qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed
From: "Michael S. Tsirkin" <mst@redhat.com>
To: Dov Murik <dovmurik@linux.ibm.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>,
	Ashish Kalra <ashish.kalra@amd.com>,
	Brijesh Singh <brijesh.singh@amd.com>,
	Eduardo Habkost <ehabkost@redhat.com>,
	Connor Kuehl <ckuehl@redhat.com>,
	Tobin Feldman-Fitzthum <tobin@ibm.com>,
	James Bottomley <jejb@linux.ibm.com>,
	Richard Henderson <richard.henderson@linaro.org>,
	qemu-devel@nongnu.org,
	"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
	Hubertus Franke <frankeh@us.ibm.com>,
	Tobin Feldman-Fitzthum <tobin@linux.ibm.com>,
	Jim Cadden <jcadden@ibm.com>, Paolo Bonzini <pbonzini@redhat.com>,
	Laszlo Ersek <lersek@redhat.com>
Subject: Re: [PATCH] x86: add SEV hashing to fw_cfg for kernel/initrd/cmdline
Date: Sun, 4 Jul 2021 02:29:22 -0400	[thread overview]
Message-ID: <20210704022842-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <0f36d5a0-c063-4ba7-ceca-f09d8f37fb3e@linux.ibm.com>

On Sun, Jul 04, 2021 at 09:16:59AM +0300, Dov Murik wrote:
> Hi Michael,
> 
> [+cc Connor, Dave]
> 
> On 03/07/2021 19:42, Michael S. Tsirkin wrote:
> > On Tue, May 25, 2021 at 06:59:31AM +0000, Dov Murik wrote:
> >> From: James Bottomley <jejb@linux.ibm.com>
> >>
> >> If the VM is using memory encryption and also specifies a kernel/initrd
> >> or appended command line, calculate the hashes and add them to the
> >> encrypted data.  For this to work, OVMF must support an encrypted area
> >> to place the data which is advertised via a special GUID in the OVMF
> >> reset table (if the GUID doesn't exist, the user isn't allowed to pass
> >> in the kernel/initrd/cmdline via the fw_cfg interface).
> > 
> > Sorry about asking basic questions so late in the game.
> 
> No worries. Please noice there's a newer version:
> 
> https://lore.kernel.org/qemu-devel/20210624102040.2015280-1-dovmurik@linux.ibm.com/
> 
> 
> > I'm a bit curious why this feature makes sense. If someone can play
> > with a Linux kernel command line isn't it pretty much game over security
> > wise? What protections does Linux have against malicious actors
> > manipulating the command line?
> > 
> 
> You're right -- if the host can modify the kernel command-line it's a game over.
> 
> This is why this patch (together with the corresponding OVMF patches; still
> under review) measures and verifies the content of the kernel blob and
> the initrd blob *and* the command-line blob.
> 
> Any modification/omission of any of them by the host will make the expected
> SEV PSP measurement invalid, which should then indicate to the Guest Owner that
> something is wrong with this guest.  At that point the Guest Owner should
> refuse to inject secrets into the guest (and also complain to the Cloud
> Service Provider).
> 
> -Dov

Got it, thanks!

-- 
MST



      reply	other threads:[~2021-07-04  6:30 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-05-25  6:59 [PATCH] x86: add SEV hashing to fw_cfg for kernel/initrd/cmdline Dov Murik
2021-05-25 13:10 ` Dov Murik
2021-06-14  7:08 ` Dov Murik
2021-06-15 15:20 ` Eduardo Habkost
2021-06-15 19:53   ` Philippe Mathieu-Daudé
2021-06-17 12:48     ` Dov Murik
2021-06-17 15:48       ` Philippe Mathieu-Daudé
2021-06-21  8:44         ` Thomas Huth
2021-06-21  9:15           ` Philippe Mathieu-Daudé
2021-06-21  9:42             ` Philippe Mathieu-Daudé
2021-06-17 17:22       ` Eduardo Habkost
2021-06-17 19:16         ` Dov Murik
2021-06-17 20:35           ` Eduardo Habkost
2021-06-16 12:04   ` Dov Murik
2021-07-03 16:42 ` Michael S. Tsirkin
2021-07-04  6:16   ` Dov Murik
2021-07-04  6:29     ` Michael S. Tsirkin [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210704022842-mutt-send-email-mst@kernel.org \
    --to=mst@redhat.com \
    --cc=ashish.kalra@amd.com \
    --cc=brijesh.singh@amd.com \
    --cc=ckuehl@redhat.com \
    --cc=dgilbert@redhat.com \
    --cc=dovmurik@linux.ibm.com \
    --cc=ehabkost@redhat.com \
    --cc=frankeh@us.ibm.com \
    --cc=jcadden@ibm.com \
    --cc=jejb@linux.ibm.com \
    --cc=lersek@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=richard.henderson@linaro.org \
    --cc=thomas.lendacky@amd.com \
    --cc=tobin@ibm.com \
    --cc=tobin@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).