From: Sean Christopherson <seanjc@google.com>
To: Dmytro Maluka <dmy@semihalf.com>
Cc: Carlos Bilbao <carlos.bilbao@amd.com>,
corbet@lwn.net, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org, ardb@kernel.org,
kraxel@redhat.com, dovmurik@linux.ibm.com,
elena.reshetova@intel.com, dave.hansen@linux.intel.com,
Dhaval.Giani@amd.com, michael.day@amd.com,
pavankumar.paluri@amd.com, David.Kaplan@amd.com,
Reshma.Lal@amd.com, Jeremy.Powell@amd.com,
sathyanarayanan.kuppuswamy@linux.intel.com,
alexander.shishkin@linux.intel.com, thomas.lendacky@amd.com,
tglx@linutronix.de, dgilbert@redhat.com,
gregkh@linuxfoundation.org, dinechin@redhat.com,
linux-coco@lists.linux.dev, berrange@redhat.com, mst@redhat.com,
tytso@mit.edu, jikos@kernel.org, joro@8bytes.org,
leon@kernel.org, richard.weinberger@gmail.com, lukas@wunner.de,
jejb@linux.ibm.com, cdupontd@redhat.com, jasowang@redhat.com,
sameo@rivosinc.com, bp@alien8.de, security@kernel.org,
Larry Dewey <larry.dewey@amd.com>,
android-kvm@google.com, Dmitry Torokhov <dtor@google.com>,
Allen Webb <allenwebb@google.com>,
Tomasz Nowicki <tn@semihalf.com>,
Grzegorz Jaszczyk <jaz@semihalf.com>,
Patryk Duda <pdk@semihalf.com>
Subject: Re: [PATCH v2] docs: security: Confidential computing intro and threat model for x86 virtualization
Date: Fri, 16 Jun 2023 07:20:07 -0700 [thread overview]
Message-ID: <ZIxvl4sMH6N8TrAL@google.com> (raw)
In-Reply-To: <2cfa3122-6b54-aab5-8a61-41c08853286b@semihalf.com>
On Fri, Jun 16, 2023, Dmytro Maluka wrote:
> On 6/13/23 19:03, Sean Christopherson wrote:
> > On Mon, Jun 12, 2023, Carlos Bilbao wrote:
> >> +well as CoCo technology specific hypercalls, if present. Additionally, the
> >> +host in a CoCo system typically controls the process of creating a CoCo
> >> +guest: it has a method to load into a guest the firmware and bootloader
> >> +images, the kernel image together with the kernel command line. All of this
> >> +data should also be considered untrusted until its integrity and
> >> +authenticity is established via attestation.
> >
> > Attestation is SNP and TDX specific. AIUI, none of SEV, SEV-ES, or pKVM (which
> > doesn't even really exist on x86 yet), have attestation of their own, e.g. the
> > proposed pKVM support would rely on Secure Boot of the original "full" host kernel.
>
> Seems to be a bit of misunderstanding here. Secure Boot verifies the
> host kernel, which is indeed also important, since the pKVM hypervisor
> is a part of the host kernel image. But when it comes to verifying the
> guests, it's a different story: a protected pKVM guest is started by the
> (untrusted) host at an arbitrary moment in time, not before the early
> kernel deprivileging when the host is still considered trusted.
> (Moreover, in practice the guest is started by a userspace VMM, i.e. not
> exactly the most trusted part of the host stack.) So the host can
> maliciously or mistakenly load a wrong guest image for running as a
> protected guest, so we do need attestation for protected guests.
>
> This attestation is not implemented in pKVM on x86 yet (you are right
> that pKVM on x86 is little more than a proposal at this point). But in
> pKVM on ARM it is afaik already working, it is software based (ensured
> by pKVM hypervisor + a tiny generic guest bootloader which verifies the
> guest image before jumping to the guest) and architecture-independent,
> so it should be possible to adopt it for x86 as is.
Sorry, instead of "Attestation is SNP and TDX specific", I should have said, "The
form of attestation described here is SNP and TDX specific".
pKVM's "attestation", effectively has its root of trust in the pKVM hypervisor,
which is in turn attested via Secure Boot. I.e. the guest payload is verified
*before* it is launched.
That is different from SNP and TDX where guest code and data is controlled by the
*untrusted* host. The initial payload is measured by trusted firmware, but it is
not verified, and so that measurement must be attested after the guest boots,
before any sensitive data is provisioned to the guest.
Specifically, with "untrusted" inserted by me for clarification, my understanding
is that this doesn't hold true for pKVM when splitting hairs:
Additionally, the **untrusted** host in a CoCo system typically controls the
process of creating a CoCo guest: it has a method to load into a guest the
firmware and bootloader images, the kernel image together with the kernel
command line. All of this data should also be considered untrusted until its
integrity and authenticity is established via attestation.
because the guest firmware comes from a trusted entity, not the untrusted host.
next prev parent reply other threads:[~2023-06-16 14:20 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-12 16:47 [PATCH v2] docs: security: Confidential computing intro and threat model for x86 virtualization Carlos Bilbao
2023-06-12 22:43 ` Randy Dunlap
2023-06-14 13:55 ` Carlos Bilbao
2023-06-14 15:06 ` Randy Dunlap
2023-06-13 17:03 ` Sean Christopherson
2023-06-14 7:37 ` Reshetova, Elena
2023-06-14 14:15 ` Sean Christopherson
2023-06-16 12:36 ` Dmytro Maluka
2023-06-16 13:56 ` Sean Christopherson
2023-06-16 14:09 ` Allen Webb
2023-06-16 14:42 ` Sean Christopherson
2023-06-16 15:16 ` Allen Webb
2023-06-17 18:15 ` Dmytro Maluka
2023-06-16 15:31 ` Dmytro Maluka
2023-06-16 18:07 ` Sean Christopherson
2023-06-17 17:43 ` Dmytro Maluka
2023-06-19 11:23 ` Reshetova, Elena
2023-06-19 15:03 ` Dmytro Maluka
2023-06-16 12:24 ` Dmytro Maluka
2023-06-16 14:20 ` Sean Christopherson [this message]
2023-06-16 15:36 ` Dmytro Maluka
2023-06-22 14:32 ` Carlos Bilbao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZIxvl4sMH6N8TrAL@google.com \
--to=seanjc@google.com \
--cc=David.Kaplan@amd.com \
--cc=Dhaval.Giani@amd.com \
--cc=Jeremy.Powell@amd.com \
--cc=Reshma.Lal@amd.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=allenwebb@google.com \
--cc=android-kvm@google.com \
--cc=ardb@kernel.org \
--cc=berrange@redhat.com \
--cc=bp@alien8.de \
--cc=carlos.bilbao@amd.com \
--cc=cdupontd@redhat.com \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=dgilbert@redhat.com \
--cc=dinechin@redhat.com \
--cc=dmy@semihalf.com \
--cc=dovmurik@linux.ibm.com \
--cc=dtor@google.com \
--cc=elena.reshetova@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=jasowang@redhat.com \
--cc=jaz@semihalf.com \
--cc=jejb@linux.ibm.com \
--cc=jikos@kernel.org \
--cc=joro@8bytes.org \
--cc=kraxel@redhat.com \
--cc=larry.dewey@amd.com \
--cc=leon@kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lukas@wunner.de \
--cc=michael.day@amd.com \
--cc=mst@redhat.com \
--cc=pavankumar.paluri@amd.com \
--cc=pdk@semihalf.com \
--cc=richard.weinberger@gmail.com \
--cc=sameo@rivosinc.com \
--cc=sathyanarayanan.kuppuswamy@linux.intel.com \
--cc=security@kernel.org \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=tn@semihalf.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.