Re: [PATCH] x86: add SEV hashing to fw_cfg for kernel/initrd/cmdline

From: Dov Murik <dovmurik@linux.ibm.com>
To: "Philippe Mathieu-Daudé" <philmd@redhat.com>,
	"James Bottomley" <jejb@linux.ibm.com>,
	"Connor Kuehl" <ckuehl@redhat.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>,
	Ashish Kalra <ashish.kalra@amd.com>,
	Brijesh Singh <brijesh.singh@amd.com>,
	Eduardo Habkost <ehabkost@redhat.com>,
	"Michael S . Tsirkin" <mst@redhat.com>,
	Richard Henderson <richard.henderson@linaro.org>,
	Tobin Feldman-Fitzthum <tobin@ibm.com>,
	qemu-devel@nongnu.org, Hubertus Franke <frankeh@us.ibm.com>,
	Jim Cadden <jcadden@ibm.com>,
	Tobin Feldman-Fitzthum <tobin@linux.ibm.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Laszlo Ersek <lersek@redhat.com>
Subject: Re: [PATCH] x86: add SEV hashing to fw_cfg for kernel/initrd/cmdline
Date: Thu, 17 Jun 2021 15:48:52 +0300	[thread overview]
Message-ID: <06b28ac7-19ed-edd8-a555-2858e976d964@linux.ibm.com> (raw)
In-Reply-To: <1cff8347-ee38-a0a8-f089-36b28a40b828@redhat.com>

On 15/06/2021 22:53, Philippe Mathieu-Daudé wrote:
> Hi Dov, James,
> 
> +Connor who asked to be reviewer.
> 
> On 6/15/21 5:20 PM, Eduardo Habkost wrote:
>> On Tue, May 25, 2021 at 06:59:31AM +0000, Dov Murik wrote:
>>> From: James Bottomley <jejb@linux.ibm.com>
>>>
>>> If the VM is using memory encryption and also specifies a kernel/initrd
>>> or appended command line, calculate the hashes and add them to the
>>> encrypted data.  For this to work, OVMF must support an encrypted area
>>> to place the data which is advertised via a special GUID in the OVMF
>>> reset table (if the GUID doesn't exist, the user isn't allowed to pass
>>> in the kernel/initrd/cmdline via the fw_cfg interface).
>>>
>>> The hashes of each of the files is calculated (or the string in the case
>>> of the cmdline with trailing '\0' included).  Each entry in the hashes
>>> table is GUID identified and since they're passed through the memcrypt
>>> interface, the hash of the encrypted data will be accumulated by the
>>> PSP.
>>>
>>> Signed-off-by: James Bottomley <jejb@linux.ibm.com>
>>> Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
>>> [dovmurik@linux.ibm.com: use machine->cgs, remove parsing of GUID
>>> strings, remove GCC pragma, fix checkpatch errors]
>>> ---
>>>
>>> OVMF support for handling the table of hashes (verifying that the
>>> kernel/initrd/cmdline passed via the fw_cfg interface indeed correspond
>>> to the measured hashes in the table) will be posted soon to edk2-devel.
>>>
>>> ---
>>>  hw/i386/x86.c | 120 +++++++++++++++++++++++++++++++++++++++++++++++++-
>>>  1 file changed, 119 insertions(+), 1 deletion(-)
>>>
>>
>> This is not an objection to the patch itself, but: can we do
>> something to move all sev-related code to sev.c?  It would make
>> the process of assigning a maintainer and reviewing/merging
>> future patches much simpler.
>>
>> I am not familiar with SEV internals, so my only question is
>> about configurations where SEV is disabled:
>>
>> [...]
>>> diff --git a/hw/i386/x86.c b/hw/i386/x86.c
>>> @@ -778,6 +818,11 @@ void x86_load_linux(X86MachineState *x86ms,
>>>      const char *initrd_filename = machine->initrd_filename;
>>>      const char *dtb_filename = machine->dtb;
>>>      const char *kernel_cmdline = machine->kernel_cmdline;
>>> +    uint8_t buf[HASH_SIZE];
>>> +    uint8_t *hash = buf;
>>> +    size_t hash_len = sizeof(buf);
>>> +    struct sev_hash_table *sev_ht = NULL;
>>> +    int sev_ht_index = 0;
> 
> Can you move all these variable into a structure, and use it as a
> SEV loader context?
> 
> Then each block of code you added can be moved to its own function,
> self-described, working with the previous context.
> 
> The functions can be declared in sev_i386.h and defined in sev.c as
> Eduardo suggested.
> 

Thanks Philippe, I'll try this approach.

I assume you mean that an addition like this:

+    if (sev_ht) {
+        struct sev_hash_table_entry *e = &sev_ht->entries[sev_ht_index++];
+
+        qcrypto_hash_bytes(QCRYPTO_HASH_ALG_SHA256, (char *)kernel_cmdline,
+                           strlen(kernel_cmdline) + 1,
+                           &hash, &hash_len, &error_fatal);
+        memcpy(e->hash, hash, hash_len);
+        e->len = sizeof(*e);
+        memcpy(e->guid, sev_cmdline_entry_guid, sizeof(e->guid));
+    }

will be extracted to a function, and here (in x86_load_linux()) replaced
with a single call:

    sev_kernel_loader_calc_cmdline_hash(&sev_loader_context, kernel_cmdline);

and that function will have an empty stub in non-SEV builds, and a do-
nothing condition (at the beginning) if it's an SEV-disabled VM, and
will do the actual work in SEV VMs.

Right?

Also, should I base my next version on top of the current master, or on
top of your SEV-Housekeeping patch series, or on top of some other tree?

-Dov

>>>  
>>>      /* Align to 16 bytes as a paranoia measure */
>>>      cmdline_size = (strlen(kernel_cmdline) + 16) & ~15;
>>> @@ -799,6 +844,22 @@ void x86_load_linux(X86MachineState *x86ms,
>>>          exit(1);
>>>      }
>>>  
>>> +    if (machine->cgs && machine->cgs->ready) {
>>
>> machine->cgs doesn't seem to be a SEV-specific field.
>> What if machine->cgs->ready is set but SEV is disabled?
>>
>>> +        uint8_t *data;
>>> +        struct sev_hash_table_descriptor *area;
>>> +
>>> +        if (!pc_system_ovmf_table_find(SEV_HASH_TABLE_RV_GUID, &data, NULL)) {
>>> +            fprintf(stderr, "qemu: kernel command line specified but OVMF has "
>>> +                    "no hash table guid\n");
>>> +            exit(1);
>>> +        }
>>> +        area = (struct sev_hash_table_descriptor *)data;
>>> +
>>> +        sev_ht = qemu_map_ram_ptr(NULL, area->base);
>>> +        memcpy(sev_ht->guid, sev_hash_table_header_guid, sizeof(sev_ht->guid));
>>> +        sev_ht->len = sizeof(*sev_ht);
>>> +    }
>>> +
>>>      /* kernel protocol version */
>>>      if (ldl_p(header + 0x202) == 0x53726448) {
>>>          protocol = lduw_p(header + 0x206);
>> [...]
>>
> 