From: "Lendacky, Thomas"
To: Dov Murik, devel@edk2.groups.io
Cc: Tobin Feldman-Fitzthum, Tobin Feldman-Fitzthum, Jim Cadden, James Bottomley, Hubertus Franke, Ard Biesheuvel, Jordan Justen, Ashish Kalra, Brijesh Singh, Erdem Aktas, Jiewen Yao, Min Xu, Leif Lindholm, Sami Mujawar
Subject: Re: [PATCH v3 00/11] Measured SEV boot with kernel/initrd/cmdline
Date: Tue, 20 Jul 2021 12:22:19 -0500
In-Reply-To: <20210720080401.3662854-1-dovmurik@linux.ibm.com>

On 7/20/21 3:03 AM, Dov Murik wrote:
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3457

I believe the convention is that this line be in the individual patch
commit messages just like this (i.e. with the BZ: tag and the first line),
not as a Ref: tag at the end of the commit message. I'll let Ard decide on
that, though.

Thanks,
Tom

>
> Booting with SEV prevented the loading of kernel, initrd, and kernel
> command-line via QEMU fw_cfg interface because they arrive from the VMM
> which is untrusted in SEV.
>
> However, in some cases the kernel, initrd, and cmdline are not secret
> but should not be modified by the host. In such a case, we want to
> verify inside the trusted VM that the kernel, initrd, and cmdline are
> indeed the ones expected by the Guest Owner, and only if that is the
> case go on and boot them up (removing the need for grub inside OVMF in
> that mode).
>
> This patch series reserves an area in MEMFD (previously the last 1KB of
> the launch secret page) which will contain the hashes of these three
> blobs (kernel, initrd, cmdline), each under its own GUID entry.
> This table of hashes is populated by QEMU before launch, and encrypted as
> part of the initial VM memory; this makes sure these hashes are part of
> the SEV measurement (which has to be approved by the Guest Owner for
> secret injection, for example). Note that populating the hashes table
> requires QEMU support [1].
>
> OVMF parses the table of hashes populated by QEMU (patch 10), and as it
> reads the fw_cfg blobs from QEMU, it will verify each one against the
> expected hash. This is all done inside the trusted VM context. If all
> the hashes are correct, boot of the kernel is allowed to continue.
>
> Any attempt by QEMU to modify the kernel, initrd, cmdline (including
> dropping one of them), or to modify the OVMF code that verifies those
> hashes, will cause the initial SEV measurement to change and therefore
> will be detectable by the Guest Owner during launch before secret
> injection.
>
> Relevant part of OVMF serial log during boot with AmdSevX86 build and
> QEMU with -kernel/-initrd/-append:
>
>   ...
>   BlobVerifierLibSevHashesConstructor: Found injected hashes table in secure location
>   Select Item: 0x17
>   Select Item: 0x8
>   FetchBlob: loading 7379328 bytes for "kernel"
>   Select Item: 0x18
>   Select Item: 0x11
>   VerifyBlob: Found GUID 4DE79437-ABD2-427F-B835-D5B172D2045B in table
>   VerifyBlob: Hash comparison succeeded for "kernel"
>   Select Item: 0xB
>   FetchBlob: loading 12483878 bytes for "initrd"
>   Select Item: 0x12
>   VerifyBlob: Found GUID 44BAF731-3A2F-4BD7-9AF1-41E29169781D in table
>   VerifyBlob: Hash comparison succeeded for "initrd"
>   Select Item: 0x14
>   FetchBlob: loading 86 bytes for "cmdline"
>   Select Item: 0x15
>   VerifyBlob: Found GUID 97D02DD8-BD20-4C94-AA78-E7714D36AB2A in table
>   VerifyBlob: Hash comparison succeeded for "cmdline"
>   ...
>
> The patch series is organized as follows:
>
> 1:     Simple comment fix in adjacent area in the code.
> 2:     Use GenericQemuLoadImageLib to gain one location for fw_cfg blob
>        fetching.
> 3:     Allow the (previously blocked) usage of -kernel in AmdSevX64.
> 4-7:   Add BlobVerifierLib with null implementation and use it in the correct
>        location in QemuKernelLoaderFsDxe.
> 8-9:   Reserve memory for hashes table, declare this area in the reset vector.
> 10-11: Add the secure implementation BlobVerifierLibSevHashes and use it in
>        AmdSevX64 builds.
>
> [1] https://lore.kernel.org/qemu-devel/20210624102040.2015280-1-dovmurik@linux.ibm.com/
>
> Code is at
> https://github.com/confidential-containers-demo/edk2/tree/sev-hashes-v3
>
> v3 changes:
>  - Rename to BlobVerifierLibNull, use decimal INF_VERSION, remove unused
>    DebugLib reference, fix doxygen comments, add missing IN attribute
>  - Rename to BlobVerifierLibSevHashes, use decimal INF_VERSION, fix
>    doxygen comments, add missing IN attribute,
>    calculate buffer hash only when the guid is found in hashes table
>  - SecretPei: use ALIGN_VALUE to round the hob size
>  - Coding style fixes
>  - Add missing 'Ref:' in patch 1 commit message
>  - Fix phrasing and typos in commit messages
>  - Remove Cc: Laszlo from series
>
> v2: https://edk2.groups.io/g/devel/message/77505
> v2 changes:
>  - Use the last 1KB of the existing SEV launch secret page for hashes table
>    (instead of reserving a whole new MEMFD page).
>  - Build on top of commit cf203024745f ("OvmfPkg/GenericQemuLoadImageLib: Read
>    cmdline from QemuKernelLoaderFs", 2021-06-28) to have a single location in
>    which all of kernel/initrd/cmdline are fetched from QEMU.
>  - Use static linking of the two BlobVerifierLib implementations.
>  - Reorganize series.
>
> v1: https://edk2.groups.io/g/devel/message/75567
>
> Cc: Ard Biesheuvel
> Cc: Jordan Justen
> Cc: Ashish Kalra
> Cc: Brijesh Singh
> Cc: Erdem Aktas
> Cc: James Bottomley
> Cc: Jiewen Yao
> Cc: Min Xu
> Cc: Tom Lendacky
> Cc: Leif Lindholm
> Cc: Sami Mujawar
>
> Dov Murik (8):
>   OvmfPkg/AmdSev: use GenericQemuLoadImageLib in AmdSev builds
>   OvmfPkg: add library class BlobVerifierLib with null implementation
>   OvmfPkg: add BlobVerifierLibNull to DSC
>   ArmVirtPkg: add BlobVerifierLibNull to DSC
>   OvmfPkg/QemuKernelLoaderFsDxe: call VerifyBlob after fetch from fw_cfg
>   OvmfPkg/AmdSev/SecretPei: build hob for full page
>   OvmfPkg: add BlobVerifierLibSevHashes
>   OvmfPkg/AmdSev: Enforce hash verification of kernel blobs
>
> James Bottomley (3):
>   OvmfPkg/AmdSev/SecretDxe: fix header comment to generic naming
>   OvmfPkg: PlatformBootManagerLibGrub: Allow executing kernel via fw_cfg
>   OvmfPkg/AmdSev: reserve MEMFD space for for firmware config hashes
>
>  OvmfPkg/OvmfPkg.dec | 9 +
>  ArmVirtPkg/ArmVirtQemu.dsc | 5 +-
>  ArmVirtPkg/ArmVirtQemuKernel.dsc | 5 +-
>  OvmfPkg/AmdSev/AmdSevX64.dsc | 9 +-
>  OvmfPkg/OvmfPkgIa32.dsc | 5 +-
>  OvmfPkg/OvmfPkgIa32X64.dsc | 5 +-
>  OvmfPkg/OvmfPkgX64.dsc | 5 +-
>  OvmfPkg/AmdSev/AmdSevX64.fdf | 5 +-
>  OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf | 24 +++
>  OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes.inf | 37 ++++
>  OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManagerLibGrub.inf | 2 +
>  OvmfPkg/ResetVector/ResetVector.inf | 2 +
>  OvmfPkg/Include/Library/BlobVerifierLib.h | 38 ++++
>  OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h | 11 ++
>  OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 2 +-
>  OvmfPkg/AmdSev/SecretPei/SecretPei.c | 3 +-
>  OvmfPkg/Library/BlobVerifierLib/BlobVerifierNull.c | 33 ++++
>  OvmfPkg/Library/BlobVerifierLib/BlobVerifierSevHashes.c | 200 ++++++++++++++++++++
>  OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c | 5 +
>  OvmfPkg/Library/{PlatformBootManagerLib => PlatformBootManagerLibGrub}/QemuKernel.c | 0
>  OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 9 +
>  OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 20 ++
>  OvmfPkg/ResetVector/ResetVector.nasmb | 2 +
>  23 files changed, 426 insertions(+), 10 deletions(-)
>  create mode 100644 OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf
>  create mode 100644 OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes.inf
>  create mode 100644 OvmfPkg/Include/Library/BlobVerifierLib.h
>  create mode 100644 OvmfPkg/Library/BlobVerifierLib/BlobVerifierNull.c
>  create mode 100644 OvmfPkg/Library/BlobVerifierLib/BlobVerifierSevHashes.c
>  copy OvmfPkg/Library/{PlatformBootManagerLib => PlatformBootManagerLibGrub}/QemuKernel.c (100%)
>
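
The verification flow described in the quoted cover letter, as an added Python sketch that is not part of the original message or of the OVMF patches. The three GUIDs are the ones in the serial log above; the entry layout (16-byte GUID, 16-bit little-endian entry length, digest), the use of SHA-256, and all function names are assumptions for illustration, since the message does not give the table format.

```python
import hashlib
import hmac
import struct
import uuid

# Per-blob GUIDs exactly as printed in the OVMF serial log quoted above.
BLOB_GUIDS = {
    "kernel": uuid.UUID("4DE79437-ABD2-427F-B835-D5B172D2045B"),
    "initrd": uuid.UUID("44BAF731-3A2F-4BD7-9AF1-41E29169781D"),
    "cmdline": uuid.UUID("97D02DD8-BD20-4C94-AA78-E7714D36AB2A"),
}
# Assumed entry layout (not given in the message): GUID, u16 entry length, digest.
ENTRY_HDR = struct.Struct("<16sH")
# Constructed sample blobs standing in for the fw_cfg payloads.
SAMPLE_BLOBS = {
    "kernel": b"constructed kernel image",
    "initrd": b"constructed initrd image",
    "cmdline": b"console=ttyS0 root=/dev/vda1",
}


def build_table(blobs):
    """Host side (QEMU's role): one GUID-tagged SHA-256 entry per blob."""
    table = b""
    for name, data in blobs.items():
        digest = hashlib.sha256(data).digest()
        length = ENTRY_HDR.size + len(digest)
        table += ENTRY_HDR.pack(BLOB_GUIDS[name].bytes_le, length) + digest
    return table


def parse_table(table):
    """Guest side: walk the entries, rejecting truncated or undersized ones."""
    entries, off = {}, 0
    while off < len(table):
        if off + ENTRY_HDR.size > len(table):
            raise ValueError("truncated entry header")
        guid, length = ENTRY_HDR.unpack_from(table, off)
        if length <= ENTRY_HDR.size or off + length > len(table):
            raise ValueError("bad entry length")
        entries[guid] = table[off + ENTRY_HDR.size:off + length]
        off += length
    return entries


def verify_blob(table, name, data):
    """Fail closed: a blob whose GUID has no entry is rejected, not skipped."""
    expected = parse_table(table).get(BLOB_GUIDS[name].bytes_le)
    if expected is None:
        return False
    return hmac.compare_digest(expected, hashlib.sha256(data).digest())
```

The in-guest check only has meaning because the table itself is covered by the SEV launch measurement; a host that rewrites both a blob and its table entry passes `verify_blob` but changes the measurement the Guest Owner approves.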