Re: [PATCH V4] virt: sev: Prevent IV reuse in SNP guest driver

From: Borislav Petkov
Date: Fri Nov 11 2022 - 11:46:28 EST

Next message: Gustavo A. R. Silva: "Re: [PATCH v3 6/7] bna: Avoid clashing function prototypes"
Previous message: Andy Shevchenko: "Re: [PATCH v4 tty-next 3/3] 8250: microchip: pci1xxxx: Add power management functions to quad-uart driver"
Next in thread: Peter Gonda: "Re: [PATCH V4] virt: sev: Prevent IV reuse in SNP guest driver"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Nov 03, 2022 at 08:23:18AM -0700, Peter Gonda wrote:
> The ASP and an SNP guest use a series of AES-GCM keys called VMPCKs to

ASP?

That must be the AMD Secure Processor or so but pls write it out.

> communicate securely with each other. The IV to this scheme is a
> sequence number that both the ASP and the guest track. Currently this
> sequence number in a guest request must exactly match the sequence
> number tracked by the ASP. This means that if the guest sees an error
> from the host during a request it can only retry that exact request or
> disable the VMPCK to prevent an IV reuse. AES-GCM cannot tolerate IV
> reuse see:
> https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/800-38-series-drafts/gcm/joux_comments.pdf

Right, how stable will that link be?

IOW, perhaps quote the paper name and authors so that people can find it
on their own.

> To handle userspace querying the cert_data length handle_guest_request()
> now: saves the number of pages required by the host, retries the request

This needs to sound like this:

"In order to address this, save the number of pages ..."

IOW, as the docs say:

"Describe your changes in imperative mood, e.g. "make xyzzy do frotz"
instead of "[This patch] makes xyzzy do frotz" or "[I] changed xyzzy
to do frotz", as if you are giving orders to the codebase to change
its behaviour."

> without requesting the extended data, then returns the number of pages
> required.
>
> Fixes: fce96cf044308 ("virt: Add SEV-SNP guest driver")

I'm guessing this needs to go to stable?

> Signed-off-by: Peter Gonda <pgonda@xxxxxxxxxx>
> Reported-by: Peter Gonda <pgonda@xxxxxxxxxx>
> Cc: Dionna Glaze <dionnaglaze@xxxxxxxxxx>
> Cc: Borislav Petkov <bp@xxxxxxx>
> Cc: Tom Lendacky <thomas.lendacky@xxxxxxx>
> Cc: Michael Roth <michael.roth@xxxxxxx>
> Cc: Haowen Bai <baihaowen@xxxxxxxxx>
> Cc: Yang Yingliang <yangyingliang@xxxxxxxxxx>
> Cc: Marc Orr <marcorr@xxxxxxxxxx>
> Cc: David Rientjes <rientjes@xxxxxxxxxx>
> Cc: Ashish Kalra <Ashish.Kalra@xxxxxxx>
> Cc: linux-kernel@xxxxxxxxxxxxxxx
> Cc: kvm@xxxxxxxxxxxxxxx
> ---
> Tested by placing each of the guest requests: attestation quote,
> extended attestation quote, and get key. Then tested the extended
> attestation quote certificate length querying.
>
> V4
> * As suggested by Dionna moved the extended request retry logic into
> the driver.
> * Due to big change in patch dropped any reviewed-by tags.
>
> ---
> drivers/virt/coco/sev-guest/sev-guest.c | 70 +++++++++++++++++++------
> 1 file changed, 53 insertions(+), 17 deletions(-)
>
> diff --git a/drivers/virt/coco/sev-guest/sev-guest.c b/drivers/virt/coco/sev-guest/sev-guest.c
> index f422f9c58ba79..7dd6337ebdd5b 100644
> --- a/drivers/virt/coco/sev-guest/sev-guest.c
> +++ b/drivers/virt/coco/sev-guest/sev-guest.c
> @@ -41,7 +41,7 @@ struct snp_guest_dev {
> struct device *dev;
> struct miscdevice misc;
>
> - void *certs_data;
> + u8 (*certs_data)[SEV_FW_BLOB_MAX_SIZE];
> struct snp_guest_crypto *crypto;
> struct snp_guest_msg *request, *response;
> struct snp_secrets_page_layout *layout;
> @@ -67,8 +67,27 @@ static bool is_vmpck_empty(struct snp_guest_dev *snp_dev)
> return true;
> }
>
> +/*
> + * If we receive an error from the host or ASP we have two options. We can

Please use passive voice in your commit message: no "we" or "I", etc,
and describe your changes in imperative mood.

Bottom line is: personal pronouns are ambiguous in text, especially with
so many parties/companies/etc developing the kernel so let's avoid them
please.

> + * either retry the exact same encrypted request or we can discontinue using the
> + * VMPCK.
> + *
> + * This is because in the current encryption scheme GHCB v2 uses AES-GCM to
> + * encrypt the requests. The IV for this scheme is the sequence number. GCM
> + * cannot tolerate IV reuse.
> + *
> + * The ASP FW v1.51 only increments the sequence numbers on a successful
> + * guest<->ASP back and forth and only accepts messages at its exact sequence
> + * number.
> + *
> + * So if we were to reuse the sequence number the encryption scheme is
> + * vulnerable. If we encrypt the sequence number for a fresh IV the ASP will
> + * reject our request.
> + */
> static void snp_disable_vmpck(struct snp_guest_dev *snp_dev)
> {
> + dev_alert(snp_dev->dev, "Disabling vmpck_id: %d to prevent IV reuse.\n",
> + vmpck_id);
> memzero_explicit(snp_dev->vmpck, VMPCK_KEY_LEN);
> snp_dev->vmpck = NULL;
> }
> @@ -323,32 +342,49 @@ static int handle_guest_request(struct snp_guest_dev *snp_dev, u64 exit_code, in
>
> /* Call firmware to process the request */
> rc = snp_issue_guest_request(exit_code, &snp_dev->input, &err);
> +
> + /*
> + * If the extended guest request fails due to having to small of a

"... too small... "

> + * certificate data buffer retry the same guest request without the
> + * extended data request.
> + */
> + if (exit_code == SVM_VMGEXIT_EXT_GUEST_REQUEST &&
> + err == SNP_GUEST_REQ_INVALID_LEN) {
> + const unsigned int certs_npages = snp_dev->input.data_npages;
> +
> + exit_code = SVM_VMGEXIT_GUEST_REQUEST;
> + rc = snp_issue_guest_request(exit_code, &snp_dev->input, &err);
> +
> + err = SNP_GUEST_REQ_INVALID_LEN;

Huh, why are we overwriting err here?

> + snp_dev->input.data_npages = certs_npages;
> + }
> +
> if (fw_err)
> *fw_err = err;
>
> - if (rc)
> - return rc;
> + if (rc) {
> + dev_alert(snp_dev->dev,
> + "Detected error from ASP request. rc: %d, fw_err: %llu\n",
> + rc, *fw_err);
> + goto disable_vmpck;
> + }
>
> - /*
> - * The verify_and_dec_payload() will fail only if the hypervisor is
> - * actively modifying the message header or corrupting the encrypted payload.
> - * This hints that hypervisor is acting in a bad faith. Disable the VMPCK so that
> - * the key cannot be used for any communication. The key is disabled to ensure
> - * that AES-GCM does not use the same IV while encrypting the request payload.
> - */
> rc = verify_and_dec_payload(snp_dev, resp_buf, resp_sz);
> if (rc) {
> dev_alert(snp_dev->dev,
> - "Detected unexpected decode failure, disabling the vmpck_id %d\n",
> - vmpck_id);
> - snp_disable_vmpck(snp_dev);
> - return rc;
> + "Detected unexpected decode failure from ASP. rc: %d\n",
> + rc);
> + goto disable_vmpck;
> }
>
> /* Increment to new message sequence after payload decryption was successful. */
> snp_inc_msg_seqno(snp_dev);
>
> return 0;
> +
> +disable_vmpck:
> + snp_disable_vmpck(snp_dev);
> + return rc;
> }
>
> static int get_report(struct snp_guest_dev *snp_dev, struct snp_guest_request_ioctl *arg)
> @@ -676,7 +712,7 @@ static int __init sev_guest_probe(struct platform_device *pdev)
> if (!snp_dev->response)
> goto e_free_request;
>
> - snp_dev->certs_data = alloc_shared_pages(dev, SEV_FW_BLOB_MAX_SIZE);
> + snp_dev->certs_data = alloc_shared_pages(dev, sizeof(*snp_dev->certs_data));

What's that change for?

I went searching for that ->certs_data only ot realize that it is an
array of size of SEV_FW_BLOB_MAX_SIZE elems.

Thx.

--
Regards/Gruss,
Boris.

SUSE Software Solutions Germany GmbH
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman
(HRB 36809, AG Nürnberg)

Next message: Gustavo A. R. Silva: "Re: [PATCH v3 6/7] bna: Avoid clashing function prototypes"
Previous message: Andy Shevchenko: "Re: [PATCH v4 tty-next 3/3] 8250: microchip: pci1xxxx: Add power management functions to quad-uart driver"
Next in thread: Peter Gonda: "Re: [PATCH V4] virt: sev: Prevent IV reuse in SNP guest driver"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]