From: Tom Lendacky <thomas.lendacky@amd.com>
To: Joerg Roedel <joro@8bytes.org>, x86@kernel.org
Cc: Juergen Gross <jgross@suse.com>,
Martin Radev <martin.b.radev@gmail.com>,
Joerg Roedel <jroedel@suse.de>, Mike Stunes <mstunes@vmware.com>,
Kees Cook <keescook@chromium.org>,
kvm@vger.kernel.org, Peter Zijlstra <peterz@infradead.org>,
Cfir Cohen <cfir@google.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
linux-kernel@vger.kernel.org,
virtualization@lists.linux-foundation.org,
Arvind Sankar <nivedita@alum.mit.edu>,
Masami Hiramatsu <mhiramat@kernel.org>,
Andy Lutomirski <luto@kernel.org>,
hpa@zytor.com, Erdem Aktas <erdemaktas@google.com>,
David Rientjes <rientjes@google.com>,
Dan Williams <dan.j.williams@intel.com>,
Sean Christopherson <seanjc@google.com>,
Jiri Slaby <jslaby@suse.cz>
Subject: Re: [PATCH v3 2/8] x86/sev: Do not require Hypervisor CPUID bit for SEV guests
Date: Wed, 17 Mar 2021 10:04:19 -0500 [thread overview]
Message-ID: <85d933fb-3839-79b6-a151-0c8f9ae44230@amd.com> (raw)
In-Reply-To: <20210312123824.306-3-joro@8bytes.org>
On 3/12/21 6:38 AM, Joerg Roedel wrote:
> From: Joerg Roedel <jroedel@suse.de>
>
> A malicious hypervisor could disable the CPUID intercept for an SEV or
> SEV-ES guest and trick it into the no-SEV boot path, where it could
> potentially reveal secrets. This is not an issue for SEV-SNP guests,
> as the CPUID intercept can't be disabled for those.
>
> Remove the Hypervisor CPUID bit check from the SEV detection code to
> protect against this kind of attack and add a Hypervisor bit equals
> zero check to the SME detection path to prevent non-SEV guests from
> trying to enable SME.
>
> This handles the following cases:
>
> 1) SEV(-ES) guest where CPUID intercept is disabled. The guest
> will still see leaf 0x8000001f and the SEV bit. It can
> retrieve the C-bit and boot normally.
>
> 2) Non-SEV guests with intercepted CPUID will check SEV_STATUS
> MSR and find it 0 and will try to enable SME. This will
> fail when the guest finds MSR_K8_SYSCFG to be zero, as it
> is emulated by KVM. But we can't rely on that, as there
> might be other hypervisors which return this MSR with bit
> 23 set. The Hypervisor bit check will prevent that the
> guest tries to enable SME in this case.
>
> 3) Non-SEV guests on SEV capable hosts with CPUID intercept
> disabled (by a malicious hypervisor) will try to boot into
> the SME path. This will fail, but it is also not considered
> a problem because non-encrypted guests have no protection
> against the hypervisor anyway.
>
> Signed-off-by: Joerg Roedel <jroedel@suse.de>
Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
> ---
> arch/x86/boot/compressed/mem_encrypt.S | 6 -----
> arch/x86/kernel/sev-es-shared.c | 6 +----
> arch/x86/mm/mem_encrypt_identity.c | 35 ++++++++++++++------------
> 3 files changed, 20 insertions(+), 27 deletions(-)
>
> diff --git a/arch/x86/boot/compressed/mem_encrypt.S b/arch/x86/boot/compressed/mem_encrypt.S
> index aa561795efd1..a6dea4e8a082 100644
> --- a/arch/x86/boot/compressed/mem_encrypt.S
> +++ b/arch/x86/boot/compressed/mem_encrypt.S
> @@ -23,12 +23,6 @@ SYM_FUNC_START(get_sev_encryption_bit)
> push %ecx
> push %edx
>
> - /* Check if running under a hypervisor */
> - movl $1, %eax
> - cpuid
> - bt $31, %ecx /* Check the hypervisor bit */
> - jnc .Lno_sev
> -
> movl $0x80000000, %eax /* CPUID to check the highest leaf */
> cpuid
> cmpl $0x8000001f, %eax /* See if 0x8000001f is available */
> diff --git a/arch/x86/kernel/sev-es-shared.c b/arch/x86/kernel/sev-es-shared.c
> index cdc04d091242..387b71669818 100644
> --- a/arch/x86/kernel/sev-es-shared.c
> +++ b/arch/x86/kernel/sev-es-shared.c
> @@ -186,7 +186,6 @@ void __init do_vc_no_ghcb(struct pt_regs *regs, unsigned long exit_code)
> * make it accessible to the hypervisor.
> *
> * In particular, check for:
> - * - Hypervisor CPUID bit
> * - Availability of CPUID leaf 0x8000001f
> * - SEV CPUID bit.
> *
> @@ -194,10 +193,7 @@ void __init do_vc_no_ghcb(struct pt_regs *regs, unsigned long exit_code)
> * can't be checked here.
> */
>
> - if ((fn == 1 && !(regs->cx & BIT(31))))
> - /* Hypervisor bit */
> - goto fail;
> - else if (fn == 0x80000000 && (regs->ax < 0x8000001f))
> + if (fn == 0x80000000 && (regs->ax < 0x8000001f))
> /* SEV leaf check */
> goto fail;
> else if ((fn == 0x8000001f && !(regs->ax & BIT(1))))
> diff --git a/arch/x86/mm/mem_encrypt_identity.c b/arch/x86/mm/mem_encrypt_identity.c
> index 6c5eb6f3f14f..a19374d26101 100644
> --- a/arch/x86/mm/mem_encrypt_identity.c
> +++ b/arch/x86/mm/mem_encrypt_identity.c
> @@ -503,14 +503,10 @@ void __init sme_enable(struct boot_params *bp)
>
> #define AMD_SME_BIT BIT(0)
> #define AMD_SEV_BIT BIT(1)
> - /*
> - * Set the feature mask (SME or SEV) based on whether we are
> - * running under a hypervisor.
> - */
> - eax = 1;
> - ecx = 0;
> - native_cpuid(&eax, &ebx, &ecx, &edx);
> - feature_mask = (ecx & BIT(31)) ? AMD_SEV_BIT : AMD_SME_BIT;
> +
> + /* Check the SEV MSR whether SEV or SME is enabled */
> + sev_status = __rdmsr(MSR_AMD64_SEV);
> + feature_mask = (sev_status & MSR_AMD64_SEV_ENABLED) ? AMD_SEV_BIT : AMD_SME_BIT;
>
> /*
> * Check for the SME/SEV feature:
> @@ -530,19 +526,26 @@ void __init sme_enable(struct boot_params *bp)
>
> /* Check if memory encryption is enabled */
> if (feature_mask == AMD_SME_BIT) {
> + /*
> + * No SME if Hypervisor bit is set. This check is here to
> + * prevent a guest from trying to enable SME. For running as a
> + * KVM guest the MSR_K8_SYSCFG will be sufficient, but there
> + * might be other hypervisors which emulate that MSR as non-zero
> + * or even pass it through to the guest.
> + * A malicious hypervisor can still trick a guest into this
> + * path, but there is no way to protect against that.
> + */
> + eax = 1;
> + ecx = 0;
> + native_cpuid(&eax, &ebx, &ecx, &edx);
> + if (ecx & BIT(31))
> + return;
> +
> /* For SME, check the SYSCFG MSR */
> msr = __rdmsr(MSR_K8_SYSCFG);
> if (!(msr & MSR_K8_SYSCFG_MEM_ENCRYPT))
> return;
> } else {
> - /* For SEV, check the SEV MSR */
> - msr = __rdmsr(MSR_AMD64_SEV);
> - if (!(msr & MSR_AMD64_SEV_ENABLED))
> - return;
> -
> - /* Save SEV_STATUS to avoid reading MSR again */
> - sev_status = msr;
> -
> /* SEV state cannot be controlled by a command line option */
> sme_me_mask = me_mask;
> sev_enabled = true;
>
_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
next prev parent reply other threads:[~2021-03-17 15:04 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-12 12:38 [PATCH v3 0/8] x86/seves: Support 32-bit boot path and other updates Joerg Roedel
2021-03-12 12:38 ` [PATCH v3 1/8] x86/boot/compressed/64: Cleanup exception handling before booting kernel Joerg Roedel
2021-03-12 12:38 ` [PATCH v3 2/8] x86/sev: Do not require Hypervisor CPUID bit for SEV guests Joerg Roedel
2021-03-17 15:04 ` Tom Lendacky [this message]
2021-03-12 12:38 ` [PATCH v3 3/8] x86/boot/compressed/64: Reload CS in startup_32 Joerg Roedel
2021-03-12 12:38 ` [PATCH v3 4/8] x86/boot/compressed/64: Setup IDT in startup_32 boot path Joerg Roedel
2021-03-12 12:38 ` [PATCH v3 5/8] x86/boot/compressed/64: Add 32-bit boot #VC handler Joerg Roedel
2021-03-12 12:38 ` [PATCH v3 6/8] x86/boot/compressed/64: Add CPUID sanity check to 32-bit boot-path Joerg Roedel
2021-03-12 12:38 ` [PATCH v3 7/8] x86/boot/compressed/64: Check SEV encryption in " Joerg Roedel
2021-03-12 12:38 ` [PATCH v3 8/8] x86/sev-es: Replace open-coded hlt-loops with sev_es_terminate() Joerg Roedel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=85d933fb-3839-79b6-a151-0c8f9ae44230@amd.com \
--to=thomas.lendacky@amd.com \
--cc=cfir@google.com \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=erdemaktas@google.com \
--cc=hpa@zytor.com \
--cc=jgross@suse.com \
--cc=joro@8bytes.org \
--cc=jroedel@suse.de \
--cc=jslaby@suse.cz \
--cc=keescook@chromium.org \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=martin.b.radev@gmail.com \
--cc=mhiramat@kernel.org \
--cc=mstunes@vmware.com \
--cc=nivedita@alum.mit.edu \
--cc=peterz@infradead.org \
--cc=rientjes@google.com \
--cc=seanjc@google.com \
--cc=virtualization@lists.linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).