From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1])
 by mx.groups.io with SMTP id smtpd.web09.429.1637235638774591368
 for <devel@edk2.groups.io>;
 Thu, 18 Nov 2021 03:40:38 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@ibm.com header.s=pp1 header.b=H3AFG4X7;
 spf=pass (domain: linux.ibm.com, ip: 148.163.156.1, mailfrom: dovmurik@linux.ibm.com)
Received: from pps.filterd (m0098394.ppops.net [127.0.0.1])
	by mx0a-001b2d01.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 1AIABckk013016;
	Thu, 18 Nov 2021 11:40:36 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=message-id : date :
 subject : to : cc : references : from : in-reply-to : content-type :
 content-transfer-encoding : mime-version; s=pp1;
 bh=EC2fut1rCXWksUHk/3X7tXT7zDUTpdjivLP3ja0T+aM=;
 b=H3AFG4X7hILjKA2TiDqBPlCZHGHe5OOXAJhbuGFmhQDLdRWDmPEsGGl8sUKCSm/bfPr1
 XmBxEAkCs9xAFqqUgIBxfwARgtpXrmblkVYLydTGjg1o9tyND9vPb/Q1lKODGdDod/mS
 7NOj9iHCLuzRSX8oM8E+31Gpcjy9NqdeYUeoRVm52EBxhYlUCEfK/3Xl36J3namTHgLh
 jOPR9NpVeOZwqL0K0pxU0O9HukCC2KAa7AaWVMhuy2fsGZEzQ/ua81VwT3yeXjtXujui
 OY+9AqXjIfL9pDR6NA1pnZHOGuKvrI4S9+vhJ0tPmatmasLWXObsWelUC0NfYLfEUxmk vg== 
Received: from pps.reinject (localhost [127.0.0.1])
	by mx0a-001b2d01.pphosted.com with ESMTP id 3cdmv01nfe-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 18 Nov 2021 11:40:36 +0000
Received: from m0098394.ppops.net (m0098394.ppops.net [127.0.0.1])
	by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 1AIAZum1017086;
	Thu, 18 Nov 2021 11:40:35 GMT
Received: from ppma01wdc.us.ibm.com (fd.55.37a9.ip4.static.sl-reverse.com [169.55.85.253])
	by mx0a-001b2d01.pphosted.com with ESMTP id 3cdmv01net-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 18 Nov 2021 11:40:35 +0000
Received: from pps.filterd (ppma01wdc.us.ibm.com [127.0.0.1])
	by ppma01wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 1AIBcggV028089;
	Thu, 18 Nov 2021 11:40:34 GMT
Received: from b03cxnp07029.gho.boulder.ibm.com (b03cxnp07029.gho.boulder.ibm.com [9.17.130.16])
	by ppma01wdc.us.ibm.com with ESMTP id 3cd7c2yt68-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 18 Nov 2021 11:40:34 +0000
Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233])
	by b03cxnp07029.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 1AIBeXBs52625674
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Thu, 18 Nov 2021 11:40:33 GMT
Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 0CEB013605E;
	Thu, 18 Nov 2021 11:40:33 +0000 (GMT)
Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 2246713604F;
	Thu, 18 Nov 2021 11:40:30 +0000 (GMT)
Received: from [9.160.188.78] (unknown [9.160.188.78])
	by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP;
	Thu, 18 Nov 2021 11:40:29 +0000 (GMT)
Message-ID: <ec090f6c-c215-f10e-6498-a3f658fc59dd@linux.ibm.com>
Date: Thu, 18 Nov 2021 13:40:29 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
 Thunderbird/91.3.1
Subject: Re: [PATCH] OvmfPkg/AmdSev: Erase secret area content on ExitBootServices
To: devel@edk2.groups.io
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>,
        Jordan Justen <jordan.l.justen@intel.com>,
        Gerd Hoffmann
 <kraxel@redhat.com>,
        Brijesh Singh <brijesh.singh@amd.com>,
        Erdem Aktas <erdemaktas@google.com>,
        James Bottomley <jejb@linux.ibm.com>,
        Jiewen Yao <jiewen.yao@intel.com>, Min Xu <min.m.xu@intel.com>,
        Tom Lendacky <thomas.lendacky@amd.com>,
        Tobin Feldman-Fitzthum <tobin@linux.ibm.com>,
        Dov Murik <dovmurik@linux.ibm.com>
References: <20211102082506.366921-1-dovmurik@linux.ibm.com>
From: "Dov Murik" <dovmurik@linux.ibm.com>
In-Reply-To: <20211102082506.366921-1-dovmurik@linux.ibm.com>
X-TM-AS-GCONF: 00
X-Proofpoint-GUID: 9UmQWeXtQYMa1eOlh4ADzfeQs90pBGDF
X-Proofpoint-ORIG-GUID: Ckkb4b7YAQJtNcJji2_NcHuH4Qic6u7c
X-Proofpoint-UnRewURL: 0 URL was un-rewritten
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.205,Aquarius:18.0.790,Hydra:6.0.425,FMLib:17.0.607.475
 definitions=2021-11-18_05,2021-11-17_01,2020-04-07_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501
 spamscore=0 phishscore=0 mlxscore=0 adultscore=0 bulkscore=0
 mlxlogscore=999 clxscore=1015 impostorscore=0 malwarescore=0
 lowpriorityscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx
 scancount=1 engine=8.12.0-2110150000 definitions=main-2111180067
Content-Language: en-US
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit


Please don't merge this.  We're going in a different direction, see
https://edk2.groups.io/g/devel/message/83853 .  Instead of letting the
guest kernel copy the secret content and OVMF will erase the original
(the patch below), we mark the area as "reserved" (in OVMF) and then the
OS doesn't need to copy it around.  This is also similar to the approach
taken in the SNP patches for the SNP-Secrets and SNP-CPUID pages.

Added bonus is that it's less code both in OVMF and in kernel's efi and
efi/libstub.

Thanks,
-Dov



On 02/11/2021 10:25, Dov Murik wrote:
> The confidential computing secrets area is marked as EfiBootServicesData
> region, which means it is released for the OS use when the OS EFI stub
> calls ExitBootServices.  However, its content is not erased, and
> therefore the OS might unintentionally reuse this sensitive memory area
> and expose the injected secrets.
> 
> Erase the content of the secret area on ExitBootServices so that the
> memory released to the OS contains zeros.  If the OS needs to keep the
> secrets for its own use, it must copy the secrets area to another memory
> area before calling ExitBootServices (for example in efi/libstub in
> Linux).
> 
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Cc: Brijesh Singh <brijesh.singh@amd.com>
> Cc: Erdem Aktas <erdemaktas@google.com>
> Cc: James Bottomley <jejb@linux.ibm.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Tom Lendacky <thomas.lendacky@amd.com>
> Cc: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
> Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
> ---
> 
> Code is in: https://github.com/confidential-containers-demo/edk2/tree/erase-secret-area
> 
> ---
>  OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf |  2 +
>  OvmfPkg/AmdSev/SecretDxe/SecretDxe.c   | 47 ++++++++++++++++++--
>  2 files changed, 45 insertions(+), 4 deletions(-)
> 
> diff --git a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
> index 40bda7ff846c..ff831afaeb66 100644
> --- a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
> +++ b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
> @@ -23,6 +23,8 @@ [Packages]
>    MdePkg/MdePkg.dec
> 
>  
> 
>  [LibraryClasses]
> 
> +  BaseMemoryLib
> 
> +  DebugLib
> 
>    UefiBootServicesTableLib
> 
>    UefiDriverEntryPoint
> 
>  
> 
> diff --git a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c
> index 934ad207632b..085759f0e523 100644
> --- a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c
> +++ b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c
> @@ -5,6 +5,8 @@
>    SPDX-License-Identifier: BSD-2-Clause-Patent
> 
>  **/
> 
>  #include <PiDxe.h>
> 
> +#include <Library/BaseMemoryLib.h>
> 
> +#include <Library/DebugLib.h>
> 
>  #include <Library/UefiBootServicesTableLib.h>
> 
>  #include <Guid/ConfidentialComputingSecret.h>
> 
>  
> 
> @@ -13,6 +15,35 @@ STATIC CONFIDENTIAL_COMPUTING_SECRET_LOCATION mSecretDxeTable = {
>    FixedPcdGet32 (PcdSevLaunchSecretSize),
> 
>  };
> 
>  
> 
> +STATIC EFI_EVENT mSecretDxeExitBootEvent;
> 
> +
> 
> +/**
> 
> +  ExitBootServices event notification function for the secret table.
> 
> +
> 
> +  This function erases the content of the secret area so the secrets don't leak
> 
> +  via released BootServices memory.  If the OS wants to keep the secrets for
> 
> +  its own use, it must copy the secrets area to another memory area before
> 
> +  calling ExitBootServices (for example in efi/libstub in Linux).
> 
> +
> 
> +  @param[in] Event         The ExitBoot event that has been signaled.
> 
> +
> 
> +  @param[in] Context       Unused.
> 
> +**/
> 
> +STATIC
> 
> +VOID
> 
> +EFIAPI
> 
> +SecretDxeExitBoot (
> 
> +  IN EFI_EVENT Event,
> 
> +  IN VOID      *Context
> 
> +  )
> 
> +{
> 
> +  ASSERT(mSecretDxeTable.Base != 0);
> 
> +  ASSERT(mSecretDxeTable.Size > 0);
> 
> +
> 
> +  ZeroMem ((VOID *) ((UINTN) mSecretDxeTable.Base), mSecretDxeTable.Size);
> 
> +}
> 
> +
> 
> +
> 
>  EFI_STATUS
> 
>  EFIAPI
> 
>  InitializeSecretDxe(
> 
> @@ -20,8 +51,16 @@ InitializeSecretDxe(
>    IN EFI_SYSTEM_TABLE     *SystemTable
> 
>    )
> 
>  {
> 
> -  return gBS->InstallConfigurationTable (
> 
> -                &gConfidentialComputingSecretGuid,
> 
> -                &mSecretDxeTable
> 
> -                );
> 
> +  EFI_STATUS Status;
> 
> +
> 
> +  Status = gBS->InstallConfigurationTable (
> 
> +                  &gConfidentialComputingSecretGuid,
> 
> +                  &mSecretDxeTable
> 
> +                  );
> 
> +  if (EFI_ERROR (Status)) {
> 
> +    return Status;
> 
> +  }
> 
> +
> 
> +  return gBS->CreateEvent (EVT_SIGNAL_EXIT_BOOT_SERVICES, TPL_CALLBACK,
> 
> +                SecretDxeExitBoot, NULL, &mSecretDxeExitBootEvent);
> 
>  }
>