Re: [PATCH v4 1/2] sev/i386: Introduce sev_add_kernel_loader_hashes for measured linux boot

[Dov Murik <dovmurik@linux.ibm.com>]

On 28/10/2021 11:41, Dov Murik wrote:
> 
> 
> On 27/10/2021 22:43, Brijesh Singh wrote:
>> Hi Dov,
>>
>> Sorry for coming a bit late on it but I am seeing another issue with
>> this patch. The hash build logic looks for a SEV_HASH_TABLE_RV_GUID in
>> the GUID list. If found, it uses the base address to store the hash'es.
>> Looking at the OVMF, it seems that base address for this GUID is zero.
> 
> Yes, I managed to reproduce this.  With the OvmfPkgX64 build I see that
> the GUID exists but base=0 and size=0.  That size should be illegal
> anyway for QEMU to fill.
> 
> 
>> It seems that by default the Base Address is non-zero for the AmdSev
>> Package build only.
>>
>> Can we add a check in the sev_add_kernel_loader_hashes() to verify that
>> base address is non-zero and at the same time improve OVMF to update
>> *.fdf to reserve this page in the MEMFD ?
> 
> I'll prepare QEMU fixes:
> 
> 1. (reported by Tom) when no SEV_HASH_TABLE_RV_GUID entry is found -
> just warn and continue boot.
> 2. (reported by Brijesh) verify that base != 0 (supposedly GPA 0 is a
> valid address, but I'm willing to take a chance here and not allow it)
> and size is big enough for the hashes table structure+padding. If not,
> warn and continue boot.

I submitted this small series [1].  Tom, Brijesh, I hope this solves
the issues you're experiencing and allows you to boot (and
displays a QEMU warning during launch).

[1] https://lore.kernel.org/qemu-devel/20211101102136.1706421-1-dovmurik@linux.ibm.com/


-Dov


> 
> Separately I'll try to solve the issue in the other OVMF *.fdf's.
> 
> 
> 
> Thanks for reporting this.
> 
> -Dov
> 
> 
>>
>> Thanks
>> Brijesh
>>
>> On 10/20/21 10:26 AM, Tom Lendacky wrote:
>>> On 10/19/21 1:18 AM, Dov Murik wrote:
>>>> On 18/10/2021 21:02, Tom Lendacky wrote:
>>>>> On 9/30/21 12:49 AM, Dov Murik wrote:
>>>>>
>>>>> ...
>>>>>
>>>>>> +/*
>>>>>> + * Add the hashes of the linux kernel/initrd/cmdline to an encrypted
>>>>>> guest page
>>>>>> + * which is included in SEV's initial memory measurement.
>>>>>> + */
>>>>>> +bool sev_add_kernel_loader_hashes(SevKernelLoaderContext *ctx, Error
>>>>>> **errp)
>>>>>> +{
>>>>>> +    uint8_t *data;
>>>>>> +    SevHashTableDescriptor *area;
>>>>>> +    SevHashTable *ht;
>>>>>> +    uint8_t cmdline_hash[HASH_SIZE];
>>>>>> +    uint8_t initrd_hash[HASH_SIZE];
>>>>>> +    uint8_t kernel_hash[HASH_SIZE];
>>>>>> +    uint8_t *hashp;
>>>>>> +    size_t hash_len = HASH_SIZE;
>>>>>> +    int aligned_len;
>>>>>> +
>>>>>> +    if (!pc_system_ovmf_table_find(SEV_HASH_TABLE_RV_GUID, &data,
>>>>>> NULL)) {
>>>>>> +        error_setg(errp, "SEV: kernel specified but OVMF has no hash
>>>>>> table guid");
>>>>>> +        return false;
>>>>>> +    }
>>>>>
>>>>> This breaks backwards compatibility with an older OVMF image. Any older
>>>>> OVMF image with SEV support that doesn't have the hash table GUID will
>>>>> now fail to boot using -kernel/-initrd/-append, where it used to be
>>>>> able
>>>>> to boot before.
>>>>>
>>>>
>>>>
>>>> Thanks Tom for noticing this.
>>>>
>>>> Just so we're on the same page: this patch is already merged.
>>>
>>> Right, just not in a release, yet.
>>>
>>>>
>>>>
>>>> We're dealing with a scenario of launching a guest with SEV enabled and
>>>> with -kernel.  The behaviours are:
>>>>
>>>>
>>>> A. With current QEMU:
>>>>
>>>> A1. New AmdSev OVMF build: OVMF will verify the hashes and boot
>>>> correctly.
>>>> A2. New Generic OvmfPkgX64 build: No verification but will boot
>>>> correctly.
>>>>
>>>> A3. Old AmdSev OVMF build: QEMU aborts the launch because there's no
>>>> hash table GUID.
>>>> A4. Old Generic OvmfPkgX64 build: QEMU aborts the launch because there's
>>>> no hash table GUID.
>>>>
>>>>
>>>> B. With older QEMU (before this patch was merged):
>>>>
>>>> B1. New AmdSev OVMF build: OVMF will try to verify the hashes but they
>>>> are not populated; boot aborted.
>>>> B2. New Generic OvmfPkgX64 build: No verification but will boot
>>>> correctly.
>>>>
>>>> B3. Old AmdSev OVMF build: OVMF aborts the launch because -kernel is not
>>>> supported at all.
>>>> B4. Old Generic OvmfPkgX64 build: No verification but will boot
>>>> correctly.
>>>>
>>>>
>>>> So the problem you are raising is scenario A4 (as opposed to previous
>>>> behaviour B4).
>>>
>>> Correct, scenario A4.
>>>
>>>>
>>>>
>>>>
>>>>> Is that anything we need to be concerned about?
>>>>>
>>>>
>>>> Possible solutions:
>>>>
>>>> 1. Do nothing. For users that encounter this: tell them to upgrade OVMF.
>>>> 2. Modify the code: remove the line: error_setg(errp, "SEV: kernel
>>>> specified but OVMF has no hash table guid")
>>>>
>>>> I think that option 2 will not degrade security *if* the Guest Owner
>>>> verifies the measurement (which is mandatory anyway; otherwise the
>>>> untrusted host can replace OVMF with a "malicious" version that doesn't
>>>> verify the hashes). Skipping silently might make debugging a bit harder.
>>>> Maybe we can print a warning and return, and then the guest launch will
>>>> continue?
>>>
>>> That sounds like it might be the best approach if there are no
>>> security concerns. I agree with printing a message, either
>>> informational or warning is ok by me.
>>>
>>> Lets see if anyone else has some thoughts/ideas.
>>>
>>> Thanks,
>>> Tom
>>>
>>>>
>>>> Other ideas?
>>>>
>>>>
>>>> -Dov
>>>>