From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM10-BN7-obe.outbound.protection.outlook.com (NAM10-BN7-obe.outbound.protection.outlook.com [40.107.92.71]) by mx.groups.io with SMTP id smtpd.web12.482.1609968139924001873 for ; Wed, 06 Jan 2021 13:22:20 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@amdcloud.onmicrosoft.com header.s=selector2-amdcloud-onmicrosoft-com header.b=ZUdHVJBH; spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: amd.com, ip: 40.107.92.71, mailfrom: thomas.lendacky@amd.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=TvTc2wd4yfW+LQOypCm4EksjY8AtKkRF9d81v+en+w6ZWGQgYG+Upaeo0KzSEgxT2OeSE6gr8JtvUviHEjEvppxkOBI5maMRNkF7thEa/7kY64ABs2a+QuNldBBAAY/7uQPYyGOZc7qBtyWEosNy991exO8C2DTTxYVceOhfqCuXPa6kSsyPUlPM0EJ7Da+K96byb9UN2QmOPdexrP/QOBuXDtcL+8sDRaNW3mfiN58fs9ypJKfaB2ueUM/ROhO+S4p3RjRNO2XKCm6BPUVN1/bnQGMMAERVcaTAvINEegug9gSBG0VwIeSmk2PG+G+KHsdgWvpxnkVnnrXt7sUhfA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3B4nqKvD+z3BZLqFUWMKMML4yZqciGrSaukEOkjovR4=; b=CvBWrSCrwXP9rdYiljTI1kUyS0RkQOfryXqv0Kgdp+W5bvo3XdgF2h0SfAPkg7D9m+4NhB4a6qGLBjY+KdfZURwTvjQnrFWO2CtOLD+re2jjLT1UxWOR2WptjHRcyCrQoAIWWqgZiCKZox+SyXWz5hG9IkcIYLm8d9zrJ+gVzFpe5x+q496ErfThH/sB0ccsWnnn25mR5/riISokAxeqTPOh03ssIqm3P9VTchYLauVGuXJGjWjN/Y80YhzilDRsh2mfjPdJjuoQA5MlJoQqPiql2BtV8RVfvj3D8e0JbpwatmvRhpfpIkc9I6u7rtjSpRvIQAwWB/91/cAgJ1T+3Q== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amdcloud.onmicrosoft.com; s=selector2-amdcloud-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3B4nqKvD+z3BZLqFUWMKMML4yZqciGrSaukEOkjovR4=; b=ZUdHVJBHHBbcIb7XChkEGmkaXQuGIUkvJAmXhqznczqAzkyQ86HRlkQv4dMB9BviUXCXlbuMl2LOw8pnk/kMk+TYZT8E2aLwhXfhhKUSKmQJ4kc2Pjg0T1F7XcLJDQVP2ZaprNSfgPHl9JhL2nx3/Ncbbd20mDfPC+UG6wkZaLw= Authentication-Results: edk2.groups.io; dkim=none (message not signed) header.d=none;edk2.groups.io; dmarc=none action=none header.from=amd.com; Received: from DM5PR12MB1355.namprd12.prod.outlook.com (2603:10b6:3:6e::7) by DM6PR12MB3578.namprd12.prod.outlook.com (2603:10b6:5:3c::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3721.24; Wed, 6 Jan 2021 21:22:16 +0000 Received: from DM5PR12MB1355.namprd12.prod.outlook.com ([fe80::d95e:b9d:1d6a:e845]) by DM5PR12MB1355.namprd12.prod.outlook.com ([fe80::d95e:b9d:1d6a:e845%12]) with mapi id 15.20.3721.024; Wed, 6 Jan 2021 21:22:16 +0000 From: "Lendacky, Thomas" To: devel@edk2.groups.io CC: Brijesh Singh , James Bottomley , Ard Biesheuvel , Rebecca Cran , Laszlo Ersek , Julien Grall , Peter Grehan , Jordan Justen , Anthony Perard Subject: [PATCH v2 00/15] SEV-ES security mitigations Date: Wed, 6 Jan 2021 15:21:26 -0600 Message-ID: X-Mailer: git-send-email 2.30.0 X-Originating-IP: [165.204.77.1] X-ClientProxiedBy: SA0PR11CA0038.namprd11.prod.outlook.com (2603:10b6:806:d0::13) To DM5PR12MB1355.namprd12.prod.outlook.com (2603:10b6:3:6e::7) Return-Path: thomas.lendacky@amd.com MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from tlendack-t1.amd.com (165.204.77.1) by SA0PR11CA0038.namprd11.prod.outlook.com (2603:10b6:806:d0::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3742.6 via Frontend Transport; Wed, 6 Jan 2021 21:22:15 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-HT: Tenant X-MS-Office365-Filtering-Correlation-Id: 146b8f7d-d3a5-4b7c-233c-08d8b2892451 X-MS-TrafficTypeDiagnostic: DM6PR12MB3578: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:3276; X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: 1GKbTxwKORCFtBEqDwLwxJsq7Qaoml+C3rLeCRAV2P9jobSig5i1KTZ2t7rd9uN30mgJWJz3CoPggip55PsU6/ajdO5K8z/7LwHRIQZWsH4XOKAYIpDLZ7dNJppvLfHUDuAux1Affnl/c0Yzq3IsXMJnELapvexzDd/nqX6tkuL9tzqSld93LrIkQDgmnAN8A6OpEJeKXJZRhC0u0F9zoFgDg5RpRcXuO+WJU8zdHoFVYir6u6jnsbE6MNk6ImtHlSyTc/2dZfmSuj0RFHY4vLCe5Qe+o7k/KLmlmmgow198mSTPuzhaa4yd4ZKTi5s1voOReQ7U8/cc+MxdS8T8RusBiLZlKDHmUbojYZqFjNKAlhmvdl9vE862NhBoUrkzPUmqhmuPSLlksNPSyFLsNj5q5QGE3Tp5cbmDsOz548vkW1jISAItbaqm83McIOtc244vSH9N6EPkvDrdoWIZYg== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM5PR12MB1355.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(39860400002)(396003)(366004)(136003)(346002)(376002)(4326008)(36756003)(956004)(16526019)(83380400001)(186003)(66556008)(6486002)(66476007)(2616005)(7696005)(316002)(52116002)(2906002)(26005)(54906003)(66946007)(8676002)(86362001)(966005)(5660300002)(6916009)(8936002)(19627235002)(478600001)(15650500001)(6666004);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData: =?us-ascii?Q?xOxxt5oPQCn5kFfY5C3tsu0gRJKEKNXp5frtioEp08KTVsKaaDNcKV7fwLH0?= =?us-ascii?Q?wTQjRSX7ILhrBqM/IMxGsNnJe9c8gBYa6zlB9jObZBkduAgZOsephHFG34s6?= =?us-ascii?Q?/6SPImMm725aXX/FNuvm1++R+0yPbTrSmowEO+2NxJ91PkZp3iz9bE9o8MXc?= =?us-ascii?Q?V5W1IDBmsHJBGSyVlEBoZWsmF2PwTs0DSIqrNrgkgZSX6kokp/GAVTz3E3NE?= =?us-ascii?Q?ktBT8rLeClEOKhcCzp4MKTCOK75xp+tVCnAzgtNf4QpDGKSJU/0GbkqpChNx?= =?us-ascii?Q?sjqiT/wFhTOINCL+FpY2ALC2Z0uBdhXq4bUyUcJnvx6OeugUU3KU4+jJxvdF?= =?us-ascii?Q?x0ngCCsGlwbG9qQmG2DgOXbGXrb6krkKs/sb9SAoi7DoroX1v9o4LJjGEbNL?= =?us-ascii?Q?hWj2lU1rWcoedfa+E7VE4WqI1ko8Z4lPJ+bZ1MlbnQ4EtRe3KEAKH99HnpYv?= =?us-ascii?Q?OvcjOaS/amOIM4rb4rQ/ogStxnIkWm+OTIhs5lFHS3v+HG1EcZF7T12yjbCh?= =?us-ascii?Q?tQymQBNBsWQOMSXInEI/aBZIcUpczwUjd0GfRXrwy4+Y6SZACHfVMxNyOaWv?= =?us-ascii?Q?DXVCzzgCbkBof6zIgNE2axeDdQcrZzbboSDjDb+Q1kg7KAE0TiDmbe1GCevt?= =?us-ascii?Q?fii00shT0+eOW8U9lQV+enRZ58jj56LoSZzsG+sTzuDOSHkVpa+isVFatrK0?= =?us-ascii?Q?gQLNcGYFWMtKT3NxSvz269L48W1bKU7yPuh+k9UKr9ijZ5rwO8qCy1tPh1w/?= =?us-ascii?Q?w8OMkW2UBgV9MVUs+oXD30KohRJ/61Ljolm5JExIA2+Hxs1Ta1MFx1p5uvxK?= =?us-ascii?Q?X5DjWr+0aQOfumaiO9V1vhQGvi1+KW5ljeRNfOUYP1Iy1Cwkro5Q0b/Oq8RB?= =?us-ascii?Q?QiTUb3Hg1d8miMs+yvDb3vrN1Bl0MSNdId1QI7RjhG627dDg2CXijzX30Wck?= =?us-ascii?Q?YJEKd0nG0pz9rb55hRRlceidTNAUAGPEqjaVzU3J7ZB8GfuwB499CCCG4Jhy?= =?us-ascii?Q?fM3g?= X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-AuthSource: DM5PR12MB1355.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 Jan 2021 21:22:16.0706 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-Network-Message-Id: 146b8f7d-d3a5-4b7c-233c-08d8b2892451 X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: +9MLZsdpIXl7uW+LGnPpI6sB7z9he6EFe6Cg2sw8wzUe65Yhr/hy3nlKQYmFH7XvdIer8V11Ln4vfkIBftpnwQ== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR12MB3578 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable From: Tom Lendacky This patch series provides security mitigations for SEV-ES to protect against some attacks identified in the paper titled "Exploiting Interfaces of Secure Encrypted Virtual Machines" at: https://arxiv.org/pdf/2010.07094.pdf The mitigations include: - Validating the encryption bit position provided by the hypervisor. Additionally, once validated use the validated value throughout the code. - Validating that SEV-ES has been advertised to the guest if a #VC has been taken to prevent the hypervisor from pretending that SEV-ES is not enabled. - Validate that MMIO is performed to/from unencrypted memory addresses to prevent the hypervisor try to inject data or expose secrets within the guest. And a change separate from the above paper: - When checking #VC related per-vCPU values, make checks for explicit values vs non-zero values so that a hypervisor can't write random data to the location to alter guest processing behavior. Also, as part of creating these mitigations: - MemEncryptSevLib is updated to now be available during SEC - #VC now supports a single nested invocation BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3108 --- These patches are based on commit: 7785b38ac977 ("ArmPkg: Fix Ecc error 5007 in DefaultExceptionHandlerLib") All modified DSC files successfully built. Changes since v1: - Added CLI before HLT in the halt loops - Split the encryption mask retrieval interface patch into three patches - Split out some coding style fixes as a pre-patch in order to pass ECC - Implemented an SEC specific version of the MemEncryptSevLocateInitialSmramSaveStateMapPagesCreated() interface. - Clarified/expanded some commit messages and comments Cc: Ard Biesheuvel Cc: Rebecca Cran Cc: Laszlo Ersek Cc: Julien Grall Cc: Peter Grehan Cc: Jordan Justen Cc: Anthony Perard Cc: Brijesh Singh Tom Lendacky (15): Ovmf/ResetVector: Simplify and consolidate the SEV features checks OvmfPkg/Sec: Move SEV-ES SEC workarea definition to common header file OvmfPkg/ResetVector: Validate the encryption bit position for SEV/SEV-ES OvmfPkg/ResetVector: Perform a simple SEV-ES sanity check OvmfPkg/MemEncryptSevLib: Save the encryption mask at boot time OvmfPkg/MemEncryptSevLib: Add an interface to retrieve the encryption mask OvmfPkg/MemEncryptSevLib: Obtain encryption mask using the new interface OvmfPkg/AmdSevDxe: Clear encryption bit on PCIe MMCONFIG range OvmfPkg/VmgExitLib: Check for an explicit DR7 cached value OvmfPkg/MemEncryptSevLib: Coding style fixes in prep for SEC library OvmfPkg/MemEncryptSevLib: Make the MemEncryptSevLib available for SEC OvmfPkg/MemEncryptSevLib: Address range encryption state interface OvmfPkg/VmgExitLib: Support nested #VCs OvmfPkg/PlatformPei: Reserve GHCB backup pages if S3 is supported OvfmPkg/VmgExitLib: Validate #VC MMIO is to un-encrypted memory OvmfPkg/OvmfPkg.dec = | 2 + OvmfPkg/AmdSev/AmdSevX64.dsc = | 6 +- OvmfPkg/Bhyve/BhyveX64.dsc = | 4 +- OvmfPkg/OvmfPkgIa32.dsc = | 4 +- OvmfPkg/OvmfPkgIa32X64.dsc = | 4 +- OvmfPkg/OvmfPkgX64.dsc = | 6 +- OvmfPkg/OvmfXen.dsc = | 3 +- OvmfPkg/AmdSev/AmdSevX64.fdf = | 3 + OvmfPkg/OvmfPkgX64.fdf = | 3 + OvmfPkg/AmdSevDxe/AmdSevDxe.inf = | 8 +- OvmfPkg/Library/BaseMemEncryptSevLib/{BaseMemEncryptSevLib.inf =3D> DxeMem= EncryptSevLib.inf} | 16 +- OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf = | 57 ++ OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf = | 51 ++ OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf = | 45 + OvmfPkg/Library/VmgExitLib/VmgExitLib.inf = | 6 +- OvmfPkg/PlatformPei/PlatformPei.inf = | 2 + OvmfPkg/Include/Library/MemEncryptSevLib.h = | 90 +- OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h = | 35 +- OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.h = | 53 ++ OvmfPkg/AmdSevDxe/AmdSevDxe.c = | 20 +- OvmfPkg/Bhyve/PlatformPei/AmdSev.c = | 12 +- OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c = | 145 +++ OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c = | 31 +- OvmfPkg/Library/BaseMemEncryptSevLib/MemEncryptSevLibInternal.c = | 155 ---- OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibInternal.c = | 63 ++ OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c = | 159 ++++ OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c = | 155 ++++ OvmfPkg/Library/BaseMemEncryptSevLib/X64/MemEncryptSevLib.c = | 32 +- OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c = | 893 ++++++++++++++++++ OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecVirtualMemory.c = | 100 ++ OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c = | 954 +++----------------- OvmfPkg/Library/VmgExitLib/PeiDxeVmgExitVcHandler.c = | 103 +++ OvmfPkg/Library/VmgExitLib/SecVmgExitVcHandler.c = | 109 +++ OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c = | 130 ++- OvmfPkg/PlatformPei/AmdSev.c = | 50 +- OvmfPkg/PlatformPei/MemDetect.c = | 5 + OvmfPkg/Sec/SecMain.c = | 6 +- OvmfPkg/XenPlatformPei/AmdSev.c = | 12 +- OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm = | 118 +++ OvmfPkg/ResetVector/Ia32/PageTables64.asm = | 110 ++- OvmfPkg/ResetVector/ResetVector.nasmb = | 5 +- 41 files changed, 2679 insertions(+), 1086 deletions(-) rename OvmfPkg/Library/BaseMemEncryptSevLib/{BaseMemEncryptSevLib.inf =3D>= DxeMemEncryptSevLib.inf} (63%) create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLi= b.inf create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLi= b.inf create mode 100644 OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf create mode 100644 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.h create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLi= bInternal.c delete mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/MemEncryptSevLibIn= ternal.c create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSe= vLibInternal.c create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLi= bInternal.c create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLi= bInternal.c create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualM= emory.c create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecVirtualMemo= ry.c create mode 100644 OvmfPkg/Library/VmgExitLib/PeiDxeVmgExitVcHandler.c create mode 100644 OvmfPkg/Library/VmgExitLib/SecVmgExitVcHandler.c create mode 100644 OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm --=20 2.30.0