From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [63.128.21.124]) by mx.groups.io with SMTP id smtpd.web08.6814.1606809947683027718 for ; Tue, 01 Dec 2020 00:05:47 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=BpiOBZ0E; spf=pass (domain: redhat.com, ip: 63.128.21.124, mailfrom: lersek@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1606809946; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=zOxyeh8RrhxXlsRa8e8yRluler49QbhDUzCEgl0Py4Q=; b=BpiOBZ0EZMO1D28RPDwJYH2+vREUqnrozPmLpX3b2LJP1kkg+K7kMMOSxbIRVtP3F3ioKW 2gU7Wat50yilHmWGeaRoJwo/vjQvDsAeiizjpjknZ2Jf49s88Fhu0NbnrnXiZqBeaBFIAP YdgTNOqR9XQ8aLXXzAHmuyoA6XDrHvA= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-334-lniPONg5Om-KOJqYRq9zbA-1; Tue, 01 Dec 2020 03:05:39 -0500 X-MC-Unique: lniPONg5Om-KOJqYRq9zbA-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id A9411107ACF6; Tue, 1 Dec 2020 08:05:37 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-112-80.ams2.redhat.com [10.36.112.80]) by smtp.corp.redhat.com (Postfix) with ESMTP id 6C9BD60BE5; Tue, 1 Dec 2020 08:05:34 +0000 (UTC) Subject: Re: [PATCH v3 0/6] SEV Encrypted Boot for Ovmf To: James Bottomley , devel@edk2.groups.io Cc: dovmurik@linux.vnet.ibm.com, Dov.Murik1@il.ibm.com, ashish.kalra@amd.com, brijesh.singh@amd.com, tobin@ibm.com, david.kaplan@amd.com, jon.grimm@amd.com, thomas.lendacky@amd.com, frankeh@us.ibm.com, "Dr . David Alan Gilbert" , Jordan Justen , Ard Biesheuvel References: <20201130202819.3910-1-jejb@linux.ibm.com> From: "Laszlo Ersek" Message-ID: Date: Tue, 1 Dec 2020 09:05:33 +0100 MIME-Version: 1.0 In-Reply-To: <20201130202819.3910-1-jejb@linux.ibm.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=lersek@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit On 11/30/20 21:28, James Bottomley wrote: > v3: > > - More grub and boot stripping (I think I got everything out, but > there may be something that strayed in the boot panic resolution). > - grub.sh tidy up with tabs->spaces. > - Move the reset vector GUIDisation patch to the front so it can be > applied independently > - Update the .dsc and .fdf files for variable policy > > v2: > > - Strip more out of AmdSev image (networking, secure boot, smm) > - give sev reset block a generic table guid and use it for boot secret area > - separate secret patches and make grub script more robust > - Add copyrights and fix formatting issues > > v1: > > Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077 > > This patch series is modelled on the structure of the Bhyve patches > for Ovmf, since it does somewhat similar things. This patch series > creates a separate build for an AmdSev OVMF.fd that does nothing > except combine with grub and boot straight through the internal grub > to try to mount an encrypted volume. > > Concept: SEV Secure Encrypted Images > ==================================== > > The SEV patches in Linux and OVMF allow for the booting of SEV VMs in > an encrypted state, but don't really show how this could be done with > an encrypted image. Since the key used to decrypt the image must be > maintained within the SEV encryption envelope, encrypted QCOW is not > an option because the key would then have to be known to QEMU which is > outside the encryption envelope. The proposal here is that an > encrypted image should be a QCOW image consisting of two partitions, > the normal unencrypted EFI partition (Identifying it as an OVMF > bootable image) and a luks encrypted root partition. The kernel would > be inside the encrypted root in the /boot directory. The secret > injected securely through QEMU is extracted by OVMF and passed to grub > which uses it to mount the encrypted root and boot the kernel > normally. The creator of the secret bundle must be satisfied with the > SEV attestation before the secret is constructed. Unfortunately, the > SEV attestation can only be on the first QEMU firmware volume and > nothing else, so this patch series builds grub itself into a firmware > volume and places it inside OVMF so that the entire boot system can be > attested. In a normal OVMF KVM system, the variable store is on the > second flash volume (which is read/write). Unfortunately, this > mutable configuration provided by the variables is outside the > attestation envelope and can significantly alter the boot path, > possibly leading to secret leak, so encrypted image boot should only > be done with the OVMF.fd that combines both the code and variables. > the OVMF.fd is constructed so that it becomes impossible to interrupt > the boot sequence after attestation and the system will either boot > the image or fail. The boot sequence runs the grub.efi embedded in the > OVMF firmware volume so the encrypted image owner knows their own > version of grub is the only one that will boot before injecting the > secret. Note this boot path actually ignores the unencrypted EFI > partition. However, as part of this design, the encrypted image may be > booted by a standard OVMF KVM boot and in that case, the user will > have to type the encryption password. This standard boot will be > insecure but it might be used by the constructor of the encrypted > images on their own private laptop, for instance. The standard boot > path will use the unencrypted EFI partition. > > Patches Required Outside of OVMF > ================================ > > There is a patch set to grub which allows it to extract the SEV secret > area from the configuration table and use the secret as a password to > do a luks crypto mount of root (this is the sevsecret grub module): > > https://lists.gnu.org/archive/html/grub-devel/2020-11/msg00078.html > > There is also a patch to qemu which allows it to search through the > OVMF.fd and find the SEV secret area which is now described inside the > Reset Vector using the existing SEV_ES reset block. This area is the > place QEMU will inject the encrypted SEV secret bundle. > > Security of the System > ====================== > > Since Grub is now part of the attested OVMF.fd bundle, the VM owner > knows absolutely that it will proceed straight to partition decryption > inside the attested code and boot the kernel off the encrypted > partition. Even if a different QCOW image is substituted, the boot > will fail without revealing the secret because the system is designed > to fail hard in that case and because the secret is always contained > within the encrypted envelope it should be impossible for the cloud > operator to obtain it even if they can pause the boot and examine the > machine memory. > > Putting it All Together > ======================= > > This is somewhat hard. You must first understand how to boot a QEMU > system so as to have the VM pause after firmware loading (-S option) > and use the qmp port to request an attestation. Only if the > attestation corresponds to the expected sha256sum of OVMF.fd should > the secret bundle be constructed and injected using qmp. The tools > for constructing the secret bundle are in > > https://github.com/AMDESE/sev-tool/ > > James > > --- > > James Bottomley (6): > OvmfPkg/ResetVector: convert SEV-ES Reset Block structure to be GUIDed > OvmfPkg/Amdsev: Base commit to build encrypted boot specific OVMF > OvmfPkg/AmdSev: add Grub Firmware Volume Package > OvmfPkg: create a SEV secret area in the AmdSev memfd > OvmfPkg/AmdSev: assign and protect the Sev Secret area > OvmfPkg/AmdSev: Expose the Sev Secret area using a configuration table > > OvmfPkg/OvmfPkg.dec | 8 + > OvmfPkg/AmdSev/AmdSevX64.dsc | 844 ++++++++++ > OvmfPkg/AmdSev/AmdSevX64.fdf | 456 +++++ > OvmfPkg/AmdSev/Grub/Grub.inf | 39 + > OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf | 37 + > OvmfPkg/AmdSev/SecretPei/SecretPei.inf | 35 + > .../PlatformBootManagerLibGrub.inf | 71 + > OvmfPkg/ResetVector/ResetVector.inf | 4 + > OvmfPkg/Include/Guid/SevLaunchSecret.h | 28 + > .../PlatformBootManagerLibGrub/BdsPlatform.h | 175 ++ > OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 26 + > OvmfPkg/AmdSev/SecretPei/SecretPei.c | 25 + > .../PlatformBootManagerLibGrub/BdsPlatform.c | 1482 +++++++++++++++++ > .../PlatformBootManagerLibGrub/PlatformData.c | 214 +++ > OvmfPkg/AmdSev/Grub/.gitignore | 1 + > OvmfPkg/AmdSev/Grub/grub.cfg | 46 + > OvmfPkg/AmdSev/Grub/grub.sh | 93 ++ > OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 70 +- > OvmfPkg/ResetVector/ResetVector.nasmb | 2 + > 19 files changed, 3645 insertions(+), 11 deletions(-) > create mode 100644 OvmfPkg/AmdSev/AmdSevX64.dsc > create mode 100644 OvmfPkg/AmdSev/AmdSevX64.fdf > create mode 100644 OvmfPkg/AmdSev/Grub/Grub.inf > create mode 100644 OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf > create mode 100644 OvmfPkg/AmdSev/SecretPei/SecretPei.inf > create mode 100644 OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManagerLibGrub.inf > create mode 100644 OvmfPkg/Include/Guid/SevLaunchSecret.h > create mode 100644 OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h > create mode 100644 OvmfPkg/AmdSev/SecretDxe/SecretDxe.c > create mode 100644 OvmfPkg/AmdSev/SecretPei/SecretPei.c > create mode 100644 OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c > create mode 100644 OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformData.c > create mode 100644 OvmfPkg/AmdSev/Grub/.gitignore > create mode 100644 OvmfPkg/AmdSev/Grub/grub.cfg > create mode 100644 OvmfPkg/AmdSev/Grub/grub.sh > Confirming that I got this; I'll need some time to get to it. Thanks Laszlo