From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [63.128.21.124]) by mx.groups.io with SMTP id smtpd.web09.8810.1608215028300520547 for ; Thu, 17 Dec 2020 06:23:48 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=g9PGzFIU; spf=pass (domain: redhat.com, ip: 63.128.21.124, mailfrom: lersek@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1608215027; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=AkJL4x/UFSz1DDHQw7MOJfu8o6bLMAtFoUAOIVh+WJI=; b=g9PGzFIU6YHdYP1kVB317CQMWzn3/MavXdAUormUCXbVQBKW00LbvLe0arKbUl6EzFlykE EaXaW0uCIEyt9q/JwMEyXCLI1z7J+oGHesrwPQcUVkvZKXV8PY2dnVVyBAN6oUPkWRlhVS GIf1sD43yJtxoC39muiEG7R7YhgcWMA= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-422-E_eU3ejTPg61mq9E6PjCHQ-1; Thu, 17 Dec 2020 09:23:43 -0500 X-MC-Unique: E_eU3ejTPg61mq9E6PjCHQ-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 3CCD8800D62; Thu, 17 Dec 2020 14:23:41 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-115-40.ams2.redhat.com [10.36.115.40]) by smtp.corp.redhat.com (Postfix) with ESMTP id C45AC18993; Thu, 17 Dec 2020 14:23:38 +0000 (UTC) Subject: Re: [PATCH 00/12] SEV-ES security mitigations To: Tom Lendacky , devel@edk2.groups.io Cc: Brijesh Singh , James Bottomley , Ard Biesheuvel , Rebecca Cran , Julien Grall , Peter Grehan , Jordan Justen , Anthony Perard References: From: "Laszlo Ersek" Message-ID: Date: Thu, 17 Dec 2020 15:23:37 +0100 MIME-Version: 1.0 In-Reply-To: X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=lersek@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Hi Tom, On 12/15/20 21:50, Tom Lendacky wrote: > From: Tom Lendacky > > This patch series provides security mitigations for SEV-ES to protect > against some attacks identified in the paper titled "Exploiting Interfaces > of Secure Encrypted Virtual Machines" at: > https://arxiv.org/pdf/2010.07094.pdf > > The mitigations include: > > - Validating the encryption bit position provided by the hypervisor. > Additionally, once validated use the validated value throughout the > code. > > - Validating that SEV-ES has been advertised to the guest if a #VC has > been taken to prevent the hypervisor from pretending that SEV-ES is > not enabled. > > - Validate that MMIO is performed to/from unencrypted memory addresses > to prevent the hypervisor try to inject data or expose secrets within > the guest. > > And a change separate from the above paper: > > - When checking #VC related per-vCPU values, make checks for explicit > values vs non-zero values so that a hypervisor can't write random data > to the location to alter guest processing behavior. > > Also, as part of creating these mitigations: > - MemEncryptSevLib is updated to now be available during SEC > - #VC now supports a single nested invocation > > BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108 > > --- > > These patches are based on commit: > 5c3cdebf95bf ("MdePkg/include: Add DMAR SATC Table Definition") I plan to review this series next year (and then after the VCPU hot-unplug stuff that's already been in my review queue for a bit...) Thanks, Laszlo > > Cc: Ard Biesheuvel > Cc: Rebecca Cran > Cc: Laszlo Ersek > Cc: Julien Grall > Cc: Peter Grehan > Cc: Jordan Justen > Cc: Anthony Perard > Cc: Brijesh Singh > > Tom Lendacky (12): > Ovmf/ResetVector: Simplify and consolidate the SEV features checks > OvmfPkg/Sec: Move SEV-ES SEC workarea definition to common header file > OvmfPkg/ResetVector: Validate the encryption bit position for > SEV/SEV-ES > OvmfPkg/ResetVector: Perform a simple SEV-ES sanity check > OvmfPkg/MemEncryptSevLib: Add an interface to retrieve the encryption > mask > OvmfPkg/AmdSevDxe: Clear encryption bit on PCIe MMCONFIG range > OvmfPkg/VmgExitLib: Check for an explicit DR7 cached value > OvmfPkg/MemEncryptSevLib: Make the MemEncryptSevLib available for SEC > OvmfPkg/MemEncryptSevLib: Address range encryption state interface > OvmfPkg/VmgExitLib: Support nested #VCs > OvmfPkg/PlatformPei: Reserve GHCB backup pages if S3 is supported > OvfmPkg/VmgExitLib: Validate #VC MMIO is to un-encrypted memory > > OvmfPkg/OvmfPkg.dec | 2 + > OvmfPkg/AmdSev/AmdSevX64.dsc | 6 +- > OvmfPkg/Bhyve/BhyveX64.dsc | 4 +- > OvmfPkg/OvmfPkgIa32.dsc | 4 +- > OvmfPkg/OvmfPkgIa32X64.dsc | 4 +- > OvmfPkg/OvmfPkgX64.dsc | 6 +- > OvmfPkg/OvmfXen.dsc | 3 +- > OvmfPkg/AmdSev/AmdSevX64.fdf | 3 + > OvmfPkg/OvmfPkgX64.fdf | 3 + > OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 8 +- > ...SevLib.inf => DxeBaseMemEncryptSevLib.inf} | 14 +- > .../PeiBaseMemEncryptSevLib.inf | 57 ++ > .../SecBaseMemEncryptSevLib.inf | 55 + > OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf | 44 + > OvmfPkg/Library/VmgExitLib/VmgExitLib.inf | 6 +- > OvmfPkg/PlatformPei/PlatformPei.inf | 2 + > OvmfPkg/Include/Library/MemEncryptSevLib.h | 90 +- > .../BaseMemEncryptSevLib/X64/VirtualMemory.h | 35 +- > OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.h | 53 + > OvmfPkg/AmdSevDxe/AmdSevDxe.c | 20 +- > OvmfPkg/Bhyve/PlatformPei/AmdSev.c | 12 +- > .../DxeMemEncryptSevLibInternal.c | 145 +++ > .../Ia32/MemEncryptSevLib.c | 31 +- > .../MemEncryptSevLibInternal.c | 91 +- > .../PeiMemEncryptSevLibInternal.c | 159 +++ > .../SecMemEncryptSevLibInternal.c | 130 +++ > .../X64/MemEncryptSevLib.c | 32 +- > .../X64/PeiDxeVirtualMemory.c | 893 ++++++++++++++++ > .../X64/SecVirtualMemory.c | 100 ++ > .../BaseMemEncryptSevLib/X64/VirtualMemory.c | 954 +++--------------- > .../VmgExitLib/PeiDxeVmgExitVcHandler.c | 103 ++ > .../Library/VmgExitLib/SecVmgExitVcHandler.c | 109 ++ > OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 130 ++- > OvmfPkg/PlatformPei/AmdSev.c | 50 +- > OvmfPkg/PlatformPei/MemDetect.c | 5 + > OvmfPkg/Sec/SecMain.c | 6 +- > OvmfPkg/XenPlatformPei/AmdSev.c | 12 +- > OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm | 116 +++ > OvmfPkg/ResetVector/Ia32/PageTables64.asm | 108 +- > OvmfPkg/ResetVector/ResetVector.nasmb | 5 +- > 40 files changed, 2590 insertions(+), 1020 deletions(-) > rename OvmfPkg/Library/BaseMemEncryptSevLib/{BaseMemEncryptSevLib.inf => DxeBaseMemEncryptSevLib.inf} (66%) > create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/PeiBaseMemEncryptSevLib.inf > create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/SecBaseMemEncryptSevLib.inf > create mode 100644 OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf > create mode 100644 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.h > create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c > create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c > create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c > create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c > create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecVirtualMemory.c > create mode 100644 OvmfPkg/Library/VmgExitLib/PeiDxeVmgExitVcHandler.c > create mode 100644 OvmfPkg/Library/VmgExitLib/SecVmgExitVcHandler.c > create mode 100644 OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm >