From: "Laszlo Ersek" <lersek@redhat.com>
To: James Bottomley <jejb@linux.ibm.com>, devel@edk2.groups.io
Cc: dovmurik@linux.vnet.ibm.com, Dov.Murik1@il.ibm.com,
ashish.kalra@amd.com, brijesh.singh@amd.com, tobin@ibm.com,
david.kaplan@amd.com, jon.grimm@amd.com, thomas.lendacky@amd.com,
frankeh@us.ibm.com,
"Dr . David Alan Gilbert" <dgilbert@redhat.com>,
Jordan Justen <jordan.l.justen@intel.com>,
Ard Biesheuvel <ard.biesheuvel@arm.com>
Subject: Re: [PATCH v3 0/6] SEV Encrypted Boot for Ovmf
Date: Tue, 1 Dec 2020 09:05:33 +0100 [thread overview]
Message-ID: <e81c9ac1-2f46-2eb5-519a-73d87e129e82@redhat.com> (raw)
In-Reply-To: <20201130202819.3910-1-jejb@linux.ibm.com>
On 11/30/20 21:28, James Bottomley wrote:
> v3:
>
> - More grub and boot stripping (I think I got everything out, but
> there may be something that strayed in the boot panic resolution).
> - grub.sh tidy up with tabs->spaces.
> - Move the reset vector GUIDisation patch to the front so it can be
> applied independently
> - Update the .dsc and .fdf files for variable policy
>
> v2:
>
> - Strip more out of AmdSev image (networking, secure boot, smm)
> - give sev reset block a generic table guid and use it for boot secret area
> - separate secret patches and make grub script more robust
> - Add copyrights and fix formatting issues
>
> v1:
>
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077
>
> This patch series is modelled on the structure of the Bhyve patches
> for Ovmf, since it does somewhat similar things. This patch series
> creates a separate build for an AmdSev OVMF.fd that does nothing
> except combine with grub and boot straight through the internal grub
> to try to mount an encrypted volume.
>
> Concept: SEV Secure Encrypted Images
> ====================================
>
> The SEV patches in Linux and OVMF allow for the booting of SEV VMs in
> an encrypted state, but don't really show how this could be done with
> an encrypted image. Since the key used to decrypt the image must be
> maintained within the SEV encryption envelope, encrypted QCOW is not
> an option because the key would then have to be known to QEMU which is
> outside the encryption envelope. The proposal here is that an
> encrypted image should be a QCOW image consisting of two partitions,
> the normal unencrypted EFI partition (Identifying it as an OVMF
> bootable image) and a luks encrypted root partition. The kernel would
> be inside the encrypted root in the /boot directory. The secret
> injected securely through QEMU is extracted by OVMF and passed to grub
> which uses it to mount the encrypted root and boot the kernel
> normally. The creator of the secret bundle must be satisfied with the
> SEV attestation before the secret is constructed. Unfortunately, the
> SEV attestation can only be on the first QEMU firmware volume and
> nothing else, so this patch series builds grub itself into a firmware
> volume and places it inside OVMF so that the entire boot system can be
> attested. In a normal OVMF KVM system, the variable store is on the
> second flash volume (which is read/write). Unfortunately, this
> mutable configuration provided by the variables is outside the
> attestation envelope and can significantly alter the boot path,
> possibly leading to secret leak, so encrypted image boot should only
> be done with the OVMF.fd that combines both the code and variables.
> the OVMF.fd is constructed so that it becomes impossible to interrupt
> the boot sequence after attestation and the system will either boot
> the image or fail. The boot sequence runs the grub.efi embedded in the
> OVMF firmware volume so the encrypted image owner knows their own
> version of grub is the only one that will boot before injecting the
> secret. Note this boot path actually ignores the unencrypted EFI
> partition. However, as part of this design, the encrypted image may be
> booted by a standard OVMF KVM boot and in that case, the user will
> have to type the encryption password. This standard boot will be
> insecure but it might be used by the constructor of the encrypted
> images on their own private laptop, for instance. The standard boot
> path will use the unencrypted EFI partition.
>
> Patches Required Outside of OVMF
> ================================
>
> There is a patch set to grub which allows it to extract the SEV secret
> area from the configuration table and use the secret as a password to
> do a luks crypto mount of root (this is the sevsecret grub module):
>
> https://lists.gnu.org/archive/html/grub-devel/2020-11/msg00078.html
>
> There is also a patch to qemu which allows it to search through the
> OVMF.fd and find the SEV secret area which is now described inside the
> Reset Vector using the existing SEV_ES reset block. This area is the
> place QEMU will inject the encrypted SEV secret bundle.
>
> Security of the System
> ======================
>
> Since Grub is now part of the attested OVMF.fd bundle, the VM owner
> knows absolutely that it will proceed straight to partition decryption
> inside the attested code and boot the kernel off the encrypted
> partition. Even if a different QCOW image is substituted, the boot
> will fail without revealing the secret because the system is designed
> to fail hard in that case and because the secret is always contained
> within the encrypted envelope it should be impossible for the cloud
> operator to obtain it even if they can pause the boot and examine the
> machine memory.
>
> Putting it All Together
> =======================
>
> This is somewhat hard. You must first understand how to boot a QEMU
> system so as to have the VM pause after firmware loading (-S option)
> and use the qmp port to request an attestation. Only if the
> attestation corresponds to the expected sha256sum of OVMF.fd should
> the secret bundle be constructed and injected using qmp. The tools
> for constructing the secret bundle are in
>
> https://github.com/AMDESE/sev-tool/
>
> James
>
> ---
>
> James Bottomley (6):
> OvmfPkg/ResetVector: convert SEV-ES Reset Block structure to be GUIDed
> OvmfPkg/Amdsev: Base commit to build encrypted boot specific OVMF
> OvmfPkg/AmdSev: add Grub Firmware Volume Package
> OvmfPkg: create a SEV secret area in the AmdSev memfd
> OvmfPkg/AmdSev: assign and protect the Sev Secret area
> OvmfPkg/AmdSev: Expose the Sev Secret area using a configuration table
>
> OvmfPkg/OvmfPkg.dec | 8 +
> OvmfPkg/AmdSev/AmdSevX64.dsc | 844 ++++++++++
> OvmfPkg/AmdSev/AmdSevX64.fdf | 456 +++++
> OvmfPkg/AmdSev/Grub/Grub.inf | 39 +
> OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf | 37 +
> OvmfPkg/AmdSev/SecretPei/SecretPei.inf | 35 +
> .../PlatformBootManagerLibGrub.inf | 71 +
> OvmfPkg/ResetVector/ResetVector.inf | 4 +
> OvmfPkg/Include/Guid/SevLaunchSecret.h | 28 +
> .../PlatformBootManagerLibGrub/BdsPlatform.h | 175 ++
> OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 26 +
> OvmfPkg/AmdSev/SecretPei/SecretPei.c | 25 +
> .../PlatformBootManagerLibGrub/BdsPlatform.c | 1482 +++++++++++++++++
> .../PlatformBootManagerLibGrub/PlatformData.c | 214 +++
> OvmfPkg/AmdSev/Grub/.gitignore | 1 +
> OvmfPkg/AmdSev/Grub/grub.cfg | 46 +
> OvmfPkg/AmdSev/Grub/grub.sh | 93 ++
> OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 70 +-
> OvmfPkg/ResetVector/ResetVector.nasmb | 2 +
> 19 files changed, 3645 insertions(+), 11 deletions(-)
> create mode 100644 OvmfPkg/AmdSev/AmdSevX64.dsc
> create mode 100644 OvmfPkg/AmdSev/AmdSevX64.fdf
> create mode 100644 OvmfPkg/AmdSev/Grub/Grub.inf
> create mode 100644 OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
> create mode 100644 OvmfPkg/AmdSev/SecretPei/SecretPei.inf
> create mode 100644 OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManagerLibGrub.inf
> create mode 100644 OvmfPkg/Include/Guid/SevLaunchSecret.h
> create mode 100644 OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h
> create mode 100644 OvmfPkg/AmdSev/SecretDxe/SecretDxe.c
> create mode 100644 OvmfPkg/AmdSev/SecretPei/SecretPei.c
> create mode 100644 OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
> create mode 100644 OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformData.c
> create mode 100644 OvmfPkg/AmdSev/Grub/.gitignore
> create mode 100644 OvmfPkg/AmdSev/Grub/grub.cfg
> create mode 100644 OvmfPkg/AmdSev/Grub/grub.sh
>
Confirming that I got this; I'll need some time to get to it.
Thanks
Laszlo
next prev parent reply other threads:[~2020-12-01 8:05 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-30 20:28 [PATCH v3 0/6] SEV Encrypted Boot for Ovmf James Bottomley
2020-11-30 20:28 ` [PATCH v3 1/6] OvmfPkg/ResetVector: convert SEV-ES Reset Block structure to be GUIDed James Bottomley
2020-12-03 8:10 ` [edk2-devel] " Laszlo Ersek
2020-11-30 20:28 ` [PATCH v3 2/6] OvmfPkg/Amdsev: Base commit to build encrypted boot specific OVMF James Bottomley
2020-12-03 8:20 ` [edk2-devel] " Laszlo Ersek
2020-11-30 20:28 ` [PATCH v3 3/6] OvmfPkg/AmdSev: add Grub Firmware Volume Package James Bottomley
2020-12-03 8:39 ` [edk2-devel] " Laszlo Ersek
2020-11-30 20:28 ` [PATCH v3 4/6] OvmfPkg: create a SEV secret area in the AmdSev memfd James Bottomley
2020-12-03 8:42 ` [edk2-devel] " Laszlo Ersek
2020-11-30 20:28 ` [PATCH v3 5/6] OvmfPkg/AmdSev: assign and protect the Sev Secret area James Bottomley
2020-12-01 7:54 ` Ard Biesheuvel
2020-12-01 18:36 ` [edk2-devel] " James Bottomley
2020-11-30 20:28 ` [PATCH v3 6/6] OvmfPkg/AmdSev: Expose the Sev Secret area using a configuration table James Bottomley
2020-12-03 8:46 ` [edk2-devel] " Laszlo Ersek
2020-12-09 12:02 ` Yao, Jiewen
2020-12-09 15:46 ` James Bottomley
2020-12-09 15:54 ` James Bottomley
2020-12-09 16:33 ` Yao, Jiewen
2020-12-09 16:38 ` James Bottomley
2020-12-09 16:51 ` Yao, Jiewen
2020-12-09 17:04 ` James Bottomley
2020-12-10 9:12 ` Laszlo Ersek
2020-12-10 9:27 ` Yao, Jiewen
2020-12-01 8:05 ` [PATCH v3 0/6] SEV Encrypted Boot for Ovmf Ard Biesheuvel
2020-12-01 8:13 ` Laszlo Ersek
2020-12-01 15:26 ` James Bottomley
2020-12-01 8:05 ` Laszlo Ersek [this message]
2020-12-03 12:26 ` [edk2-devel] " Laszlo Ersek
2020-12-03 14:27 ` James Bottomley
2020-12-04 0:46 ` Laszlo Ersek
2020-12-04 1:05 ` James Bottomley
2020-12-04 1:55 ` Laszlo Ersek
2020-12-04 2:01 ` Laszlo Ersek
2020-12-14 19:57 ` Laszlo Ersek
2020-12-21 15:00 ` Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e81c9ac1-2f46-2eb5-519a-73d87e129e82@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox