On 11/5/21 1:32 PM, Dov Murik wrote:
On 02/11/2021 16:48, Brijesh Singh wrote:
On 11/2/21 8:22 AM, Dov Murik wrote:
On 02/11/2021 12:52, Brijesh Singh wrote:
Hi Dov,
Overall the patch looks good, only question I have is that now we are
enforce qemu to hash the kernel, initrd and cmdline unconditionally for
any of the SEV guest launches. This requires anyone wanting to
calculating the expected measurement need to account for it. Should we
make the hash page build optional ?
The problem with adding a -enable-add-kernel-hashes QEMU option (or
suboption) is yet another complexity for the user. I'd also argue that
adding these hashes can lead to a more secure VM boot process, so it
makes sense for it to be the default (and maybe introduce a
-allow-insecure-unmeasured-kernel-via-fw-cfg option to prevent the
measurement from changing due to addition of hashes?).
Maybe, on the other hand, OVMF should "report" whether it supports
hashes verification. If it does, it should have the GUID in the table
(near the reset vector), like the current OvmfPkg/AmdSev edk2 build. If
it doesn't support that, then the entry should not appear at all, and
then QEMU won't add the hashes (with patch 1 from this series). This
means that in edk2 we need to remove the SEV Hash Table block from the
ResetVectorVtf0.asm for OvmfPkg, but include it in the AmdSev build.
By leaving it ON is conveying a wrong message to the user. The library
used for verifying the hash is a NULL library for all the builds of Ovmf
except the AmdSev package. In the NULL library case, OVMF does not
perform any checks and hash table is useless. I will raise this on
concern on your Ovmf patch series.
IMHO, if you want to turn it ON by default then make sure all the OVMF
package builds supports validating the hash.
But the problem with this approach is that it prevents the future
unification of AmdSev and OvmfPkg, which is a possibility we discussed
(at least with Dave Gilbert), though not sure it's a good/feasible goal.
This is my exact concern, we are auto enabling the features in Qemu that
is supported by AmdSev package only.
I am thinking this more for the SEV-SNP guest. As you may be aware that
with SEV-SNP the attestation is performed by the guest, and its possible
for the launch flow to pass 512-bits of host_data that gets included in
the report. If a user wants to do the hash'e checks for the SNP then
they can pass a hash of kernel, initrd and cmdline through a
launch_finish.ID_BLOCK.host_data and does not require a special hash
page. This it will simplify the expected hash calculation.
That is a new measured boot "protocol" that we can discuss, and see
whether it's better/easier than the existing one at hand that works on
SEV and SEV-ES.
What I don't understand in your suggestion is who performs a SHA256 of
the fw_cfg blobs (kernel/initrd/cmdline) so they can later be verified
(though ideally earlier is better). Can you describe the details
(step-by-step) of an SNP VM boot with -kernel/-initrd/-append and how
the measurement/attestation is performed?
There are a multiple ways on how you can do a measured boot with the SNP.
1) VMPL0 (SVSM) can provide a complete vTPM (see the MSFT proposal on
SNP mailing list).
2) Use your existing hashing approach with some changes to provide a bit
more flexibility.
3) Use your existing hashing approach but zero out the hash page when
-kernel is not used.
Let me expand #2.
While launching the SNP guest, a guest owner can provide a ID block that
KVM will pass to the PSP during the guest launch flow. In the ID block
there is a field called "host_data". A guest owner can do a hash of
kernel/initrd/cmdline and include it in the "host_data" field. During
the hash verification, the OVMF can call the SNP_GET_REPORT. The PSP
will includes the "host_data" passed in the launch process in the report
and OVMF can use it for the verification. Unlike the current
implementation, this enables a guest owner to provides the hash without
requiring any changes in the Qemu and thus affecting the measurement.
Is there a way (in the current NP patches for OVMF) for OVMF to call
SNP_GET_REPORT? Or is this something we need to add support for? Will it
mess up the sequence numbers that are later going to be used by the
kernel as well when managing SNP guest requests?
The current OVMF patches does not add a library to query the attestation
report yet. If required it should be possible to add such a libraries.
The VMGEXIT is available to both Guest OS and Guest BIOS. The sequence
number should not be an issue. As per the GHCB spec, the guest BIOS will
save the sequence number in the secrets page reserved area and guest
kernel can picked the next number from that region (its same as the
kexec approach).
One thing to note that both #2 and #3 requires ovmf to connect to guest
owner to validate the report before using the "host_data" or "hash page".
For direct boot (with -kernel/-initrd), I don't understand why OVMF
needs to contact the GO. If OVMF can fetch the host_data field, and use
that to verify the blobs delivered from QEMU via fw_cfg, it should be
enough.
Well, I am trying to match with the current model in which the Hash's
are provided through the secrets injection for the comparision. In other
words, the attestation is completed before OVMF does the hash
comparison. So, if you want to have the same security property then you
need to perform the attestation before comparing the hash'es because a
malicious HV may bypass the guid check.
thanks
Later in userspace a user program will contact the GO with the
attestation report (which measures host_data and the OVMF memory). If
the measurement is not what the GO expects, then it won't release the
secret (which should be necessary for the actual meaningful workload
performed in the guest).
This should mitigate the following attacks:
1. Rogue CSP replaces OVMF with a rogue-OVMF that doesn't actually check
the hashes (the GO won't release the secret due to wrong measurement in
attestation report).
2. Rogue CSP uses "good" host_data content (kernel hash) but delivers
malicious kernel via fw_cfg (stopped by OVMF verifying the hashes).
3. Rogue CSP uses malicious kernel and its hashes in host_data (the GO
won't release the secret due to wrong host_data in attestation report).
-Dov
