From: Michael Roth <michael.roth@amd.com>
To: Borislav Petkov <bp@alien8.de>
Cc: Brijesh Singh <brijesh.singh@amd.com>, <x86@kernel.org>,
<linux-kernel@vger.kernel.org>, <kvm@vger.kernel.org>,
<linux-efi@vger.kernel.org>,
<platform-driver-x86@vger.kernel.org>,
<linux-coco@lists.linux.dev>, <linux-mm@kvack.org>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Joerg Roedel <jroedel@suse.de>,
Tom Lendacky <thomas.lendacky@amd.com>,
"H. Peter Anvin" <hpa@zytor.com>,
Ard Biesheuvel <ardb@kernel.org>,
Paolo Bonzini <pbonzini@redhat.com>,
Sean Christopherson <seanjc@google.com>,
"Vitaly Kuznetsov" <vkuznets@redhat.com>,
Jim Mattson <jmattson@google.com>,
"Andy Lutomirski" <luto@kernel.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
Sergio Lopez <slp@redhat.com>, Peter Gonda <pgonda@google.com>,
"Peter Zijlstra" <peterz@infradead.org>,
Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>,
David Rientjes <rientjes@google.com>,
Dov Murik <dovmurik@linux.ibm.com>,
Tobin Feldman-Fitzthum <tobin@ibm.com>,
Vlastimil Babka <vbabka@suse.cz>,
"Kirill A . Shutemov" <kirill@shutemov.name>,
Andi Kleen <ak@linux.intel.com>,
"Dr . David Alan Gilbert" <dgilbert@redhat.com>,
<tony.luck@intel.com>, <marcorr@google.com>,
<sathyanarayanan.kuppuswamy@linux.intel.com>
Subject: Re: [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler
Date: Mon, 18 Oct 2021 13:40:03 -0500 [thread overview]
Message-ID: <20211018184003.3ob2uxcpd2rpee3s@amd.com> (raw)
In-Reply-To: <YW2EsxcqBucuyoal@zn.tnic>
On Mon, Oct 18, 2021 at 04:29:07PM +0200, Borislav Petkov wrote:
> On Fri, Oct 08, 2021 at 01:04:19PM -0500, Brijesh Singh wrote:
> > From: Michael Roth <michael.roth@amd.com>
> >
> > Generally access to MSR_AMD64_SEV is only safe if the 0x8000001F CPUID
> > leaf indicates SEV support. With SEV-SNP, CPUID responses from the
> > hypervisor are not considered trustworthy, particularly for 0x8000001F.
> > SEV-SNP provides a firmware-validated CPUID table to use as an
> > alternative, but prior to checking MSR_AMD64_SEV there are no
> > guarantees that this is even an SEV-SNP guest.
> >
> > Rather than relying on these CPUID values early on, allow SEV-ES and
> > SEV-SNP guests to instead use a cpuid instruction to trigger a #VC and
> > have it cache MSR_AMD64_SEV in sev_status, since it is known to be safe
> > to access MSR_AMD64_SEV if a #VC has triggered.
> >
> > Signed-off-by: Michael Roth <michael.roth@amd.com>
> > Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
> > ---
> > arch/x86/kernel/sev-shared.c | 14 ++++++++++++++
> > 1 file changed, 14 insertions(+)
> >
> > diff --git a/arch/x86/kernel/sev-shared.c b/arch/x86/kernel/sev-shared.c
> > index 8ee27d07c1cd..2796c524d174 100644
> > --- a/arch/x86/kernel/sev-shared.c
> > +++ b/arch/x86/kernel/sev-shared.c
> > @@ -191,6 +191,20 @@ void __init do_vc_no_ghcb(struct pt_regs *regs, unsigned long exit_code)
> > if (exit_code != SVM_EXIT_CPUID)
> > goto fail;
> >
> > + /*
> > + * A #VC implies that either SEV-ES or SEV-SNP are enabled, so the SEV
> > + * MSR is also available. Go ahead and initialize sev_status here to
> > + * allow SEV features to be checked without relying solely on the SEV
> > + * cpuid bit to indicate whether it is safe to do so.
> > + */
> > + if (!sev_status) {
> > + unsigned long lo, hi;
> > +
> > + asm volatile("rdmsr" : "=a" (lo), "=d" (hi)
> > + : "c" (MSR_AMD64_SEV));
> > + sev_status = (hi << 32) | lo;
> > + }
> > +
> > sev_es_wr_ghcb_msr(GHCB_CPUID_REQ(fn, GHCB_CPUID_REQ_EAX));
> > VMGEXIT();
> > val = sev_es_rd_ghcb_msr();
> > --
>
> Ok, you guys are killing me. ;-\
>
> How is bolting some pretty much unrelated code into the early #VC
> handler not a hack? Do you not see it?
This was the result of my proposal in v5:
> More specifically, the general protocol to determine SNP is enabled
> seems
> to be:
>
> 1) check cpuid 0x8000001f to determine if SEV bit is enabled and SEV
> MSR is available
> 2) check the SEV MSR to see if SEV-SNP bit is set
>
> but the conundrum here is the CPUID page is only valid if SNP is
> enabled, otherwise it can be garbage. So the code to set up the page
> skips those checks initially, and relies on the expectation that UEFI,
> or whatever the initial guest blob was, will only provide a CC_BLOB if
> it already determined SNP is enabled.
>
> It's still possible something goes awry and the kernel gets handed a
> bogus CC_BLOB even though SNP isn't actually enabled. In this case the
> cpuid values could be bogus as well, but the guest will fail
> attestation then and no secrets should be exposed.
>
> There is one thing that could tighten up the check a bit though. Some
> bits of SEV-ES code will use the generation of a #VC as an indicator
> of SEV-ES support, which implies SEV MSR is available without relying
> on hypervisor-provided CPUID bits. I could add a one-time check in
> the cpuid #VC to check SEV MSR for SNP bit, but it would likely
> involve another static __ro_after_init variable store state. If that
> seems worthwhile I can look into that more as well.
Yes, the skipping of checks above sounds weird: why don't you simply
keep the checks order: SEV, -ES, -SNP and then parse CPUID. It'll fail
at attestation eventually, but you'll have the usual flow like with the
rest of the SEV- feature picking apart.
https://lore.kernel.org/lkml/YS3+saDefHwkYwny@zn.tnic/
I'd thought you didn't like the previous approach of having snp_cpuid_init()
defer the CPUID/MSR checks until sme_enable() sets up sev_status later on,
then failing the boot retroactively if SNP bit isn't set but CPUID table
was advertised. So I added those checks in snp_cpuid_init(), along with the
additional #VC-based indicator of SEV-ES/SEV-SNP support as an additional
sanity check of what EFI firmware was providing, since I thought that was
the key concern here.
Now I'm realizing that perhaps your suggestion was to actually defer the
entire CPUID page setup until after sme_enable(). Is that correct?
>
> So sme_enable() is reading MSR_AMD64_SEV and setting up everything
> there, including sev_status. If a SNP guest does not trust CPUID, why
> can't you attempt to read that MSR there, even if CPUID has lied to the
> guest?
If CPUID has lied, that would result in a #GP, rather than a controlled
termination in the various checkers/callers. The latter is easier to
debug.
Additionally, #VC is arguably a better indicator of SEV MSR availability
for SEV-ES/SEV-SNP guests, since it is only generated by ES/SNP hardware
and doesn't rely directly on hypervisor/EFI-provided CPUID values. It
doesn't work for SEV guests, but I don't think it's a bad idea to allow
SEV-ES/SEV-SNP guests to initialize sev_status in #VC handler to make
use of the added assurance.
Is it just the way it's currently implemented as something
cpuid-table-specific that's at issue, or are you opposed to doing so in
general?
Thanks,
Mike
>
> And not just slap it somewhere just because it works?
>
> --
> Regards/Gruss,
> Boris.
>
> https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpeople.kernel.org%2Ftglx%2Fnotes-about-netiquette&data=04%7C01%7Cmichael.roth%40amd.com%7C462c7481ae414f7706a808d99243a615%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637701641625364120%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=6MViA5KCFEgSA2fijEx3Dg05btIEAjw55bFYRKL0P6o%3D&reserved=0
next prev parent reply other threads:[~2021-10-18 18:40 UTC|newest]
Thread overview: 96+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-08 18:04 [PATCH v6 00/42] Add AMD Secure Nested Paging (SEV-SNP) Guest Support Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 01/42] x86/mm: Extend cc_attr to include AMD SEV-SNP Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 02/42] x86/sev: Shorten GHCB terminate macro names Brijesh Singh
2021-10-11 13:15 ` Borislav Petkov
2021-10-08 18:04 ` [PATCH v6 03/42] x86/sev: Get rid of excessive use of defines Brijesh Singh
2021-10-11 8:48 ` Borislav Petkov
2021-10-08 18:04 ` [PATCH v6 04/42] x86/head64: Carve out the guest encryption postprocessing into a helper Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 05/42] x86/sev: Define the Linux specific guest termination reasons Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 06/42] x86/sev: Save the negotiated GHCB version Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 07/42] x86/sev: Add support for hypervisor feature VMGEXIT Brijesh Singh
2021-10-13 14:02 ` Borislav Petkov
2021-10-08 18:04 ` [PATCH v6 08/42] x86/sev-es: initialize sev_status/features within #VC handler Brijesh Singh
2021-10-18 14:29 ` Borislav Petkov
2021-10-18 18:40 ` Michael Roth [this message]
2021-10-18 19:18 ` Borislav Petkov
2021-10-20 16:10 ` Michael Roth
2021-10-20 18:01 ` Borislav Petkov
2021-10-21 0:35 ` Michael Roth
2021-10-21 14:28 ` Borislav Petkov
2021-10-20 18:08 ` Borislav Petkov
2021-10-21 2:05 ` Michael Roth
2021-10-21 14:39 ` Borislav Petkov
2021-10-21 23:00 ` Michael Roth
2021-10-21 14:48 ` Borislav Petkov
2021-10-21 15:56 ` Dr. David Alan Gilbert
2021-10-21 16:55 ` Borislav Petkov
2021-10-21 17:12 ` Dr. David Alan Gilbert
2021-10-21 17:37 ` Borislav Petkov
2021-10-21 17:47 ` Dr. David Alan Gilbert
2021-10-21 18:46 ` Borislav Petkov
2021-10-21 21:34 ` Michael Roth
2021-10-21 14:51 ` Borislav Petkov
2021-10-21 20:41 ` Michael Roth
2021-10-25 11:04 ` Borislav Petkov
2021-10-25 16:35 ` Michael Roth
2021-10-27 11:17 ` Borislav Petkov
2021-10-27 15:13 ` Michael Roth
2021-10-08 18:04 ` [PATCH v6 09/42] x86/sev: Check SEV-SNP features support Brijesh Singh
2021-10-19 14:47 ` Borislav Petkov
2021-10-08 18:04 ` [PATCH v6 10/42] x86/sev: Add a helper for the PVALIDATE instruction Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 11/42] x86/sev: Check the vmpl level Brijesh Singh
2021-10-28 15:07 ` Borislav Petkov
2021-10-08 18:04 ` [PATCH v6 12/42] x86/compressed: Add helper for validating pages in the decompression stage Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 13/42] x86/compressed: Register GHCB memory when SEV-SNP is active Brijesh Singh
2021-11-02 16:33 ` Borislav Petkov
2021-10-08 18:04 ` [PATCH v6 14/42] x86/sev: " Brijesh Singh
2021-11-02 16:53 ` Borislav Petkov
2021-11-02 18:24 ` Brijesh Singh
2021-11-02 18:44 ` Borislav Petkov
2021-11-03 20:10 ` Brijesh Singh
2021-11-04 13:58 ` Borislav Petkov
2021-11-04 15:26 ` Brijesh Singh
2021-11-04 16:03 ` Boris Petkov
2021-10-08 18:04 ` [PATCH v6 15/42] x86/sev: Remove do_early_exception() forward declarations Brijesh Singh
2021-11-02 16:54 ` Borislav Petkov
2021-10-08 18:04 ` [PATCH v6 16/42] x86/sev: Add helper for validating pages in early enc attribute changes Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 17/42] x86/kernel: Make the bss.decrypted section shared in RMP table Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 18/42] x86/kernel: Validate rom memory before accessing when SEV-SNP is active Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 19/42] x86/mm: Add support to validate memory when changing C-bit Brijesh Singh
2021-11-09 19:34 ` Borislav Petkov
2021-11-10 14:21 ` Brijesh Singh
2021-11-10 18:43 ` Borislav Petkov
2021-11-11 14:49 ` Tom Lendacky
2021-11-11 16:01 ` Borislav Petkov
2021-10-08 18:04 ` [PATCH v6 20/42] KVM: SVM: Define sev_features and vmpl field in the VMSA Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 21/42] KVM: SVM: Create a separate mapping for the SEV-ES save area Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 22/42] KVM: SVM: Create a separate mapping for the GHCB " Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 23/42] KVM: SVM: Update the SEV-ES save area mapping Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 24/42] x86/sev: Use SEV-SNP AP creation to start secondary CPUs Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 25/42] x86/head: re-enable stack protection for 32/64-bit builds Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 26/42] x86/sev: move MSR-based VMGEXITs for CPUID to helper Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 27/42] KVM: x86: move lookup of indexed CPUID leafs " Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 28/42] x86/compressed/acpi: move EFI system table lookup " Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 29/42] x86/compressed/acpi: move EFI config " Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 30/42] x86/compressed/acpi: move EFI vendor " Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 31/42] x86/boot: Add Confidential Computing type to setup_data Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 32/42] x86/compressed/64: add support for SEV-SNP CPUID table in #VC handlers Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 33/42] boot/compressed/64: use firmware-validated CPUID for SEV-SNP guests Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 34/42] x86/boot: add a pointer to Confidential Computing blob in bootparams Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 35/42] x86/compressed/64: store Confidential Computing blob address " Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 36/42] x86/compressed/64: add identity mapping for Confidential Computing blob Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 37/42] x86/sev: use firmware-validated CPUID for SEV-SNP guests Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 38/42] x86/sev: Provide support for SNP guest request NAEs Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 39/42] x86/sev: Register SNP guest request platform device Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 40/42] virt: Add SEV-SNP guest driver Brijesh Singh
2021-10-10 17:51 ` Dov Murik
2021-10-13 11:37 ` Brijesh Singh
2021-10-20 21:33 ` Peter Gonda
2021-10-27 16:07 ` Brijesh Singh
2021-10-27 20:10 ` Peter Gonda
2021-10-27 20:47 ` Brijesh Singh
2021-10-27 21:05 ` Peter Gonda
2021-10-27 21:12 ` Brijesh Singh
2021-10-27 21:15 ` Peter Gonda
2021-10-08 18:04 ` [PATCH v6 41/42] virt: sevguest: Add support to derive key Brijesh Singh
2021-10-08 18:04 ` [PATCH v6 42/42] virt: sevguest: Add support to get extended report Brijesh Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211018184003.3ob2uxcpd2rpee3s@amd.com \
--to=michael.roth@amd.com \
--cc=ak@linux.intel.com \
--cc=ardb@kernel.org \
--cc=bp@alien8.de \
--cc=brijesh.singh@amd.com \
--cc=dave.hansen@linux.intel.com \
--cc=dgilbert@redhat.com \
--cc=dovmurik@linux.ibm.com \
--cc=hpa@zytor.com \
--cc=jmattson@google.com \
--cc=jroedel@suse.de \
--cc=kirill@shutemov.name \
--cc=kvm@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=marcorr@google.com \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=pgonda@google.com \
--cc=platform-driver-x86@vger.kernel.org \
--cc=rientjes@google.com \
--cc=sathyanarayanan.kuppuswamy@linux.intel.com \
--cc=seanjc@google.com \
--cc=slp@redhat.com \
--cc=srinivas.pandruvada@linux.intel.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=tobin@ibm.com \
--cc=tony.luck@intel.com \
--cc=vbabka@suse.cz \
--cc=vkuznets@redhat.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).