RE: [RFC] Randomness on confidential computing platforms

From: Reshetova, Elena
Date: Tue Jan 30 2024 - 03:01:54 EST

Next message: Krzysztof Kozlowski: "Re: [PATCH 1/5] dt-bindings: display/msm: document MDSS on X1E80100"
Previous message: Krzysztof Kozlowski: "Re: [PATCH 2/5] dt-bindings: display/msm: Document the DPU for X1E80100"
In reply to: Reshetova, Elena: "RE: [RFC] Randomness on confidential computing platforms"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> -----Original Message-----
> From: Kirill A. Shutemov <kirill.shutemov@xxxxxxxxxxxxxxx>
> Sent: Monday, January 29, 2024 11:33 PM
> To: Hansen, Dave <dave.hansen@xxxxxxxxx>
> Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>; Ingo Molnar <mingo@xxxxxxxxxx>;
> Borislav Petkov <bp@xxxxxxxxx>; Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>; H.
> Peter Anvin <hpa@xxxxxxxxx>; x86@xxxxxxxxxx; Theodore Ts'o <tytso@xxxxxxx>;
> Jason A. Donenfeld <Jason@xxxxxxxxx>; Kuppuswamy Sathyanarayanan
> <sathyanarayanan.kuppuswamy@xxxxxxxxxxxxxxx>; Reshetova, Elena
> <elena.reshetova@xxxxxxxxx>; Nakajima, Jun <jun.nakajima@xxxxxxxxx>; Tom
> Lendacky <thomas.lendacky@xxxxxxx>; Kalra, Ashish <ashish.kalra@xxxxxxx>;
> Sean Christopherson <seanjc@xxxxxxxxxx>; linux-coco@xxxxxxxxxxxxxxx; linux-
> kernel@xxxxxxxxxxxxxxx
> Subject: Re: [RFC] Randomness on confidential computing platforms
>
> On Mon, Jan 29, 2024 at 01:04:23PM -0800, Dave Hansen wrote:
> > On 1/29/24 12:26, Kirill A. Shutemov wrote:
> > >>> Do we care?
> > >> I want to make sure I understand the scenario:
> > >>
> > >> 1. We're running in a guest under TDX (or SEV-SNP)
> > >> 2. The VMM (or somebody) is attacking the guest by eating all the
> > >> hardware entropy and RDRAND is effectively busted
> > >> 3. Assuming kernel-based panic_on_warn and WARN_ON() rdrand_long()
> > >> failure, that rdrand_long() never gets called.
> > > Never gets called during attack. It can be used before and after.
> > >
> > >> 4. Userspace is using RDRAND output in some critical place like key
> > >> generation and is not checking it for failure, nor mixing it with
> > >> entropy from any other source
> > >> 5. Userspace uses the failed RDRAND output to generate a key
> > >> 6. Someone exploits the horrible key
> > >>
> > >> Is that it?
> > > Yes.
> >
> > Is there something that fundamentally makes this a VMM vs. TDX guest
> > problem? If a malicious VMM can exhaust RDRAND, why can't malicious
> > userspace do the same?

Let's be more concrete here: the main problem we are trying to fix here is
to make sure Linux RNG has entropy source(s) that are not under attacker control.
In case of userspace attacking kernel, yes, it can exhaust RDRAND/RDSEED,
but kernel has other entropy sources (interrupts) that are not under full userspace
control or fully observable.
What makes the confidential VM story different is after VMM has exhausted
RDRAND/RDSEED, guest Linux RNG will fall back to the entropy sources that
are under observance/control of VMM and this is what we try to avoid.

> >
> > Let's assume buggy userspace exists. Is that userspace *uniquely*
> > exposed to a naughty VMM or is that VMM just added to the list of things
> > that can attack buggy userspace?

Good behaving userspace will ask for its cryptographic randomness from
Linux RNG (some might do direct RDRAND/RDSEED calls, but most will
rely on Linux RNG). When it does ask for it, it is going to get a number
from it. The fact that that number doesn’t have adequate security is not
visible for userspace in any way. I don’t think anyone will go to dmesg and
check the warning logs to determine this.
So, I don’t see how warning helps here in practice.

Best Regards,
Elena

Next message: Krzysztof Kozlowski: "Re: [PATCH 1/5] dt-bindings: display/msm: document MDSS on X1E80100"
Previous message: Krzysztof Kozlowski: "Re: [PATCH 2/5] dt-bindings: display/msm: Document the DPU for X1E80100"
In reply to: Reshetova, Elena: "RE: [RFC] Randomness on confidential computing platforms"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]