From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM12-BN8-obe.outbound.protection.outlook.com (NAM12-BN8-obe.outbound.protection.outlook.com [40.107.237.46]) by mx.groups.io with SMTP id smtpd.web09.2815.1608065490107038354 for ; Tue, 15 Dec 2020 12:51:30 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@amdcloud.onmicrosoft.com header.s=selector2-amdcloud-onmicrosoft-com header.b=GDyTWHRP; spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: amd.com, ip: 40.107.237.46, mailfrom: thomas.lendacky@amd.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XUHhaBcsxrZMFbeLYcd82aOlcKMETmpIFD7DL2fqKTi+XERgW6UY/M6Wwoa8sBW0NbzMAPEeRGR41sYNODslDlwwO27NxllygKEl+0+26s76FJsZ7WeJkz/KTw0Bgb/MGTxlKg61h3vSjwGYMWfWi2whvEoS2w2ObThD9WftZVRjnluuMqoyZnZB9v0DQo0H4uhcGjpFPSONne+PdQNiNswfG+EvowHab9uLnDo2Zz63IlYZlxYkBN3M6q6de9jzs1UgflolO2eVtLp08DmljNQyvLvJ3had4STdDi0kaYveK9GQH4TucGfbLyQxLyJ2x7BUO9MuGR5SSqTBlEUg6A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=R7ds9xBFxOLS246C4OsUq+ytu+Qqp3Q1WxTbf9T1HMk=; b=FdFLQBovqFk9egaT3gMQHgcWu5v9tlBbWjg8ll/jugr2jAPAYqMpnEhayhVLJ/nrybNFmmnFCvrIgcIBaRg6nVDde7G9D80ncu0u8DTboR0Di6BY8B4+s3+O4fvbmrqR/+CNloJJM2q0J+0DUp7Sz/kONai2HGBXxlPB+R2i5Y+N0wP1HS6XodzeCld4hntDiwPr16qkhxvGG3idFJsXIuQItBubLcTpvarC+hsNty2LJutd2SdJ14A8SHDsJLJC7j5rUQPAiNaQl8g9/Z6gVqVBscuXjfQNhtRLT5B/LgkM9E9b14OOKijiyu3yFa6kGJ7Q6SN8VNEl6KEuD33sPA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amdcloud.onmicrosoft.com; s=selector2-amdcloud-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=R7ds9xBFxOLS246C4OsUq+ytu+Qqp3Q1WxTbf9T1HMk=; b=GDyTWHRPh6jRixfL4WgxV0hcOtyuq+1Agb0lhA4pSJjPmHoizGpbErmfWFKyD0mUNtlhmWSscTxfWyL3OFuX4IGG2L64DNWhuUfWZoxZ8duuc+0AN3Z+u4PNFdhp4Um7+veAQ55cffa+fAZCFo8aF8kHvsNqbMTvJDifG5Vpo6M= Authentication-Results: edk2.groups.io; dkim=none (message not signed) header.d=none;edk2.groups.io; dmarc=none action=none header.from=amd.com; Received: from DM5PR12MB1355.namprd12.prod.outlook.com (10.168.234.7) by DM6PR12MB4155.namprd12.prod.outlook.com (10.141.8.79) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3654.15; Tue, 15 Dec 2020 20:51:26 +0000 Received: from DM5PR12MB1355.namprd12.prod.outlook.com ([fe80::d95e:b9d:1d6a:e845]) by DM5PR12MB1355.namprd12.prod.outlook.com ([fe80::d95e:b9d:1d6a:e845%12]) with mapi id 15.20.3654.025; Tue, 15 Dec 2020 20:51:26 +0000 From: "Lendacky, Thomas" To: devel@edk2.groups.io CC: Brijesh Singh , James Bottomley , Ard Biesheuvel , Rebecca Cran , Laszlo Ersek , Julien Grall , Peter Grehan , Jordan Justen , Anthony Perard Subject: [PATCH 00/12] SEV-ES security mitigations Date: Tue, 15 Dec 2020 14:50:59 -0600 Message-ID: X-Mailer: git-send-email 2.28.0 X-Originating-IP: [165.204.77.1] X-ClientProxiedBy: CH2PR10CA0018.namprd10.prod.outlook.com (2603:10b6:610:4c::28) To DM5PR12MB1355.namprd12.prod.outlook.com (2603:10b6:3:6e::7) Return-Path: thomas.lendacky@amd.com MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from tlendack-t1.amd.com (165.204.77.1) by CH2PR10CA0018.namprd10.prod.outlook.com (2603:10b6:610:4c::28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3654.12 via Frontend Transport; Tue, 15 Dec 2020 20:51:25 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-HT: Tenant X-MS-Office365-Filtering-Correlation-Id: 6e39ee25-4e5c-4083-daca-08d8a13b3080 X-MS-TrafficTypeDiagnostic: DM6PR12MB4155: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:2803; X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: wFikTEAVXZWcZpQY0a2P6wzTpzyMH6RC6aKwqi4ji7pG8x+TQq/fz3fVyGzzgJRhd/4CiHR8/7h9KAUhY17OVq+ldDz5Txf5jEzT3aNWeKJOMX5gUhiRhPIfHUBrle+NcpddfLq7XIzFxanXvGfUWBp+mS8ickpxtENStTovFuTZa3QPJyyhZQa1k3cmUglwyVKOaZcR8II0AZVwrS3Fbq8WT3uhzP47FguboO4gdgob4Zz24eKCfo1YqQmXpoh2qDkvZk1smu64UV6NKEJgh1ccgmlHQjZf8hlHahbtEGSmYBZuJghoF5aMXuEm8STWXupa5HDl3avsfdsTfRZhB3QclCqJEtUHIW2Vrt0aklVNBsFZV+j3RUZZr169LtpOY75xwK6rso5lH0KX8ty8jxcrXtxdsOvUHfgBnsONTTr03T0gRYHcpdtV1zMBbci41/BwrUs2og3qzOFFmrPP0w== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM5PR12MB1355.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(376002)(366004)(136003)(346002)(66946007)(26005)(4326008)(19627235002)(16526019)(6916009)(8676002)(36756003)(508600001)(52116002)(6666004)(83380400001)(5660300002)(8936002)(966005)(186003)(54906003)(956004)(2616005)(66476007)(2906002)(86362001)(34490700003)(6486002)(66556008)(15650500001)(7696005);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData: =?us-ascii?Q?D5gHVnZhqZEYm+dhWKPDC0iLr06x3JiMsbhyk1XtVDs6JwUD2HsSDIR5XFh8?= =?us-ascii?Q?fo/MH+cYVO+i+PBQDyMDrAVNRfNczGoidsyYGFl1smfebRS1YJjEICjcZr2j?= =?us-ascii?Q?CmK7A/8sgfXBF0KxL87xfvrit2+Av4acXKi4gc/K34NzkxCwkHnE2PAohwnt?= =?us-ascii?Q?8i7EK+E0S77/GhWHQdOfOVvGXAe8e9IBkiyk9z9Rd5vfuFC3XqU+QhkXr+B+?= =?us-ascii?Q?PKuQGnV+CnrAnxgguduMLz2/qgpnc0nbVkPXP9WbNAwtd4JgGJxpnfhNDmB+?= =?us-ascii?Q?L0TAJ1DEcUM1gLlxlz9r4NeIXn5lZ3izBkBqbFd5XdkUJZp5Flo6RI4bqHWi?= =?us-ascii?Q?TJ5oDSbuOnuioum4ZWzQjtm9l91dBIyD212sF5RBY0emNUEgUDdsulgL6vDi?= =?us-ascii?Q?48EkgrZUyQdvQ7D9GlklN59BK7nogUOKRMGdc8eig6XVCmyaDVJli+FYiP6l?= =?us-ascii?Q?1imiXBa3Q4WLjOUEaRUipBY4Im8xDqn4yiCC96MLGW976RfTemp8VQuUhevE?= =?us-ascii?Q?3QMxO2aGidji+VVbF9wDN7++EN/hyjvsUpND9e8xPRENl5++JhjtA3sYAzMO?= =?us-ascii?Q?2C81gUoGKFBgUFZauqLwNMWAlAwLRMN4YYudU/SlO8bIwTdAKkzpS4kuQUFC?= =?us-ascii?Q?6RoFShXEGvSzAxsxO6MiA9QE6kAJ7ufzwSlqUJQVhaq8rcDrsfwYXHPH8iPe?= =?us-ascii?Q?hbXs+OYPrH7LT8sJXB/jE36tEYzkNMbU9hm49M1zaK9dxyGpsVKUlUgF3ZDE?= =?us-ascii?Q?DoknS6FIfOGDCVNNq343/G0CArUnL5fJXCZIe/GNqkimWqJ3N87r9angMeVb?= =?us-ascii?Q?1rEw53sQJP/TkVtJJs1rpKuSf6dhnbiYRXHvhUJJtYZeJat8pzDPkD9ow4dR?= =?us-ascii?Q?OcBImeZfadbjxyk6tcqhZJ4CrUHKrwmC91DiC2JO8fH0SmU6tpyDuCTMx1uJ?= =?us-ascii?Q?FYKxRTbra1BersI+CkJjNr4tMQtM7ShzwZJd07H4yM+FCmOXJzS+ys8agmPW?= =?us-ascii?Q?0pLL?= X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-AuthSource: DM5PR12MB1355.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 15 Dec 2020 20:51:26.0669 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-Network-Message-Id: 6e39ee25-4e5c-4083-daca-08d8a13b3080 X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: ou+1py58B2pIAlsQzKtPJ7HiaGRV4tXy5wj50bURDNZCWq1MxkebFNZWWv2X1BB/1j0NECilwkcKjR0SKD9QDg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR12MB4155 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable From: Tom Lendacky This patch series provides security mitigations for SEV-ES to protect against some attacks identified in the paper titled "Exploiting Interfaces of Secure Encrypted Virtual Machines" at: https://arxiv.org/pdf/2010.07094.pdf The mitigations include: - Validating the encryption bit position provided by the hypervisor. Additionally, once validated use the validated value throughout the code. - Validating that SEV-ES has been advertised to the guest if a #VC has been taken to prevent the hypervisor from pretending that SEV-ES is not enabled. - Validate that MMIO is performed to/from unencrypted memory addresses to prevent the hypervisor try to inject data or expose secrets within the guest. And a change separate from the above paper: - When checking #VC related per-vCPU values, make checks for explicit values vs non-zero values so that a hypervisor can't write random data to the location to alter guest processing behavior. Also, as part of creating these mitigations: - MemEncryptSevLib is updated to now be available during SEC - #VC now supports a single nested invocation BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3108 --- These patches are based on commit: 5c3cdebf95bf ("MdePkg/include: Add DMAR SATC Table Definition") Cc: Ard Biesheuvel Cc: Rebecca Cran Cc: Laszlo Ersek Cc: Julien Grall Cc: Peter Grehan Cc: Jordan Justen Cc: Anthony Perard Cc: Brijesh Singh Tom Lendacky (12): Ovmf/ResetVector: Simplify and consolidate the SEV features checks OvmfPkg/Sec: Move SEV-ES SEC workarea definition to common header file OvmfPkg/ResetVector: Validate the encryption bit position for SEV/SEV-ES OvmfPkg/ResetVector: Perform a simple SEV-ES sanity check OvmfPkg/MemEncryptSevLib: Add an interface to retrieve the encryption mask OvmfPkg/AmdSevDxe: Clear encryption bit on PCIe MMCONFIG range OvmfPkg/VmgExitLib: Check for an explicit DR7 cached value OvmfPkg/MemEncryptSevLib: Make the MemEncryptSevLib available for SEC OvmfPkg/MemEncryptSevLib: Address range encryption state interface OvmfPkg/VmgExitLib: Support nested #VCs OvmfPkg/PlatformPei: Reserve GHCB backup pages if S3 is supported OvfmPkg/VmgExitLib: Validate #VC MMIO is to un-encrypted memory OvmfPkg/OvmfPkg.dec | 2 + OvmfPkg/AmdSev/AmdSevX64.dsc | 6 +- OvmfPkg/Bhyve/BhyveX64.dsc | 4 +- OvmfPkg/OvmfPkgIa32.dsc | 4 +- OvmfPkg/OvmfPkgIa32X64.dsc | 4 +- OvmfPkg/OvmfPkgX64.dsc | 6 +- OvmfPkg/OvmfXen.dsc | 3 +- OvmfPkg/AmdSev/AmdSevX64.fdf | 3 + OvmfPkg/OvmfPkgX64.fdf | 3 + OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 8 +- ...SevLib.inf =3D> DxeBaseMemEncryptSevLib.inf} | 14 +- .../PeiBaseMemEncryptSevLib.inf | 57 ++ .../SecBaseMemEncryptSevLib.inf | 55 + OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf | 44 + OvmfPkg/Library/VmgExitLib/VmgExitLib.inf | 6 +- OvmfPkg/PlatformPei/PlatformPei.inf | 2 + OvmfPkg/Include/Library/MemEncryptSevLib.h | 90 +- .../BaseMemEncryptSevLib/X64/VirtualMemory.h | 35 +- OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.h | 53 + OvmfPkg/AmdSevDxe/AmdSevDxe.c | 20 +- OvmfPkg/Bhyve/PlatformPei/AmdSev.c | 12 +- .../DxeMemEncryptSevLibInternal.c | 145 +++ .../Ia32/MemEncryptSevLib.c | 31 +- .../MemEncryptSevLibInternal.c | 91 +- .../PeiMemEncryptSevLibInternal.c | 159 +++ .../SecMemEncryptSevLibInternal.c | 130 +++ .../X64/MemEncryptSevLib.c | 32 +- .../X64/PeiDxeVirtualMemory.c | 893 ++++++++++++++++ .../X64/SecVirtualMemory.c | 100 ++ .../BaseMemEncryptSevLib/X64/VirtualMemory.c | 954 +++--------------- .../VmgExitLib/PeiDxeVmgExitVcHandler.c | 103 ++ .../Library/VmgExitLib/SecVmgExitVcHandler.c | 109 ++ OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 130 ++- OvmfPkg/PlatformPei/AmdSev.c | 50 +- OvmfPkg/PlatformPei/MemDetect.c | 5 + OvmfPkg/Sec/SecMain.c | 6 +- OvmfPkg/XenPlatformPei/AmdSev.c | 12 +- OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm | 116 +++ OvmfPkg/ResetVector/Ia32/PageTables64.asm | 108 +- OvmfPkg/ResetVector/ResetVector.nasmb | 5 +- 40 files changed, 2590 insertions(+), 1020 deletions(-) rename OvmfPkg/Library/BaseMemEncryptSevLib/{BaseMemEncryptSevLib.inf =3D>= DxeBaseMemEncryptSevLib.inf} (66%) create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptS= evLib.inf create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/SecBaseMemEncryptS= evLib.inf create mode 100644 OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf create mode 100644 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.h create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLi= bInternal.c create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLi= bInternal.c create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLi= bInternal.c create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualM= emory.c create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecVirtualMemo= ry.c create mode 100644 OvmfPkg/Library/VmgExitLib/PeiDxeVmgExitVcHandler.c create mode 100644 OvmfPkg/Library/VmgExitLib/SecVmgExitVcHandler.c create mode 100644 OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm --=20 2.28.0