From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"Reshetova, Elena" <elena.reshetova@intel.com>,
"Shishkin, Alexander" <alexander.shishkin@intel.com>,
"Shutemov, Kirill" <kirill.shutemov@intel.com>,
"Kuppuswamy,
Sathyanarayanan" <sathyanarayanan.kuppuswamy@intel.com>,
"Kleen, Andi" <andi.kleen@intel.com>,
"Hansen, Dave" <dave.hansen@intel.com>,
Thomas Gleixner <tglx@linutronix.de>,
Peter Zijlstra <peterz@infradead.org>,
"Wunner, Lukas" <lukas.wunner@intel.com>,
Mika Westerberg <mika.westerberg@linux.intel.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
Jason Wang <jasowang@redhat.com>,
"Poimboe, Josh" <jpoimboe@redhat.com>,
"aarcange@redhat.com" <aarcange@redhat.com>,
Cfir Cohen <cfir@google.com>, Marc Orr <marcorr@google.com>,
"jbachmann@google.com" <jbachmann@google.com>,
"pgonda@google.com" <pgonda@google.com>,
"keescook@chromium.org" <keescook@chromium.org>,
James Morris <jmorris@namei.org>,
Michael Kelley <mikelley@microsoft.com>,
"Lange, Jon" <jlange@microsoft.com>,
"linux-coco@lists.linux.dev" <linux-coco@lists.linux.dev>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: Linux guest kernel threat model for Confidential Computing
Date: Wed, 25 Jan 2023 15:29:00 +0000 [thread overview]
Message-ID: <Y9FKvOYlOv3I24yD@work-vm> (raw)
In-Reply-To: <Y9E5Cg7mreDx737N@redhat.com>
* Daniel P. Berrangé (berrange@redhat.com) wrote:
> On Wed, Jan 25, 2023 at 01:42:53PM +0000, Dr. David Alan Gilbert wrote:
> > * Greg Kroah-Hartman (gregkh@linuxfoundation.org) wrote:
> > > On Wed, Jan 25, 2023 at 12:28:13PM +0000, Reshetova, Elena wrote:
> > > > Hi Greg,
> > > >
> > > > You mentioned couple of times (last time in this recent thread:
> > > > https://lore.kernel.org/all/Y80WtujnO7kfduAZ@kroah.com/) that we ought to start
> > > > discussing the updated threat model for kernel, so this email is a start in this direction.
> > >
> > > Any specific reason you didn't cc: the linux-hardening mailing list?
> > > This seems to be in their area as well, right?
> > >
> > > > As we have shared before in various lkml threads/conference presentations
> > > > ([1], [2], [3] and many others), for the Confidential Computing guest kernel, we have a
> > > > change in the threat model where guest kernel doesn’t anymore trust the hypervisor.
> > >
> > > That is, frankly, a very funny threat model. How realistic is it really
> > > given all of the other ways that a hypervisor can mess with a guest?
> >
> > It's what a lot of people would like; in the early attempts it was easy
> > to defeat, but in TDX and SEV-SNP the hypervisor has a lot less that it
> > can mess with - remember that not just the memory is encrypted, so is
> > the register state, and the guest gets to see changes to mapping and a
> > lot of control over interrupt injection etc.
> >
> > > So what do you actually trust here? The CPU? A device? Nothing?
> >
> > We trust the actual physical CPU, provided that it can prove that it's a
> > real CPU with the CoCo hardware enabled. Both the SNP and TDX hardware
> > can perform an attestation signed by the CPU to prove to someone
> > external that the guest is running on a real trusted CPU.
> >
> > Note that the trust is limited:
> > a) We don't trust that we can make forward progress - if something
> > does something bad it's OK for the guest to stop.
> > b) We don't trust devices, and we don't trust them by having the guest
> > do normal encryption; e.g. just LUKS on the disk and normal encrypted
> > networking. [There's a lot of schemes people are working on about how
> > the guest gets the keys etc for that)
>
> I think we need to more precisely say what we mean by 'trust' as it
> can have quite a broad interpretation.
>
> As a baseline requirement, in the context of confidential computing the
> guest would not trust the hypervisor with data that needs to remain
> confidential, but would generally still expect it to provide a faithful
> implementation of a given device.
>
> IOW, the guest would expect the implementation of virtio-blk devices to
> be functionally correct per the virtio-blk specification, but would not
> trust the host to protect confidentiality any stored data in the disk.
>
> Any virtual device exposed to the guest that can transfer potentially
> sensitive data needs to have some form of guest controlled encryption
> applied. For disks this is easy with FDE like LUKS, for NICs this is
> already best practice for services by using TLS. Other devices may not
> have good existing options for applying encryption.
>
> If the guest has a virtual keyboard, mouse and graphical display, which
> is backed by a VNC/RDP server in the host, then all that is visible to the
> host. There's no pre-existing solutions I know can could offer easy
> confidentiality for basic console I/O from the start of guest firmware
> onwards. The best is to spawn a VNC/RDP server in the guest at some
> point during boot. Means you can't login to the guest in single user
> mode with your root password though, without compromising it.
>
> The problem also applies for common solutions today where the host passes
> in config data to the guest, for consumption by tools like cloud-init.
> This is used in the past to inject an SSH key for example, or set the
> guest root password. Such data received from the host can no longer be
> trusted, as the host can see the data, or subsitute its own SSH key(s)
> in order to gain access. Cloud-init needs to get its config data from
> a trusted source, likely an external attestation server
>
>
> A further challenge surrounds handling of undesirable devices. A goal
> of OS development has been to ensure that both coldplugged and hotplugged
> devices "just work" out of the box with zero guest admin config required.
> To some extent this is contrary to what a confidential guest will want.
> It doesn't want a getty spawned on any console exposed, it doesn't want
> to use a virtio-rng exposed by the host which could be feeding non-random.
>
>
> Protecting against malicious implementations of devices is conceivably
> interesting, as a hardening task. A malicious host may try to take
> advantage of the guest OS device driver impl to exploit the guest OS
> kernel with an end goal of getting into a state where it can be made
> to reveal confidential data that was otherwise protected.
I think this is really what the Intel stuff is trying to protect
against.
Dave
> With regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
next prev parent reply other threads:[~2023-01-25 15:30 UTC|newest]
Thread overview: 102+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-25 12:28 Linux guest kernel threat model for Confidential Computing Reshetova, Elena
2023-01-25 12:43 ` Greg Kroah-Hartman
2023-01-25 13:42 ` Dr. David Alan Gilbert
2023-01-25 14:13 ` Daniel P. Berrangé
2023-01-25 15:29 ` Dr. David Alan Gilbert [this message]
2023-01-26 14:23 ` Richard Weinberger
2023-01-26 14:58 ` Dr. David Alan Gilbert
2023-01-26 15:13 ` Richard Weinberger
2023-01-26 15:22 ` Dr. David Alan Gilbert
2023-01-26 15:55 ` Daniel P. Berrangé
2023-01-27 9:02 ` Jörg Rödel
2023-01-26 15:43 ` Daniel P. Berrangé
2023-01-27 11:23 ` Reshetova, Elena
2023-01-30 11:30 ` Christophe de Dinechin
2023-01-25 14:22 ` Greg Kroah-Hartman
2023-01-25 14:30 ` James Bottomley
2023-01-25 14:57 ` Dr. David Alan Gilbert
2023-01-25 15:16 ` Greg Kroah-Hartman
2023-01-25 15:45 ` Michael S. Tsirkin
2023-01-25 16:02 ` Kirill A. Shutemov
2023-01-25 17:47 ` Michael S. Tsirkin
2023-01-25 15:50 ` Dr. David Alan Gilbert
2023-01-25 18:47 ` Jiri Kosina
2023-01-26 9:19 ` Jörg Rödel
2023-01-25 21:53 ` Lukas Wunner
2023-01-26 10:48 ` Dr. David Alan Gilbert
2023-01-26 11:24 ` Jonathan Cameron
2023-01-26 13:32 ` Samuel Ortiz
[not found] ` <CAGXJix9-cXNW7EwJf0PVzj_Qmt5fmQvBX1KvXfRX5NAeEpnMvw@mail.gmail.com>
2023-01-26 10:58 ` Jonathan Cameron
2023-01-26 13:15 ` Samuel Ortiz
2023-01-26 16:07 ` Jonathan Cameron
2023-01-27 7:02 ` Samuel Ortiz
2023-01-26 15:44 ` Lukas Wunner
2023-01-26 16:25 ` Michael S. Tsirkin
2023-01-26 21:41 ` Lukas Wunner
2023-01-27 7:17 ` Samuel Ortiz
2023-01-25 20:13 ` Jiri Kosina
2023-01-26 13:13 ` Reshetova, Elena
2023-01-25 15:29 ` Reshetova, Elena
2023-01-25 16:40 ` Theodore Ts'o
2023-01-26 8:08 ` Reshetova, Elena
2023-01-26 11:19 ` Leon Romanovsky
2023-01-26 11:29 ` Reshetova, Elena
2023-01-26 12:30 ` Leon Romanovsky
2023-01-26 13:28 ` Reshetova, Elena
2023-01-26 13:50 ` Leon Romanovsky
2023-01-26 20:54 ` Theodore Ts'o
2023-01-27 19:24 ` James Bottomley
2023-01-30 7:42 ` Reshetova, Elena
2023-01-30 12:40 ` James Bottomley
2023-01-31 11:31 ` Reshetova, Elena
2023-01-31 13:28 ` James Bottomley
2023-01-31 15:14 ` Christophe de Dinechin
2023-01-31 17:39 ` Michael S. Tsirkin
2023-02-01 10:52 ` Christophe de Dinechin Dupont de Dinechin
2023-02-01 11:01 ` Michael S. Tsirkin
2023-02-01 13:15 ` Christophe de Dinechin Dupont de Dinechin
2023-02-01 16:02 ` Michael S. Tsirkin
2023-02-01 17:13 ` Christophe de Dinechin
2023-02-06 18:58 ` Dr. David Alan Gilbert
2023-02-02 3:24 ` Jason Wang
2023-02-01 10:24 ` Christophe de Dinechin
2023-01-31 16:34 ` Reshetova, Elena
2023-01-31 17:49 ` James Bottomley
2023-02-02 14:51 ` Jeremi Piotrowski
2023-02-03 14:05 ` Reshetova, Elena
2023-01-27 9:32 ` Jörg Rödel
2023-01-26 13:58 ` Dr. David Alan Gilbert
2023-01-26 17:48 ` Reshetova, Elena
2023-01-26 18:06 ` Leon Romanovsky
2023-01-26 18:14 ` Dr. David Alan Gilbert
2023-01-26 16:29 ` Michael S. Tsirkin
2023-01-27 8:52 ` Reshetova, Elena
2023-01-27 10:04 ` Michael S. Tsirkin
2023-01-27 12:25 ` Reshetova, Elena
2023-01-27 14:32 ` Michael S. Tsirkin
2023-01-27 20:51 ` Carlos Bilbao
2023-01-30 11:36 ` Christophe de Dinechin
2023-01-30 12:00 ` Kirill A. Shutemov
2023-01-30 15:14 ` Michael S. Tsirkin
2023-01-31 10:06 ` Reshetova, Elena
2023-01-31 16:52 ` Christophe de Dinechin
2023-02-02 11:31 ` Reshetova, Elena
2023-02-07 0:27 ` Carlos Bilbao
2023-02-07 6:03 ` Greg Kroah-Hartman
2023-02-07 19:53 ` Carlos Bilbao
2023-02-07 21:55 ` Michael S. Tsirkin
2023-02-08 1:51 ` Theodore Ts'o
2023-02-08 9:31 ` Michael S. Tsirkin
2023-02-08 10:44 ` Reshetova, Elena
2023-02-08 10:58 ` Greg Kroah-Hartman
2023-02-08 16:19 ` Christophe de Dinechin
2023-02-08 17:29 ` Greg Kroah-Hartman
2023-02-08 18:02 ` Dr. David Alan Gilbert
2023-02-08 18:58 ` Thomas Gleixner
2023-02-09 19:48 ` Dr. David Alan Gilbert
2023-02-08 13:00 ` Michael S. Tsirkin
2023-02-08 13:42 ` Theodore Ts'o
2023-02-08 7:19 ` Greg Kroah-Hartman
2023-02-08 10:16 ` Reshetova, Elena
2023-02-08 13:15 ` Michael S. Tsirkin
2023-02-09 14:30 ` Reshetova, Elena
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y9FKvOYlOv3I24yD@work-vm \
--to=dgilbert@redhat.com \
--cc=aarcange@redhat.com \
--cc=alexander.shishkin@intel.com \
--cc=andi.kleen@intel.com \
--cc=berrange@redhat.com \
--cc=cfir@google.com \
--cc=dave.hansen@intel.com \
--cc=elena.reshetova@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=jasowang@redhat.com \
--cc=jbachmann@google.com \
--cc=jlange@microsoft.com \
--cc=jmorris@namei.org \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=kirill.shutemov@intel.com \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=lukas.wunner@intel.com \
--cc=marcorr@google.com \
--cc=mika.westerberg@linux.intel.com \
--cc=mikelley@microsoft.com \
--cc=mst@redhat.com \
--cc=peterz@infradead.org \
--cc=pgonda@google.com \
--cc=sathyanarayanan.kuppuswamy@intel.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).