Re: [RFC PATCH 0/3] Allow access to confidential computing secret area

From: Brijesh Singh
Date: Fri May 21 2021 - 12:21:54 EST



On 5/21/21 11:03 AM, James Bottomley wrote:
> On Fri, 2021-05-21 at 10:56 -0500, Brijesh Singh wrote:
> [...]
>> In case of the SEV-SNP and TDX, the guest OS participates during the
>> attestation flow; the driver working on the behalf of userspace and
>> does not have access to the secret, so it cannot populate the file
>> with the secrets in it.
> OK, so for a simple encrypted VM using root on luks, how in SNP does
> the boot loader obtain the disk passphrase?

The GHCB specification v2 provides a new VMGEXIT (GUEST_REQUEST) that be
used either by the guest BIOS or guest kernel to request the attestation
report from the SEV-SNP firmware at any time. In the case of SEV-SNP,
the boot loader need to talk to SEV-SNP firmware to get the attestation
report.

Once the attestation report is available then boot loader need to
connect to guest owner to validate and obtain the secret (i.e disk
decryption key).


> In the non SNP case, it's already upstream: OVMF finds the secret page
> and converts it to an EFI config table, which is passed into grub.
> It's starting to sound like we'll need a new grub module for SNP which
> will do an active attestation and receive the passphrase over some
> channel secure against the cloud provider. Could you give us an
> example of how you think this flow will work?

The flow will be like this:

1. During the guest creation, a hypervsior calls LAUNCH_UPDATE (type
secret) to tell PSP to populate a secret page at a fixed guest address. 
Note that secret page is slightly different compare to what we know from
the SEV and ES. In this case the secret page contains a key used for
protecting the communication channel between the PSP and guest.

2. OVMF will create a EFI configuration table with the location of
secrets page.

3. Boot loader (or any other EFI) app can locate the secret page through
the EFI config lookup.

4. Boot loader can use the key from the secret page to communicate with
the PSP and request for the attestation report.

5. Pass the attestation report to the guest owner.

6. The guest owner validates the attestation report and releases the key
directly to the guest.

7. Boot loader can use the secret to unlock or disk or do whatever it
needs with it.


> Thanks,
>
> James
>
>