Re: [PATCH] x86: add SEV hashing to fw_cfg for kernel/initrd/cmdline
From: Michael S. Tsirkin
Subject: Re: [PATCH] x86: add SEV hashing to fw_cfg for kernel/initrd/cmdline
Date: Sun, 4 Jul 2021 02:29:22 -0400
On Sun, Jul 04, 2021 at 09:16:59AM +0300, Dov Murik wrote:
> Hi Michael,
>
> [+cc Connor, Dave]
>
> On 03/07/2021 19:42, Michael S. Tsirkin wrote:
> > On Tue, May 25, 2021 at 06:59:31AM +0000, Dov Murik wrote:
> >> From: James Bottomley <jejb@linux.ibm.com>
> >>
> >> If the VM is using memory encryption and also specifies a kernel/initrd
> >> or appended command line, calculate the hashes and add them to the
> >> encrypted data. For this to work, OVMF must support an encrypted area
> >> to place the data which is advertised via a special GUID in the OVMF
> >> reset table (if the GUID doesn't exist, the user isn't allowed to pass
> >> in the kernel/initrd/cmdline via the fw_cfg interface).
> >
> > Sorry about asking basic questions so late in the game.
>
> No worries. Please notice there's a newer version:
>
> https://lore.kernel.org/qemu-devel/20210624102040.2015280-1-dovmurik@linux.ibm.com/
>
>
> > I'm a bit curious why this feature makes sense. If someone can play
> > with a Linux kernel command line isn't it pretty much game over security
> > wise? What protections does Linux have against malicious actors
> > manipulating the command line?
> >
>
> You're right -- if the host can modify the kernel command-line it's game
> over.
>
> This is why this patch (together with the corresponding OVMF patches; still
> under review) measures and verifies the content of the kernel blob and
> the initrd blob *and* the command-line blob.
>
> Any modification/omission of any of them by the host will make the expected
> SEV PSP measurement invalid, which should then indicate to the Guest Owner
> that something is wrong with this guest. At that point the Guest Owner should
> refuse to inject secrets into the guest (and also complain to the Cloud
> Service Provider).
>
> -Dov
Got it, thanks!
--
MST
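Added illustration, not part of this thread nor of the QEMU/OVMF patches: a small Python model of the two-sided check Dov describes, where hashes of the fw_cfg blobs sit in the launch-measured area and the firmware compares each blob it receives against them. The table layout, the measurement formula and the sample blobs are constructed simplifications, not the real SEV/OVMF format.

```python
import hashlib
import hmac

BLOB_ORDER = ("kernel", "initrd", "cmdline")


def build_hash_table(blobs):
    """Hashes of the kernel/initrd/cmdline blobs, placed in the encrypted area
    that is part of the SEV launch measurement (simplified: SHA-256 per blob)."""
    return {name: hashlib.sha256(blobs[name]).digest() for name in BLOB_ORDER}


def launch_measurement(firmware, table):
    """Models the PSP measurement over the initial encrypted memory: the
    firmware image plus the serialized hash table (assumed formula)."""
    serialized = b"".join(name.encode() + table[name] for name in BLOB_ORDER)
    return hashlib.sha256(firmware + serialized).hexdigest()


def firmware_accepts_blob(table, name, data):
    """Guest-side check: firmware compares the blob read over fw_cfg against
    the measured hash before using it; a mismatch must abort the boot."""
    return hmac.compare_digest(table[name], hashlib.sha256(data).digest())


def guest_owner_accepts(expected, reported):
    """Guest Owner side: inject secrets only if the reported measurement
    equals the one precomputed from the known firmware and blobs."""
    return hmac.compare_digest(expected, reported)


# Constructed sample inputs, not real images or command lines.
FIRMWARE = b"OVMF.fd stand-in bytes"
GOOD = {"kernel": b"vmlinuz bytes", "initrd": b"initrd bytes",
        "cmdline": b"console=ttyS0 root=/dev/vda1"}


def scenario(host_blobs, host_table=None):
    """Host supplies the blobs and, optionally, a regenerated hash table.
    Returns (guest_owner_accepts_measurement, firmware_accepts_all_blobs)."""
    expected = launch_measurement(FIRMWARE, build_hash_table(GOOD))
    table = host_table if host_table is not None else build_hash_table(GOOD)
    reported = launch_measurement(FIRMWARE, table)
    owner_ok = guest_owner_accepts(expected, reported)
    fw_ok = all(firmware_accepts_blob(table, n, host_blobs[n]) for n in BLOB_ORDER)
    return owner_ok, fw_ok
```

Run the three scenarios (honest host; host swaps the cmdline but keeps the original table; host swaps the cmdline and regenerates the table) to see that the tampering is caught either by the firmware's blob check or by the Guest Owner's measurement check, never by neither.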