From: Tom Lendacky <thomas.lendacky@amd.com>
To: Paolo Bonzini <pbonzini@redhat.com>,
Andy Lutomirski <luto@amacapital.net>
Cc: linux-arch <linux-arch@vger.kernel.org>,
"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
"kvm list" <kvm@vger.kernel.org>,
"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
"X86 ML" <x86@kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
kasan-dev <kasan-dev@googlegroups.com>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
iommu@lists.linux-foundation.org,
"Radim Krčmář" <rkrcmar@redhat.com>,
"Arnd Bergmann" <arnd@arndb.de>,
"Jonathan Corbet" <corbet@lwn.net>,
"Matt Fleming" <matt@codeblueprint.co.uk>,
"Joerg Roedel" <joro@8bytes.org>,
"Konrad Rzeszutek Wilk" <konrad.wilk@oracle.com>,
"Ingo Molnar" <mingo@redhat.com>,
"Borislav Petkov" <bp@alien8.de>,
"H. Peter Anvin" <hpa@zytor.com>,
"Andrey Ryabinin" <aryabinin@virtuozzo.com>,
"Alexander Potapenko" <glider@google.com>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Dmitry Vyukov" <dvyukov@google.com>
Subject: Re: [RFC PATCH v1 00/18] x86: Secure Memory Encryption (AMD)
Date: Mon, 9 May 2016 16:08:03 -0500 [thread overview]
Message-ID: <5730FC33.2060804@amd.com> (raw)
In-Reply-To: <5730A91E.6040601@redhat.com>
On 05/09/2016 10:13 AM, Paolo Bonzini wrote:
>
>
> On 02/05/2016 20:31, Andy Lutomirski wrote:
>> And did the SEV implementation remember to encrypt the guest register
>> state? Because, if not, everything of importance will leak out
>> through the VMCB and/or GPRs.
>
> No, it doesn't. And SEV is very limited unless you paravirtualize
> everything.
>
> For example, the hypervisor needs to read some instruction bytes from
> memory, and instruction bytes are always encrypted (15.34.5 in the APM).
> So you're pretty much restricted to IN/OUT operations (not even
> INS/OUTS) on emulated (non-assigned) devices, paravirtualized MSRs, and
> hypercalls. These are the only operations that connect the guest and
> the hypervisor, where the vmexit doesn't have the need to e.g. walk
> guest page tables (also always encrypted). It possibly can be made to
> work once the guest boots, and a modern UEFI firmware probably can cope
> with it too just like a kernel can, but you need to ensure that your
> hardware has no memory BARs for example. And I/O port space is not very
> abundant.
The instruction bytes stored in the VMCB at offset 0xd0 for a data
side #NPF are stored un-encrypted (which is not clearly documented in
the APM). This allows for the hypervisor to perform MMIO on emulated
devices. Because the hardware provides enough information on VMEXIT
events, such as exit codes, decode assist, etc., the hypervisor has
the information it needs to perform the operation without having to
read the guest pagetables and/or the guest instruction stream from
guest memory. There are a few minor corner cases (e.g. rep ins) and
there will be more info on those when the SEV patches are submitted.
>
> Even in order to emulate I/O ports or RDMSR/WRMSR or process hypercalls,
> the hypervisor needs to read the GPRs. The VMCB doesn't store guest
> GPRs, not even on SEV-enabled processors. Accordingly, the hypervisor
> has access to the guest GPRs on every exit.
In this initial version of SEV support the hardware does not encrypt
the guest save state and the hypervisor does have access to the GPRs.
>
> In general, SEV provides mitigation only. Even if the hypervisor cannot
> write known plaintext directly to memory, an accomplice virtual machine
> can e.g. use the network to spray the attacked VM's memory. At least
Can you elaborate further on this? The accomplice VM will not have
access to the encryption key of the target VM and cannot accomplish
any spraying that the hypervisor itself cannot do.
> it's not as easy as "disable NX under the guest's feet and redirect RIP"
> (pte.nx is reserved if efer.nxe=0, all you get is a #PF). But the
> hypervisor can still disable SMEP and SMAP, it can use hardware
> breakpoints to leak information through the registers, and it can do all
> the other attacks you mentioned. If AMD had rdrand/rdseed, it could
> replace the output with not so random values, and so on.
AMD added support for the rdrand in some of the later fam16h models.
>
> It's surely better than nothing, but "encryption that really is nothing
> more than mitigation" is pretty weird. I'm waiting for cloud vendors to
> sell this as the best thing since sliced bread, when in reality it's
> just mitigation. I wonder how wise it is to merge SEV in its current
> state---and since security is not my specialty I am definitely looking
> for advice on this.
>
In this first generation of SEV, we are targeting a threat model very
similar to the one used by SMEP and SMAP. Specifically, SEV protects a
guest from a benign but vulnerable hypervisor, where a malicious guest
or unprivileged process exploits a system/hypervisor interface in an
attempt to read or modify the guest's memory. But, like SMEP and SMAP,
if an attacker has the ability to arbitrarily execute code in the
kernel, he would be able to circumvent the control. AMD has a vision
for this generation of SEV to be foundational to future generations
that defend against stronger attacks.
Thanks,
Tom
> Paolo
>
> ps: I'm now reminded of this patch:
>
> commit dab429a798a8ab3377136e09dda55ea75a41648d
> Author: David Kaplan <David.Kaplan@amd.com>
> Date: Mon Mar 2 13:43:37 2015 -0600
>
> kvm: svm: make wbinvd faster
>
> No need to re-decode WBINVD since we know what it is from the
> intercept.
>
> Signed-off-by: David Kaplan <David.Kaplan@amd.com>
> [extracted from larger unlrelated patch, forward ported,
> tested,style cleanup]
> Signed-off-by: Joel Schopp <joel.schopp@amd.com>
> Reviewed-by: Radim Krčmář <rkrcmar@redhat.com>
> Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
>
> and I wonder if the larger unlrelated patch had anything to do with SEV!
>
next prev parent reply other threads:[~2016-05-09 21:08 UTC|newest]
Thread overview: 75+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-26 22:55 [RFC PATCH v1 00/18] x86: Secure Memory Encryption (AMD) Tom Lendacky
2016-03-22 13:00 ` Pavel Machek
2016-04-27 14:05 ` Borislav Petkov
2016-04-27 14:30 ` Pavel Machek
2016-04-27 14:39 ` Borislav Petkov
2016-04-27 14:58 ` Pavel Machek
2016-04-27 15:47 ` Pavel Machek
2016-04-27 14:21 ` Tom Lendacky
2016-04-26 22:56 ` [RFC PATCH v1 01/18] x86: Set the write-protect cache mode for AMD processors Tom Lendacky
2016-04-27 14:33 ` Andy Lutomirski
2016-04-27 14:44 ` Tom Lendacky
2016-04-27 14:47 ` Andy Lutomirski
2016-04-27 15:05 ` Tom Lendacky
2016-04-27 15:12 ` Andy Lutomirski
2016-04-27 15:31 ` Borislav Petkov
2016-04-27 15:34 ` Andy Lutomirski
2016-04-26 22:56 ` [RFC PATCH v1 02/18] x86: Secure Memory Encryption (SME) build enablement Tom Lendacky
2016-03-22 13:01 ` Pavel Machek
2016-04-27 15:17 ` Tom Lendacky
2016-04-27 15:30 ` Pavel Machek
2016-04-27 15:41 ` Borislav Petkov
2016-04-27 16:41 ` Pavel Machek
2016-04-27 17:07 ` Robin Murphy
2016-04-27 17:12 ` Borislav Petkov
2016-04-26 22:56 ` [RFC PATCH v1 03/18] x86: Secure Memory Encryption (SME) support Tom Lendacky
2016-03-22 13:03 ` Pavel Machek
2016-04-27 16:20 ` Tom Lendacky
2016-04-26 22:56 ` [RFC PATCH v1 04/18] x86: Add the Secure Memory Encryption cpu feature Tom Lendacky
2016-04-26 22:56 ` [RFC PATCH v1 05/18] x86: Handle reduction in physical address size with SME Tom Lendacky
2016-04-26 22:56 ` [RFC PATCH v1 06/18] x86: Provide general kernel support for memory encryption Tom Lendacky
2016-04-26 22:57 ` [RFC PATCH v1 07/18] x86: Extend the early_memmap support with additional attrs Tom Lendacky
2016-04-26 22:57 ` [RFC PATCH v1 08/18] x86: Add support for early encryption/decryption of memory Tom Lendacky
2016-04-26 22:57 ` [RFC PATCH v1 09/18] x86: Insure that memory areas are encrypted when possible Tom Lendacky
2016-04-26 22:57 ` [RFC PATCH v1 10/18] x86/efi: Access EFI related tables in the clear Tom Lendacky
2016-05-10 13:43 ` Matt Fleming
2016-05-10 13:57 ` Borislav Petkov
2016-05-12 18:20 ` Tom Lendacky
2016-05-24 14:54 ` Tom Lendacky
2016-05-25 16:09 ` Daniel Kiper
2016-05-25 19:30 ` Matt Fleming
2016-05-26 13:45 ` Tom Lendacky
2016-06-08 10:07 ` Matt Fleming
2016-06-09 16:16 ` Tom Lendacky
2016-06-13 12:03 ` Matt Fleming
2016-06-13 12:34 ` Matt Fleming
2016-06-13 15:16 ` Tom Lendacky
2016-06-08 11:18 ` Matt Fleming
2016-06-09 18:33 ` Tom Lendacky
2016-06-13 13:51 ` Matt Fleming
2016-06-15 13:17 ` Tom Lendacky
2016-06-16 14:38 ` Tom Lendacky
2016-06-17 15:51 ` Matt Fleming
2016-04-26 22:57 ` [RFC PATCH v1 11/18] x86: Decrypt trampoline area if memory encryption is active Tom Lendacky
2016-04-26 22:58 ` [RFC PATCH v1 12/18] x86: Access device tree in the clear Tom Lendacky
2016-04-26 22:58 ` [RFC PATCH v1 13/18] x86: DMA support for memory encryption Tom Lendacky
[not found] ` <20160429071743.GC11592@char.us.oracle.com>
2016-04-29 15:12 ` Tom Lendacky
[not found] ` <20160429162757.GA1191@char.us.oracle.com>
2016-04-29 23:49 ` Tom Lendacky
2016-04-26 22:58 ` [RFC PATCH v1 14/18] iommu/amd: AMD IOMMU " Tom Lendacky
2016-04-26 22:58 ` [RFC PATCH v1 15/18] x86: Enable memory encryption on the APs Tom Lendacky
2016-05-01 22:10 ` Huang, Kai
2016-05-03 15:59 ` Tom Lendacky
2016-04-26 22:58 ` [RFC PATCH v1 16/18] x86: Do not specify encrypted memory for VGA mapping Tom Lendacky
2016-04-26 22:58 ` [RFC PATCH v1 17/18] x86/kvm: Enable Secure Memory Encryption of nested page tables Tom Lendacky
2016-04-26 22:59 ` [RFC PATCH v1 18/18] x86: Add support to turn on Secure Memory Encryption Tom Lendacky
2016-03-22 13:13 ` Pavel Machek
2016-04-27 14:39 ` [RFC PATCH v1 00/18] x86: Secure Memory Encryption (AMD) Andy Lutomirski
2016-04-27 20:10 ` Tom Lendacky
2016-05-02 18:31 ` Andy Lutomirski
2016-05-09 15:13 ` Paolo Bonzini
2016-05-09 21:08 ` Tom Lendacky [this message]
2016-05-10 11:23 ` Paolo Bonzini
2016-05-10 12:04 ` Borislav Petkov
2016-04-30 6:13 ` Elliott, Robert (Persistent Memory)
2016-05-03 15:55 ` Tom Lendacky
-- strict thread matches above, loose matches on Subject: below --
2016-04-26 22:45 Tom Lendacky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5730FC33.2060804@amd.com \
--to=thomas.lendacky@amd.com \
--cc=arnd@arndb.de \
--cc=aryabinin@virtuozzo.com \
--cc=bp@alien8.de \
--cc=corbet@lwn.net \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=hpa@zytor.com \
--cc=iommu@lists.linux-foundation.org \
--cc=joro@8bytes.org \
--cc=kasan-dev@googlegroups.com \
--cc=konrad.wilk@oracle.com \
--cc=kvm@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@amacapital.net \
--cc=matt@codeblueprint.co.uk \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=rkrcmar@redhat.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).