From: "Michael S. Tsirkin" <mst@redhat.com>
To: Christophe de Dinechin Dupont de Dinechin <cdupontd@redhat.com>
Cc: Christophe de Dinechin <dinechin@redhat.com>,
James Bottomley <jejb@linux.ibm.com>,
"Reshetova, Elena" <elena.reshetova@intel.com>,
Leon Romanovsky <leon@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"Shishkin, Alexander" <alexander.shishkin@intel.com>,
"Shutemov, Kirill" <kirill.shutemov@intel.com>,
"Kuppuswamy,
Sathyanarayanan" <sathyanarayanan.kuppuswamy@intel.com>,
"Kleen, Andi" <andi.kleen@intel.com>,
"Hansen, Dave" <dave.hansen@intel.com>,
Thomas Gleixner <tglx@linutronix.de>,
Peter Zijlstra <peterz@infradead.org>,
"Wunner, Lukas" <lukas.wunner@intel.com>,
Mika Westerberg <mika.westerberg@linux.intel.com>,
Jason Wang <jasowang@redhat.com>,
"Poimboe, Josh" <jpoimboe@redhat.com>,
"aarcange@redhat.com" <aarcange@redhat.com>,
Cfir Cohen <cfir@google.com>, Marc Orr <marcorr@google.com>,
"jbachmann@google.com" <jbachmann@google.com>,
"pgonda@google.com" <pgonda@google.com>,
"keescook@chromium.org" <keescook@chromium.org>,
James Morris <jmorris@namei.org>,
Michael Kelley <mikelley@microsoft.com>,
"Lange, Jon" <jlange@microsoft.com>,
"linux-coco@lists.linux.dev" <linux-coco@lists.linux.dev>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>
Subject: Re: Linux guest kernel threat model for Confidential Computing
Date: Wed, 1 Feb 2023 11:02:09 -0500 [thread overview]
Message-ID: <20230201105305-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <4B78D161-2712-434A-8E6F-9D8BA468BB3A@redhat.com>
On Wed, Feb 01, 2023 at 02:15:10PM +0100, Christophe de Dinechin Dupont de Dinechin wrote:
>
>
> > On 1 Feb 2023, at 12:01, Michael S. Tsirkin <mst@redhat.com> wrote:
> >
> > On Wed, Feb 01, 2023 at 11:52:27AM +0100, Christophe de Dinechin Dupont de Dinechin wrote:
> >>
> >>
> >>> On 31 Jan 2023, at 18:39, Michael S. Tsirkin <mst@redhat.com> wrote:
> >>>
> >>> On Tue, Jan 31, 2023 at 04:14:29PM +0100, Christophe de Dinechin wrote:
> >>>> Finally, security considerations that apply irrespective of whether the
> >>>> platform is confidential or not are also outside of the scope of this
> >>>> document. This includes topics ranging from timing attacks to social
> >>>> engineering.
> >>>
> >>> Why are timing attacks by hypervisor on the guest out of scope?
> >>
> >> Good point.
> >>
> >> I was thinking that mitigation against timing attacks is the same
> >> irrespective of the source of the attack. However, because the HV
> >> controls CPU time allocation, there are presumably attacks that
> >> are made much easier through the HV. Those should be listed.
> >
> > Not just that, also because it can and does emulate some devices.
> > For example, are disk encryption systems protected against timing of
> > disk accesses?
> > This is why some people keep saying "forget about emulated devices, require
> > passthrough, include devices in the trust zone".
> >
> >>>
> >>>> </doc>
> >>>>
> >>>> Feel free to comment and reword at will ;-)
> >>>>
> >>>>
> >>>> 3/ PCI-as-a-threat: where does that come from
> >>>>
> >>>> Isn't there a fundamental difference, from a threat model perspective,
> >>>> between a bad actor, say a rogue sysadmin dumping the guest memory (which CC
> >>>> should defeat) and compromised software feeding us bad data? I think there
> >>>> is: at leats inside the TCB, we can detect bad software using measurements,
> >>>> and prevent it from running using attestation. In other words, we first
> >>>> check what we will run, then we run it. The security there is that we know
> >>>> what we are running. The trust we have in the software is from testing,
> >>>> reviewing or using it.
> >>>>
> >>>> This relies on a key aspect provided by TDX and SEV, which is that the
> >>>> software being measured is largely tamper-resistant thanks to memory
> >>>> encryption. In other words, after you have measured your guest software
> >>>> stack, the host or hypervisor cannot willy-nilly change it.
> >>>>
> >>>> So this brings me to the next question: is there any way we could offer the
> >>>> same kind of service for KVM and qemu? The measurement part seems relatively
> >>>> easy. Thetamper-resistant part, on the other hand, seems quite difficult to
> >>>> me. But maybe someone else will have a brilliant idea?
> >>>>
> >>>> So I'm asking the question, because if you could somehow prove to the guest
> >>>> not only that it's running the right guest stack (as we can do today) but
> >>>> also a known host/KVM/hypervisor stack, we would also switch the potential
> >>>> issues with PCI, MSRs and the like from "malicious" to merely "bogus", and
> >>>> this is something which is evidently easier to deal with.
> >>>
> >>> Agree absolutely that's much easier.
> >>>
> >>>> I briefly discussed this with James, and he pointed out two interesting
> >>>> aspects of that question:
> >>>>
> >>>> 1/ In the CC world, we don't really care about *virtual* PCI devices. We
> >>>> care about either virtio devices, or physical ones being passed through
> >>>> to the guest. Let's assume physical ones can be trusted, see above.
> >>>> That leaves virtio devices. How much damage can a malicious virtio device
> >>>> do to the guest kernel, and can this lead to secrets being leaked?
> >>>>
> >>>> 2/ He was not as negative as I anticipated on the possibility of somehow
> >>>> being able to prevent tampering of the guest. One example he mentioned is
> >>>> a research paper [1] about running the hypervisor itself inside an
> >>>> "outer" TCB, using VMPLs on AMD. Maybe something similar can be achieved
> >>>> with TDX using secure enclaves or some other mechanism?
> >>>
> >>> Or even just secureboot based root of trust?
> >>
> >> You mean host secureboot? Or guest?
> >>
> >> If it’s host, then the problem is detecting malicious tampering with
> >> host code (whether it’s kernel or hypervisor).
> >
> > Host. Lots of existing systems do this. As an extreme boot a RO disk,
> > limit which packages are allowed.
>
> Is that provable to the guest?
>
> Consider a cloud provider doing that: how do they prove to their guest:
>
> a) What firmware, kernel and kvm they run
>
> b) That what they booted cannot be maliciouly modified, e.g. by a rogue
> device driver installed by a rogue sysadmin
>
> My understanding is that SecureBoot is only intended to prevent non-verified
> operating systems from booting. So the proof is given to the cloud provider,
> and the proof is that the system boots successfully.
I think I should have said measured boot not secure boot.
>
> After that, I think all bets are off. SecureBoot does little AFAICT
> to prevent malicious modifications of the running system by someone with
> root access, including deliberately loading a malicious kvm-zilog.ko
So disable module loading then or don't allow root access?
>
> It does not mean it cannot be done, just that I don’t think we
> have the tools at the moment.
Phones, chromebooks do this all the time ...
> >
> >> If it’s guest, at the moment at least, the measurements do not extend
> >> beyond the TCB.
> >>
> >>>
> >>> --
> >>> MST
>
next prev parent reply other threads:[~2023-02-01 16:03 UTC|newest]
Thread overview: 102+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-25 12:28 Linux guest kernel threat model for Confidential Computing Reshetova, Elena
2023-01-25 12:43 ` Greg Kroah-Hartman
2023-01-25 13:42 ` Dr. David Alan Gilbert
2023-01-25 14:13 ` Daniel P. Berrangé
2023-01-25 15:29 ` Dr. David Alan Gilbert
2023-01-26 14:23 ` Richard Weinberger
2023-01-26 14:58 ` Dr. David Alan Gilbert
2023-01-26 15:13 ` Richard Weinberger
2023-01-26 15:22 ` Dr. David Alan Gilbert
2023-01-26 15:55 ` Daniel P. Berrangé
2023-01-27 9:02 ` Jörg Rödel
2023-01-26 15:43 ` Daniel P. Berrangé
2023-01-27 11:23 ` Reshetova, Elena
2023-01-30 11:30 ` Christophe de Dinechin
2023-01-25 14:22 ` Greg Kroah-Hartman
2023-01-25 14:30 ` James Bottomley
2023-01-25 14:57 ` Dr. David Alan Gilbert
2023-01-25 15:16 ` Greg Kroah-Hartman
2023-01-25 15:45 ` Michael S. Tsirkin
2023-01-25 16:02 ` Kirill A. Shutemov
2023-01-25 17:47 ` Michael S. Tsirkin
2023-01-25 15:50 ` Dr. David Alan Gilbert
2023-01-25 18:47 ` Jiri Kosina
2023-01-26 9:19 ` Jörg Rödel
2023-01-25 21:53 ` Lukas Wunner
2023-01-26 10:48 ` Dr. David Alan Gilbert
2023-01-26 11:24 ` Jonathan Cameron
2023-01-26 13:32 ` Samuel Ortiz
[not found] ` <CAGXJix9-cXNW7EwJf0PVzj_Qmt5fmQvBX1KvXfRX5NAeEpnMvw@mail.gmail.com>
2023-01-26 10:58 ` Jonathan Cameron
2023-01-26 13:15 ` Samuel Ortiz
2023-01-26 16:07 ` Jonathan Cameron
2023-01-27 7:02 ` Samuel Ortiz
2023-01-26 15:44 ` Lukas Wunner
2023-01-26 16:25 ` Michael S. Tsirkin
2023-01-26 21:41 ` Lukas Wunner
2023-01-27 7:17 ` Samuel Ortiz
2023-01-25 20:13 ` Jiri Kosina
2023-01-26 13:13 ` Reshetova, Elena
2023-01-25 15:29 ` Reshetova, Elena
2023-01-25 16:40 ` Theodore Ts'o
2023-01-26 8:08 ` Reshetova, Elena
2023-01-26 11:19 ` Leon Romanovsky
2023-01-26 11:29 ` Reshetova, Elena
2023-01-26 12:30 ` Leon Romanovsky
2023-01-26 13:28 ` Reshetova, Elena
2023-01-26 13:50 ` Leon Romanovsky
2023-01-26 20:54 ` Theodore Ts'o
2023-01-27 19:24 ` James Bottomley
2023-01-30 7:42 ` Reshetova, Elena
2023-01-30 12:40 ` James Bottomley
2023-01-31 11:31 ` Reshetova, Elena
2023-01-31 13:28 ` James Bottomley
2023-01-31 15:14 ` Christophe de Dinechin
2023-01-31 17:39 ` Michael S. Tsirkin
2023-02-01 10:52 ` Christophe de Dinechin Dupont de Dinechin
2023-02-01 11:01 ` Michael S. Tsirkin
2023-02-01 13:15 ` Christophe de Dinechin Dupont de Dinechin
2023-02-01 16:02 ` Michael S. Tsirkin [this message]
2023-02-01 17:13 ` Christophe de Dinechin
2023-02-06 18:58 ` Dr. David Alan Gilbert
2023-02-02 3:24 ` Jason Wang
2023-02-01 10:24 ` Christophe de Dinechin
2023-01-31 16:34 ` Reshetova, Elena
2023-01-31 17:49 ` James Bottomley
2023-02-02 14:51 ` Jeremi Piotrowski
2023-02-03 14:05 ` Reshetova, Elena
2023-01-27 9:32 ` Jörg Rödel
2023-01-26 13:58 ` Dr. David Alan Gilbert
2023-01-26 17:48 ` Reshetova, Elena
2023-01-26 18:06 ` Leon Romanovsky
2023-01-26 18:14 ` Dr. David Alan Gilbert
2023-01-26 16:29 ` Michael S. Tsirkin
2023-01-27 8:52 ` Reshetova, Elena
2023-01-27 10:04 ` Michael S. Tsirkin
2023-01-27 12:25 ` Reshetova, Elena
2023-01-27 14:32 ` Michael S. Tsirkin
2023-01-27 20:51 ` Carlos Bilbao
2023-01-30 11:36 ` Christophe de Dinechin
2023-01-30 12:00 ` Kirill A. Shutemov
2023-01-30 15:14 ` Michael S. Tsirkin
2023-01-31 10:06 ` Reshetova, Elena
2023-01-31 16:52 ` Christophe de Dinechin
2023-02-02 11:31 ` Reshetova, Elena
2023-02-07 0:27 ` Carlos Bilbao
2023-02-07 6:03 ` Greg Kroah-Hartman
2023-02-07 19:53 ` Carlos Bilbao
2023-02-07 21:55 ` Michael S. Tsirkin
2023-02-08 1:51 ` Theodore Ts'o
2023-02-08 9:31 ` Michael S. Tsirkin
2023-02-08 10:44 ` Reshetova, Elena
2023-02-08 10:58 ` Greg Kroah-Hartman
2023-02-08 16:19 ` Christophe de Dinechin
2023-02-08 17:29 ` Greg Kroah-Hartman
2023-02-08 18:02 ` Dr. David Alan Gilbert
2023-02-08 18:58 ` Thomas Gleixner
2023-02-09 19:48 ` Dr. David Alan Gilbert
2023-02-08 13:00 ` Michael S. Tsirkin
2023-02-08 13:42 ` Theodore Ts'o
2023-02-08 7:19 ` Greg Kroah-Hartman
2023-02-08 10:16 ` Reshetova, Elena
2023-02-08 13:15 ` Michael S. Tsirkin
2023-02-09 14:30 ` Reshetova, Elena
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230201105305-mutt-send-email-mst@kernel.org \
--to=mst@redhat.com \
--cc=aarcange@redhat.com \
--cc=alexander.shishkin@intel.com \
--cc=andi.kleen@intel.com \
--cc=cdupontd@redhat.com \
--cc=cfir@google.com \
--cc=dave.hansen@intel.com \
--cc=dinechin@redhat.com \
--cc=elena.reshetova@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=jasowang@redhat.com \
--cc=jbachmann@google.com \
--cc=jejb@linux.ibm.com \
--cc=jlange@microsoft.com \
--cc=jmorris@namei.org \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=kirill.shutemov@intel.com \
--cc=leon@kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=lukas.wunner@intel.com \
--cc=marcorr@google.com \
--cc=mika.westerberg@linux.intel.com \
--cc=mikelley@microsoft.com \
--cc=peterz@infradead.org \
--cc=pgonda@google.com \
--cc=sathyanarayanan.kuppuswamy@intel.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).