Message-ID: <2cfa3122-6b54-aab5-8a61-41c08853286b@semihalf.com>
Date: Fri, 16 Jun 2023 14:24:19 +0200
Subject: Re: [PATCH v2] docs: security: Confidential computing intro and threat model for x86 virtualization
From: Dmytro Maluka
To: Sean Christopherson, Carlos Bilbao
Cc: corbet@lwn.net, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, ardb@kernel.org, kraxel@redhat.com, dovmurik@linux.ibm.com, elena.reshetova@intel.com, dave.hansen@linux.intel.com, Dhaval.Giani@amd.com, michael.day@amd.com, pavankumar.paluri@amd.com, David.Kaplan@amd.com, Reshma.Lal@amd.com, Jeremy.Powell@amd.com, sathyanarayanan.kuppuswamy@linux.intel.com, alexander.shishkin@linux.intel.com, thomas.lendacky@amd.com, tglx@linutronix.de, dgilbert@redhat.com, gregkh@linuxfoundation.org, dinechin@redhat.com, linux-coco@lists.linux.dev, berrange@redhat.com, mst@redhat.com, tytso@mit.edu, jikos@kernel.org, joro@8bytes.org, leon@kernel.org, richard.weinberger@gmail.com, lukas@wunner.de, jejb@linux.ibm.com, cdupontd@redhat.com, jasowang@redhat.com, sameo@rivosinc.com, bp@alien8.de, security@kernel.org, Larry Dewey, android-kvm@google.com, Dmitry Torokhov, Allen Webb, Tomasz Nowicki, Grzegorz Jaszczyk, Patryk Duda
References: <20230612164727.3935657-1-carlos.bilbao@amd.com>

On 6/13/23 19:03, Sean Christopherson wrote:
> On Mon, Jun 12, 2023, Carlos Bilbao wrote:
>> +well as CoCo technology specific hypercalls, if present. Additionally, the
>> +host in a CoCo system typically controls the process of creating a CoCo
>> +guest: it has a method to load into a guest the firmware and bootloader
>> +images, the kernel image together with the kernel command line. All of this
>> +data should also be considered untrusted until its integrity and
>> +authenticity is established via attestation.
>
> Attestation is SNP and TDX specific. AIUI, none of SEV, SEV-ES, or pKVM (which
> doesn't even really exist on x86 yet), have attestation of their own, e.g. the
> proposed pKVM support would rely on Secure Boot of the original "full" host kernel.

Seems to be a bit of misunderstanding here. Secure Boot verifies the host kernel, which is indeed also important, since the pKVM hypervisor is a part of the host kernel image. But when it comes to verifying the guests, it's a different story: a protected pKVM guest is started by the (untrusted) host at an arbitrary moment in time, not before the early kernel deprivileging when the host is still considered trusted. (Moreover, in practice the guest is started by a userspace VMM, i.e. not exactly the most trusted part of the host stack.) So the host can maliciously or mistakenly load a wrong guest image for running as a protected guest, so we do need attestation for protected guests.

This attestation is not implemented in pKVM on x86 yet (you are right that pKVM on x86 is little more than a proposal at this point). But in pKVM on ARM it is afaik already working, it is software based (ensured by pKVM hypervisor + a tiny generic guest bootloader which verifies the guest image before jumping to the guest) and architecture-independent, so it should be possible to adopt it for x86 as is.

Furthermore, since for pKVM on x86 use cases we also need assigning physical secure hardware devices to the protected guest, we need attestation not just for the guest image itself but also for the secure devices assigned to it by the host.
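Review bot: the last two added lines of the quoted hunk ("All of this data should also be considered untrusted until its integrity and authenticity is established via attestation") present attestation as the one mechanism by which the host-loaded firmware, bootloader, kernel and command line become trusted, yet the thread itself shows this is not uniform across the technologies the document covers: per Sean, attestation is SNP and TDX specific and SEV/SEV-ES have none of their own, and per Dmytro, pKVM's guest-image verification is software based (hypervisor plus a small guest bootloader), working on ARM but not yet implemented on x86. Suggest qualifying the sentence so it does not overstate, along the lines of "until its integrity and authenticity are established, e.g. via attestation where the CoCo technology provides it", and while there fix the agreement error ("integrity and authenticity is established" should read "are established"). A smaller style point on the first added line: "CoCo technology specific hypercalls" reads better hyphenated as "CoCo-technology-specific hypercalls".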