On 27/10/2021 22:43, Brijesh Singh wrote:
> Hi Dov,
>
> Sorry for coming a bit late on it but I am seeing another issue with
> this patch. The hash build logic looks for a SEV_HASH_TABLE_RV_GUID in
> the GUID list. If found, it uses the base address to store the hash'es.
> Looking at the OVMF, it seems that base address for this GUID is zero.
Yes, I managed to reproduce this. With the OvmfPkgX64 build I see that
the GUID exists but base=0 and size=0. That size should be illegal
anyway for QEMU to fill.
> It seems that by default the Base Address is non-zero for the AmdSev
> Package build only.
>
> Can we add a check in the sev_add_kernel_loader_hashes() to verify that
> base address is non-zero and at the same time improve OVMF to update
> *.fdf to reserve this page in the MEMFD ?
I'll prepare QEMU fixes:
1. (reported by Tom) when no SEV_HASH_TABLE_RV_GUID entry is found -
just warn and continue boot.
2. (reported by Brijesh) verify that base != 0 (supposedly GPA 0 is a
valid address, but I'm willing to take a chance here and not allow it)
and size is big enough for the hashes table structure+padding. If not,
warn and continue boot.
Separately I'll try to solve the issue in the other OVMF *.fdf's.
Thanks for reporting this.
-Dov
>
> Thanks
> Brijesh
>
> On 10/20/21 10:26 AM, Tom Lendacky wrote:
>> On 10/19/21 1:18 AM, Dov Murik wrote:
>>> On 18/10/2021 21:02, Tom Lendacky wrote:
>>>> On 9/30/21 12:49 AM, Dov Murik wrote:
>>>>
>>>> ...
>>>>
>>>>> +/*
>>>>> + * Add the hashes of the linux kernel/initrd/cmdline to an encrypted
>>>>> guest page
>>>>> + * which is included in SEV's initial memory measurement.
>>>>> + */
>>>>> +bool sev_add_kernel_loader_hashes(SevKernelLoaderContext *ctx, Error
>>>>> **errp)
>>>>> +{
>>>>> + uint8_t *data;
>>>>> + SevHashTableDescriptor *area;
>>>>> + SevHashTable *ht;
>>>>> + uint8_t cmdline_hash[HASH_SIZE];
>>>>> + uint8_t initrd_hash[HASH_SIZE];
>>>>> + uint8_t kernel_hash[HASH_SIZE];
>>>>> + uint8_t *hashp;
>>>>> + size_t hash_len = HASH_SIZE;
>>>>> + int aligned_len;
>>>>> +
>>>>> + if (!pc_system_ovmf_table_find(SEV_HASH_TABLE_RV_GUID, &data,
>>>>> NULL)) {
>>>>> + error_setg(errp, "SEV: kernel specified but OVMF has no hash
>>>>> table guid");
>>>>> + return false;
>>>>> + }
>>>>
>>>> This breaks backwards compatibility with an older OVMF image. Any older
>>>> OVMF image with SEV support that doesn't have the hash table GUID will
>>>> now fail to boot using -kernel/-initrd/-append, where it used to be
>>>> able
>>>> to boot before.
>>>>
>>>
>>>
>>> Thanks Tom for noticing this.
>>>
>>> Just so we're on the same page: this patch is already merged.
>>
>> Right, just not in a release, yet.
>>
>>>
>>>
>>> We're dealing with a scenario of launching a guest with SEV enabled and
>>> with -kernel. The behaviours are:
>>>
>>>
>>> A. With current QEMU:
>>>
>>> A1. New AmdSev OVMF build: OVMF will verify the hashes and boot
>>> correctly.
>>> A2. New Generic OvmfPkgX64 build: No verification but will boot
>>> correctly.
>>>
>>> A3. Old AmdSev OVMF build: QEMU aborts the launch because there's no
>>> hash table GUID.
>>> A4. Old Generic OvmfPkgX64 build: QEMU aborts the launch because there's
>>> no hash table GUID.
>>>
>>>
>>> B. With older QEMU (before this patch was merged):
>>>
>>> B1. New AmdSev OVMF build: OVMF will try to verify the hashes but they
>>> are not populated; boot aborted.
>>> B2. New Generic OvmfPkgX64 build: No verification but will boot
>>> correctly.
>>>
>>> B3. Old AmdSev OVMF build: OVMF aborts the launch because -kernel is not
>>> supported at all.
>>> B4. Old Generic OvmfPkgX64 build: No verification but will boot
>>> correctly.
>>>
>>>
>>> So the problem you are raising is scenario A4 (as opposed to previous
>>> behaviour B4).
>>
>> Correct, scenario A4.
>>
>>>
>>>
>>>
>>>> Is that anything we need to be concerned about?
>>>>
>>>
>>> Possible solutions:
>>>
>>> 1. Do nothing. For users that encounter this: tell them to upgrade OVMF.
>>> 2. Modify the code: remove the line: error_setg(errp, "SEV: kernel
>>> specified but OVMF has no hash table guid")
>>>
>>> I think that option 2 will not degrade security *if* the Guest Owner
>>> verifies the measurement (which is mandatory anyway; otherwise the
>>> untrusted host can replace OVMF with a "malicious" version that doesn't
>>> verify the hashes). Skipping silently might make debugging a bit harder.
>>> Maybe we can print a warning and return, and then the guest launch will
>>> continue?
>>
>> That sounds like it might be the best approach if there are no
>> security concerns. I agree with printing a message, either
>> informational or warning is ok by me.
>>
>> Lets see if anyone else has some thoughts/ideas.
>>
>> Thanks,
>> Tom
>>
>>>
>>> Other ideas?
>>>
>>>
>>> -Dov
>>>
