AmdSevX64 platform sets BUILD_SHELL to FALSE for production.) >>>>> >>>>> The kernel and the initrd are fetched in QemuKernelLoaderFsDxe, but >>>>> the command line is fetched in (both) QemuLoadImageLib instances. >>>>> This requires that all these modules be littered with hashing as >>>>> well, which I find *really bad*. Even if we factor out the actual >>>>> logic, I strongly dislike having *just hooks* for hashing in >>>>> multiple modules. >>>>> >>>>> Now, please refer to efc52d67e157 ("OvmfPkg/QemuKernelLoaderFsDxe: >>>>> don't expose kernel command line", 2020-03-05). If we first >>>>> >>>>> (a) reverted that commit, and >>>>> >>>>> (b) modified *both* QemuLoadImageLib instances, to load the kernel >>>>> command line from the *synthetic filesystem* (rather than directly >>>>> from fw_cfg), >>>>> >>>>> then we could centralize the hashing to just QemuKernelLoaderFsDxe. >>>>> >>>>> Ard -- what's your thought on this? >>>>> >>>> >>>> I understand there's agreement here, and that both this suggested >>>> change (use the synthetic filesystem) and my patch series (add hash >>>> verification) touch the same code areas. How do you envision this >>>> process in the mailing list? Seperate patch serieses with >>>> dependency? One long patch series with both changes? What goes >>>> first? >>> >>> Good point. I do have a kind of patch order laid out in my mind, but >>> I didn't think of whether we should have the patches in one patch >>> series, or in two "waves". >>> >>> OK, let's go with two patch sets. >>> >>> In the first set, we should just focus on the above steps (a) and >>> (b). Step (a) shouldn't be too hard. In step (b), you'd modify both >>> QemuLoadImageLib instances (two separate patches), replacing the >>> QemuFwCfgLib APIs for fetching the cmdline with >>> EFI_SIMPLE_FILE_SYSTEM_PROTOCOL and EFI_FILE_PROTOCOL APIs. >>> >>> Speaking from memory, the synthetic filesystem has a unique device >>> path, so the first step would be calling gBS->LocateDevicePath(), for >>> finding SimpleFs on the unique device path. Once you have the >>> SimpleFs interface, you can call OpenVolume, then open the "cmdline" >>> file using the EFI_FILE_PROTOCOL output by OpenVolume. >>> >>> Once we merge this series (basically just three patches), there is no >>> QemuFwCfgLib dependency left in either QemuLoadImageLib instance, I >>> reckon. >> >> I started working on that, and managed to remove all QemuFwCfg* calls >> in the main path of QemuLoadKernelImage (so far working on >> X86QemuLoadImageLib.c). That works fine: I read the content of the >> "cmdline" synthetic file, and I check the size of the synthetic >> "initrd" file. I used Library/FileHandleLib.h; I hope that's fine. > > The lib class header says "Provides interface to EFI_FILE_HANDLE > functionality", which is not too bad; but I don't immediately see what > those APIs save us -- the APIs that I believe to be relevant to this use > case all seem to be thin wrappers around EFI_FILE_PROTOCOL. (The only > instance of FileHandleLib is > "MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf".) While not > necessarily a problem, it doesn't seem an obvious win (unless it saves > you much complexity and/or code in a way that I'm missing). Using FileHandleGetSize() saves some handling of a EFI_FILE_INFO pointer and freeing it etc (for getting the size of "cmdline" and "initrd"). But maybe it's better not to add another dependency. > > In OVMF, the following executables use UefiFileHandleLib at the moment: > > - MdeModulePkg/Universal/BdsDxe/BdsDxe.inf > - ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf > - ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf > - OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf > - ShellPkg/Application/Shell/Shell.inf > > The last four are shell-related, so "prior art" is really just BdsDxe... > >> However, there's another path (which I don't reach with my test >> setup), which is the call to QemuLoadLegacyImage, which has a lot of >> calls to QemuFwCfg* in its body. >> >> Am I expected to change that legacy path as well? >> Or is it in a "it's working don't touch" state? >> If I modify this, how do I test it? > > The use case that you foresee for this feature is really important here. > > When you say that you don't reach QemuLoadLegacyImage(), that means your > guest kernel is built with the UEFI stub. > > (1) If you can make the Linux UEFI stub a *required* part of the use > case, then: > > (1a) switch the QemuLoadImageLib class resolution from > "OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf" to > "OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf" in > "OvmfPkg/AmdSev/AmdSevX64.dsc", > > (1b) modify "OvmfPkg/Library/GenericQemuLoadImageLib" only (your > modifications thus far should be easy to transplant to this lib > instance); ignore "OvmfPkg/Library/X86QemuLoadImageLib". There is no > QemuLoadLegacyImage() in GenericQemuLoadImageLib. > > This makes sense especially because "OvmfPkg/AmdSev/AmdSevX64.dsc" does > not offer Secure Boot support, so there's not going to be a case when > gBS->LoadImage() rejects the UEFI stubbed Linux binary due to Secure > Boot verification failing (EFI_SECURITY_VIOLATION, EFI_ACCESS_DENIED). > > > (2) If you cannot make the Linux UEFI stub a required part of the use > case, then X86QemuLoadImageLib needs to be modified indeed. > > (2a) Unfortunately, in this case we have to add a hack, because the > synthetic filesystem only exposes the concatenated "setup data + kernel > image" blob. The following would have to be preserved (as the only > remaining QemuFwCfgLib access): > > QemuFwCfgSelectItem (QemuFwCfgItemKernelSetupSize); > SetupSize = (UINTN)QemuFwCfgRead32 (); > > (2b) and then the kernel blob from the synthetic fs would have to be > split in two (= setup, kernel), within QemuLoadLegacyImage(). > > > I'm sorry for missing this aspect previously! I really hope we can go > with (1)! > I'll check. But if we go with (1) -- do you (and Ard) prefer: (a) leave X86QemuLoadImageLib as it is in master; -or- (b) modify X86QemuLoadImageLib the "main" path to use the QemuKernelLoaderFs (what I started doing) and leave the "legacy" path with QemuFwCfg ? Or, in other words, is the refactoring to read the cmdline from QemuKernelLoaderFs (across both QemuLoadImageLib implementations) beneficial even if we don't add the verification "hooks"? -Dov > Thanks, > Laszlo >