Re: [RFC PATCH v1 09/28] x86/efi: Access EFI data as encrypted when SEV is active

From: Tom Lendacky
Date: Thu Sep 22 2016 - 14:48:27 EST


On 09/22/2016 09:45 AM, Paolo Bonzini wrote:
>
>
> On 22/09/2016 16:35, Borislav Petkov wrote:
>>>> @@ -230,6 +230,10 @@ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages)
>>>> efi_scratch.efi_pgt = (pgd_t *)__sme_pa(efi_pgd);
>>>> pgd = efi_pgd;
>>>>
>>>> + flags = _PAGE_NX | _PAGE_RW;
>>>> + if (sev_active)
>>>> + flags |= _PAGE_ENC;
>> So this is confusing me. There's this patch which says EFI data is
>> accessed in the clear:
>>
>> https://lkml.kernel.org/r/20160822223738.29880.6909.stgit@xxxxxxxxxxxxxxxxxxxxxxxxx
>>
>> but now here it is encrypted when SEV is enabled.
>>
>> Do you mean, it is encrypted here because we're in the guest kernel?
>
> I suspect this patch is untested, and also wrong. :)

Yes, it is untested but not sure that it is wrong... It all depends on
how we add SEV support to the guest UEFI BIOS. My take would be to have
the EFI data and ACPI tables encrypted.

>
> The main difference between the SME and SEV encryption, from the point
> of view of the kernel, is that real-mode always writes unencrypted in
> SME and always writes encrypted in SEV. But UEFI can run in 64-bit mode
> and learn about the C bit, so EFI boot data should be unprotected in SEV
> guests.
>
> Because the firmware volume is written to high memory in encrypted form,
> and because the PEI phase runs in 32-bit mode, the firmware code will be
> encrypted; on the other hand, data that is placed in low memory for the
> kernel can be unencrypted, thus limiting differences between SME and SEV.

I like the idea of limiting the differences but it would leave the EFI
data and ACPI tables exposed and able to be manipulated.

>
> Important: I don't know what you guys are doing for SEV and
> Windows guests, but if you are doing something I would really
> appreciate doing things in the open. If Linux and Windows end
> up doing different things with EFI boot data, ACPI tables, etc.
> it will be a huge pain. On the other hand, if we can enjoy
> being first, that's great.

We haven't discussed Windows guests under SEV yet, but as you say, we
need to do things the same.

Thanks,
Tom

>
> In fact, I have suggested in the QEMU list that SEV guests should always
> use UEFI; because BIOS runs in real-mode or 32-bit non-paging protected
> mode, BIOS must always write encrypted data, which becomes painful in
> the kernel.
>
> And regarding the above "important" point, all I know is that Microsoft
> for sure will be happy to restrict SEV to UEFI guests. :)
>
> There are still some differences, mostly around the real mode trampoline
> executed by the kernel, but they should be much smaller.
>
> Paolo
>