[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] AMD SEV's /dev/sev permissions and probing QEMU for cap
From: |
Daniel P . Berrangé |
Subject: |
Re: [Qemu-devel] AMD SEV's /dev/sev permissions and probing QEMU for capabilities |
Date: |
Wed, 23 Jan 2019 13:10:42 +0000 |
User-agent: |
Mutt/1.10.1 (2018-07-13) |
On Wed, Jan 23, 2019 at 01:55:06PM +0100, Erik Skultety wrote:
> On Fri, Jan 18, 2019 at 12:51:50PM +0000, Singh, Brijesh wrote:
> >
> > On 1/18/19 3:39 AM, Erik Skultety wrote:
> > > Hi,
> > > this is a summary of a private discussion I've had with guys CC'd on this
> > > email
> > > about finding a solution to [1] - basically, the default permissions on
> > > /dev/sev (below) make it impossible to query for SEV platform
> > > capabilities,
> > > since by default we run QEMU as qemu:qemu when probing for capabilities.
> > > It's
> > > worth noting is that this is only relevant to probing, since for a proper
> > > QEMU
> > > VM we create a mount namespace for the process and chown all the nodes
> > > (needs a
> > > SEV fix though).
> > >
> > > # ll /dev/sev
> > > crw-------. 1 root root
> > >
> > > I suggested either force running QEMU as root for probing (despite the
> > > obvious
> > > security implications) or using namespaces for probing too. Dan argued
> > > that
> > > this would have a significant perf impact and suggested we ask systemd to
> > > add a
> > > global udev rule.
> > >
> > > I proceeded with cloning [1] to systemd and creating an udev rule that I
> > > planned
> > > on submitting to systemd upstream - the initial idea was to mimic
> > > /dev/kvm and
> > > make it world accessible to which Brijesh from AMD expressed a concern
> > > that
> > > regular users might deplete the resources (limit on the number of guests
> > > allowed by the platform).
> >
> >
> > During private discussion I didn't realized that we are discussing a
> > probe issue hence things I have said earlier may not be applicable
> > during the probe. The /dev/sev is managed by the CCP (aka PSP) driver.
> > The /dev/sev is used for communicating with the SEV FW running inside
> > the PSP. The SEV FW offers platform and guest specific services. The
> > guest specific services are used during the guest launch, these services
> > are available through KVM driver only. Whereas the platform services can
> > be invoked at anytime. A typical platform specific services are:
> >
> > - importing certificates
> >
> > - exporting certificates
> >
> > - querying the SEV FW version etc etc
> >
> > In case of the probe we are not launch SEV guest hence we should not be
> > worried about depleting the SEV ASID resources.
> >
> > IIRC, libvirt uses QEMP query-sev-capabilities to probe the SEV support.
> > QEMU executes the below sequence to complete the request:
> >
> > 1. Exports the platform certificates (this is when /dev/sev is accessed).
> >
> > 2. Read the host MSR to determine the C-bit and reduced phys-bit position
> >
> > I don't see any reason why we can't give world a 'read' permission to
> > /dev/sev. Anyone should be able to export the certificates and query
>
> Okay, makes sense to me. The problem I see is the sev_platform_ioctl function
> in QEMU which makes an _IOWR request, therefore the file descriptor being
> opened in sev_get_capabilities is O_RDWR. Now, I only understand ioctl from
> what I've read in the man page, so I don't quite understand the need for IOWR
> here - but my honest guess would be that it's because the commands like
> SEV_PDH_CERT_EXPORT or SEV_PLATFORM_STATUS need to be copied from userspace to
> kernel to instruct kernel which services we want, ergo _IOWR, is that right?
I'm not seeing any permissions checks in the sev_ioctl() function in the
kernel, so IIUC, that means any permissions are entirely based on whether
you can open the /dev/sev, once open you can run any ioctl. What, if anything,
enforces which ioctls you can run when the device is only O_RDONLY vs O_RDWR ?
> In any case, a fix of some sort needs to land in QEMU first, because no udev
> rule would fix the current situation. Afterwards, I expect that having a rule
> like this:
>
> KERNEL=="sev", GROUP="kvm", MODE="0644"
>
> and a selinux policy rule adding the kvm_device_t label, we should be fine, do
> we agree on that?
Based on what I think I see above, this looks like a bad idea.
It still looks like we can solve this entirely in libvirt by just giving
the libvirt capabilities probing code CAP_DAC_OVERRIDE. This would make
libvirt work for all currently released SEV support in kernel/qemu.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
- [Qemu-devel] AMD SEV's /dev/sev permissions and probing QEMU for capabilities, Erik Skultety, 2019/01/18
- Re: [Qemu-devel] AMD SEV's /dev/sev permissions and probing QEMU for capabilities, Singh, Brijesh, 2019/01/18
- Re: [Qemu-devel] AMD SEV's /dev/sev permissions and probing QEMU for capabilities, Erik Skultety, 2019/01/23
- Re: [Qemu-devel] AMD SEV's /dev/sev permissions and probing QEMU for capabilities,
Daniel P . Berrangé <=
- Re: [Qemu-devel] AMD SEV's /dev/sev permissions and probing QEMU for capabilities, Erik Skultety, 2019/01/23
- Re: [Qemu-devel] AMD SEV's /dev/sev permissions and probing QEMU for capabilities, Daniel P . Berrangé, 2019/01/23
- Re: [Qemu-devel] AMD SEV's /dev/sev permissions and probing QEMU for capabilities, Erik Skultety, 2019/01/23
- Re: [Qemu-devel] AMD SEV's /dev/sev permissions and probing QEMU for capabilities, Daniel P . Berrangé, 2019/01/23
- Re: [Qemu-devel] AMD SEV's /dev/sev permissions and probing QEMU for capabilities, Singh, Brijesh, 2019/01/23
- Re: [Qemu-devel] AMD SEV's /dev/sev permissions and probing QEMU for capabilities, Erik Skultety, 2019/01/23
- Re: [Qemu-devel] AMD SEV's /dev/sev permissions and probing QEMU for capabilities, Erik Skultety, 2019/01/29
- Re: [Qemu-devel] AMD SEV's /dev/sev permissions and probing QEMU for capabilities, Daniel P . Berrangé, 2019/01/29
- Re: [Qemu-devel] AMD SEV's /dev/sev permissions and probing QEMU for capabilities, Erik Skultety, 2019/01/30
- Re: [Qemu-devel] AMD SEV's /dev/sev permissions and probing QEMU for capabilities, Daniel P . Berrangé, 2019/01/30