From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM02-SN1-obe.outbound.protection.outlook.com (NAM02-SN1-obe.outbound.protection.outlook.com [40.107.77.75]) by mx.groups.io with SMTP id smtpd.web11.1065.1610045319618343400 for ; Thu, 07 Jan 2021 10:48:39 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@amdcloud.onmicrosoft.com header.s=selector2-amdcloud-onmicrosoft-com header.b=bGEZmvBy; spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: amd.com, ip: 40.107.77.75, mailfrom: thomas.lendacky@amd.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PBylXu3Rx4eCS/066n/sh09Sd+MrsUrEaxv2uw27guKvCfpHhDKsGTlYvRFma1wxrxoAC7XaxQ6jzSjqdI19GIYG8rAU2QkcjAifVRl9D0GGkPKmvJT8aVxGCj3DfzW5aFNIZ4GDuN5GWIiJpT0obgw+05uY0Tn7Y0r0NzD5TigoJ/whux7rrdD/83pq8RQimPg9wYmAlqtKOLiqGidyPNIZUg699DhdsL6fEGVmvcIthBgyzsu98/dSqWJFpOrxU/b49sq4eu1Otl+MUgSFOapI3AATw4k156hHv89sosC1xEyuSNhdMmIlSf3GNQytlcTp5BBXpkx9ZRss5oqbLw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ZliRRbZrX9+Sctdv01cPQ59Qw2oP7KuygWoWXQRrPXo=; b=PbwcgYkqUY3pCzQVJpn8RdLzh0uQqeBml9fyEDUb+qPpkIFh8OUMNcLW2Lp198hKwXX5o2wAEdTVtvJLVDQ3ogxmKkl8ZtDC00PZ8P6FlbVYQ7HZVB3c/6VxbX21KCcbOmCcjB+5XGiIjsd+osVRgbYa58SxXxjb0sC55A9e5z5ColImjR95wFiyjZ8cM9L4lF1ebg80p/tqG8SckVdrvXy1pfhnvt0Y5UHp/fi0J4A3c5HTv4ArB9mYsMCEku2u1NqQCo13PCIshFxGJ3Tg/DAUP5iqAL08MyQFOLuy+Ph8XS1X5W3Nws14pVdhWdCoLbFXtrmkPzIJTWkg/6NHBw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amdcloud.onmicrosoft.com; s=selector2-amdcloud-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ZliRRbZrX9+Sctdv01cPQ59Qw2oP7KuygWoWXQRrPXo=; b=bGEZmvByAdlW0YmOZqqgenbzX8U1kaHTxwKWMxwb77JM0XsFahyW7odqpMoAhqgBy86m6qsmlq3cXVyjOHYG9G0CsLwiu7Nz3cZLSSjZa2AQVlv1EakfBFtliR6N8Vt68C88GzhH/MHBtTmrQM5QymcFUD2kz5QInOM5Od4uBfs= Authentication-Results: edk2.groups.io; dkim=none (message not signed) header.d=none;edk2.groups.io; dmarc=none action=none header.from=amd.com; Received: from DM5PR12MB1355.namprd12.prod.outlook.com (2603:10b6:3:6e::7) by DM5PR1201MB0121.namprd12.prod.outlook.com (2603:10b6:4:56::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3721.23; Thu, 7 Jan 2021 18:48:36 +0000 Received: from DM5PR12MB1355.namprd12.prod.outlook.com ([fe80::d95e:b9d:1d6a:e845]) by DM5PR12MB1355.namprd12.prod.outlook.com ([fe80::d95e:b9d:1d6a:e845%12]) with mapi id 15.20.3721.024; Thu, 7 Jan 2021 18:48:36 +0000 From: "Lendacky, Thomas" To: devel@edk2.groups.io CC: Brijesh Singh , James Bottomley , Ard Biesheuvel , Rebecca Cran , Laszlo Ersek , Julien Grall , Peter Grehan , Jordan Justen , Anthony Perard Subject: [PATCH v3 00/15] SEV-ES security mitigations Date: Thu, 7 Jan 2021 12:48:10 -0600 Message-ID: X-Mailer: git-send-email 2.30.0 X-Originating-IP: [165.204.77.1] X-ClientProxiedBy: SN6PR16CA0064.namprd16.prod.outlook.com (2603:10b6:805:ca::41) To DM5PR12MB1355.namprd12.prod.outlook.com (2603:10b6:3:6e::7) Return-Path: thomas.lendacky@amd.com MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from tlendack-t1.amd.com (165.204.77.1) by SN6PR16CA0064.namprd16.prod.outlook.com (2603:10b6:805:ca::41) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3742.6 via Frontend Transport; Thu, 7 Jan 2021 18:48:36 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-HT: Tenant X-MS-Office365-Filtering-Correlation-Id: c16341b2-3bde-4d81-9702-08d8b33cd785 X-MS-TrafficTypeDiagnostic: DM5PR1201MB0121: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:3276; X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: DzOnGSXSXCz/L+kNqhvRn4sRRryxZNZ8s3sYLU5eYL4Z6Fptf4ObyEz/G8altgNSV3BL3JmgOdFbP9wbJUQv4cfqcu8o50M+DGdUCUyAGkcE80+07Os0uC7BD1JXhfC0KBkFBcHCXSzc/pGX7ZzcxKMIKY1vqKEPwRz6tW3FcW2gG9XMW4Mcznw4eadtkzy6I7IYu8+XyUZhMVZxQoySb32qjRdyMqR83KzumTEX43VrRHBl6hL7U/LamRgQ1U9R7qCw8qTMUBzQvFrszYox58+CsVNftor7uV0zr/mtFkcaRRDz+uBVqrZSFH29m/yhrUb9Y36F0K1I4KuLfUPTRgIOJQfR9vrviqg6NNOo0IH5g2fa6DyEFiVeK65Kgsm/Y2pH9NPXOvt8w3tpJRXpIwAXQ85IkYQo2iYi3tW9hQZsYWnOjAi66wF+qs9fL2jz1Zckm+xiLJQBgIaNM7tbog== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM5PR12MB1355.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(39860400002)(136003)(366004)(346002)(376002)(396003)(54906003)(36756003)(316002)(52116002)(16526019)(186003)(6666004)(15650500001)(7696005)(4326008)(83380400001)(66556008)(66946007)(6916009)(956004)(2906002)(8936002)(5660300002)(6486002)(66476007)(8676002)(86362001)(478600001)(966005)(2616005)(26005)(19627235002);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData: =?us-ascii?Q?hPd3zV0YJfUqBAec+V7g5RMLDBaIpPmqDEffoSMOE5kVzYfZNN6tk2KSH5uv?= =?us-ascii?Q?aHy1n+WcL/AD9XESFDmJ279ovGlREMr5HMvhYOKVCqoIGirHofMkvn9Fhfsw?= =?us-ascii?Q?GPF8lDeom4btqp0b0PxdyePPWTXMHgzHyY+KOYK3sSJ1tNCkRuOdZ9hAdBUX?= =?us-ascii?Q?zwd6juqDa6mOd7rnYGjxgIOEVMYs4pnOKjBETGOiwo5iSuGLpZMapWHD/ukc?= =?us-ascii?Q?7KVFzhKYpwYZCVFiN/5Fpx0Sgmc+8xmTc5RvZvMA3FZzl2FprlkTZdZ2gMTV?= =?us-ascii?Q?M22yhILLhxxCdkoS803TL+Gtp1OEqb+FHEZtw8cggGyH5XnFYkmaiR0H1SsD?= =?us-ascii?Q?xYrV4PatmiG+W18lerof+BmqLL/QaClSLkDd+gecCAdjkkA8l5cioLYbIzMd?= =?us-ascii?Q?7Enpz49CqXuVCCwD3scYYCaaIGHTRv26rhUqEsWc1vXLWXxtMVL5QK8fceoU?= =?us-ascii?Q?8gbkb0CUtGfGvbS4lcRfj0dyG8WivYfwXrhI3Fa4mQkU1HBHb4FliEZPMQaf?= =?us-ascii?Q?y7N7DxRDd/ELBVbyXPthnIbleCFkc21Ft6O9cKLoe8yXlTW9+5PmJtUR8VEI?= =?us-ascii?Q?qCQBU71kySYceKS3IBd1ukzN1KusDxbMVR/rMJojiohSYV4WM+B5UOjizuzd?= =?us-ascii?Q?YRfmDG7X3fx+kIROLhmGqYkApbUK2vCaDM93bZdcLZq5NyMcA74ZM8V0guhx?= =?us-ascii?Q?tJh8Z0tavL/avTg9sbrHq9NSPNB360nyzj+MPfmzibFWoMupcaxnYNOe9vfa?= =?us-ascii?Q?c0NP5ZZCo88mXbjze6/l4+OxqRHq7zHdqovCHbRPlvsr9fiNOmIRwfzvrc62?= =?us-ascii?Q?l1WC5fOjMlf6XNQUORAwWw3cvrarivhCZFar3/kv9YOncgqBOrX2m7h2YuLF?= =?us-ascii?Q?jlEpH/Lmxn223VuhI9wwKZBv8Qo12uc5O4x1ogtJU2bu+oiWOE8rbT2adOn4?= =?us-ascii?Q?NTJS+bYmofp8giPefbLu13+vff1JIKjA8xauYmk50tLRI5p4h3mRzXPS6to4?= =?us-ascii?Q?i59R?= X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-AuthSource: DM5PR12MB1355.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 07 Jan 2021 18:48:36.7801 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-Network-Message-Id: c16341b2-3bde-4d81-9702-08d8b33cd785 X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: XIrd2wsswjicU6e96yz4vd1aI2KD6Kn2ARJLe/p28C6FAqAG1c7ubwomt8LISeeAgxOmclelYeeARqUcu8BsJw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR1201MB0121 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable From: Tom Lendacky This patch series provides security mitigations for SEV-ES to protect against some attacks identified in the paper titled "Exploiting Interfaces of Secure Encrypted Virtual Machines" at: https://arxiv.org/pdf/2010.07094.pdf The mitigations include: - Validating the encryption bit position provided by the hypervisor. Additionally, once validated use the validated value throughout the code. - Validating that SEV-ES has been advertised to the guest if a #VC has been taken to prevent the hypervisor from pretending that SEV-ES is not enabled. - Validate that MMIO is performed to/from unencrypted memory addresses to prevent the hypervisor try to inject data or expose secrets within the guest. And a change separate from the above paper: - When checking #VC related per-vCPU values, make checks for explicit values vs non-zero values so that a hypervisor can't write random data to the location to alter guest processing behavior. Also, as part of creating these mitigations: - MemEncryptSevLib is updated to now be available during SEC - #VC now supports a single nested invocation BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3108 --- These patches are based on commit: 7785b38ac977 ("ArmPkg: Fix Ecc error 5007 in DefaultExceptionHandlerLib") All modified DSC files successfully built. Changes since v2: - Updated source file order in DSC package changes - Updated two commit subjects Changes since v1: - Added CLI before HLT in the halt loops - Split the encryption mask retrieval interface patch into three patches - Split out some coding style fixes as a pre-patch in order to pass ECC - Implemented an SEC specific version of the MemEncryptSevLocateInitialSmramSaveStateMapPagesCreated() interface. - Clarified/expanded some commit messages and comments Cc: Ard Biesheuvel Cc: Rebecca Cran Cc: Laszlo Ersek Cc: Julien Grall Cc: Peter Grehan Cc: Jordan Justen Cc: Anthony Perard Cc: Brijesh Singh Tom Lendacky (15): Ovmf/ResetVector: Simplify and consolidate the SEV features checks OvmfPkg/Sec: Move SEV-ES SEC workarea definition to common header file OvmfPkg/ResetVector: Validate the encryption bit position for SEV/SEV-ES OvmfPkg/ResetVector: Perform a simple SEV-ES sanity check OvmfPkg/ResetVector: Save the encryption mask at boot time OvmfPkg/MemEncryptSevLib: Add an interface to retrieve the encryption mask OvmfPkg: Obtain SEV encryption mask with the new MemEncryptSevLib API OvmfPkg/AmdSevDxe: Clear encryption bit on PCIe MMCONFIG range OvmfPkg/VmgExitLib: Check for an explicit DR7 cached value OvmfPkg/MemEncryptSevLib: Coding style fixes in prep for SEC library OvmfPkg/MemEncryptSevLib: Make the MemEncryptSevLib available for SEC OvmfPkg/MemEncryptSevLib: Address range encryption state interface OvmfPkg/VmgExitLib: Support nested #VCs OvmfPkg/PlatformPei: Reserve GHCB backup pages if S3 is supported OvfmPkg/VmgExitLib: Validate #VC MMIO is to un-encrypted memory OvmfPkg/OvmfPkg.dec = | 2 + OvmfPkg/AmdSev/AmdSevX64.dsc = | 6 +- OvmfPkg/Bhyve/BhyveX64.dsc = | 4 +- OvmfPkg/OvmfPkgIa32.dsc = | 4 +- OvmfPkg/OvmfPkgIa32X64.dsc = | 4 +- OvmfPkg/OvmfPkgX64.dsc = | 6 +- OvmfPkg/OvmfXen.dsc = | 3 +- OvmfPkg/AmdSev/AmdSevX64.fdf = | 3 + OvmfPkg/OvmfPkgX64.fdf = | 3 + OvmfPkg/AmdSevDxe/AmdSevDxe.inf = | 8 +- OvmfPkg/Library/BaseMemEncryptSevLib/{BaseMemEncryptSevLib.inf =3D> DxeMem= EncryptSevLib.inf} | 16 +- OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf = | 57 ++ OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf = | 51 ++ OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf = | 45 + OvmfPkg/Library/VmgExitLib/VmgExitLib.inf = | 6 +- OvmfPkg/PlatformPei/PlatformPei.inf = | 2 + OvmfPkg/Include/Library/MemEncryptSevLib.h = | 90 +- OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h = | 35 +- OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.h = | 53 ++ OvmfPkg/AmdSevDxe/AmdSevDxe.c = | 20 +- OvmfPkg/Bhyve/PlatformPei/AmdSev.c = | 12 +- OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c = | 145 +++ OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c = | 31 +- OvmfPkg/Library/BaseMemEncryptSevLib/MemEncryptSevLibInternal.c = | 155 ---- OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibInternal.c = | 63 ++ OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c = | 159 ++++ OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c = | 155 ++++ OvmfPkg/Library/BaseMemEncryptSevLib/X64/MemEncryptSevLib.c = | 32 +- OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c = | 893 ++++++++++++++++++ OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecVirtualMemory.c = | 100 ++ OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.c = | 954 +++----------------- OvmfPkg/Library/VmgExitLib/PeiDxeVmgExitVcHandler.c = | 103 +++ OvmfPkg/Library/VmgExitLib/SecVmgExitVcHandler.c = | 109 +++ OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c = | 130 ++- OvmfPkg/PlatformPei/AmdSev.c = | 50 +- OvmfPkg/PlatformPei/MemDetect.c = | 5 + OvmfPkg/Sec/SecMain.c = | 6 +- OvmfPkg/XenPlatformPei/AmdSev.c = | 12 +- OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm = | 118 +++ OvmfPkg/ResetVector/Ia32/PageTables64.asm = | 110 ++- OvmfPkg/ResetVector/ResetVector.nasmb = | 5 +- 41 files changed, 2679 insertions(+), 1086 deletions(-) rename OvmfPkg/Library/BaseMemEncryptSevLib/{BaseMemEncryptSevLib.inf =3D>= DxeMemEncryptSevLib.inf} (63%) create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLi= b.inf create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLi= b.inf create mode 100644 OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf create mode 100644 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.h create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLi= bInternal.c delete mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/MemEncryptSevLibIn= ternal.c create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSe= vLibInternal.c create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLi= bInternal.c create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLi= bInternal.c create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualM= emory.c create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecVirtualMemo= ry.c create mode 100644 OvmfPkg/Library/VmgExitLib/PeiDxeVmgExitVcHandler.c create mode 100644 OvmfPkg/Library/VmgExitLib/SecVmgExitVcHandler.c create mode 100644 OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm --=20 2.30.0