Re: [libvirt] [Qemu-devel] libvirt/QEMU/SEV interaction
On Fri, Sep 29, 2017 at 03:07:40PM -0500, Richard Relph wrote:
On 9/29/17 2:48 PM, Richard Relph wrote:
> On 9/29/17 2:34 PM, Michael S. Tsirkin wrote:
> > On Wed, Sep 27, 2017 at 02:06:10PM -0500, Richard Relph wrote:
> > > Whether the "BIOS" is a "static shim" as Michael
suggests, or a
> > > full BIOS,
> > > or even a BIOS+kernel+initrd is really not too significant. What is
> > > significant is that the GO has a basis for trusting all code that is
> > > imported in to their VM by the CP. And that NONE of the code
> > > provided by the
> > > CP is "unknown" and unauditable by the GO. If the CP has a way
to inject
> > > code unknown to the GO in to the guest VM, the trust model is broken and
> > > both GO and CP suffer the consequences.
> >
> > Absolutely.
> >
> > > When the CP needs to update the BIOS image, they will have to
> > > inform the GO
> > > and allow the GO to establish trust in the CP's new BIOS image
somehow.
> >
> > This GO update on every BIOS change is imho is not a workable model. You
> > want something like checking the BIOS signature instead. And since
> > hardware is all hash based, you need the shim to do it in software.
>
> A BIOS "signed" by the CP doesn't meet the security requirement. It
is
> code that is "unknown" to the GO.
>
> The (legitimate) CP does NOT want to be in that position of trust. If
> they are, then some government somewhere is going to insist that they
> sign a BIOS that allows the government to spy on the GO's VMs, and steal
> secrets from it. Or some hacker admin will do it "for fun".
>
> How often do large public CPs really change their BIOSes? My sense is
> that large public CPs prefer stability over "latest and greatest".
>
> And, perhaps more importantly, if a CP are able to sell a "more secure"
> VM, one that justifies a higher price per vCPU hour, wouldn't that
> warrant some changes in the "insecure" model being used today?
Ultimately, I think both approaches are "doable". It will be a CP and GO
decision. If the GO trusts the CP, the shim+signed BIOS will work fine.
I think there's a misunderstanding. A trusted software vendor would
sign the BIOS. GO would verify it. Trusting the CP is not required.
If
GO requires a more secure VM and the CP wants to offer it, the CP will
figure out a way to satisfy the GO's "trust issue" that the BIOS can't
be
used to circumvent SEV's protections. Depending on your level of paranoia,
that may require advance notice of BIOS changes, or even allowing the GO to
provide the BIOS themselves, written to a spec supported by the CP's HV,
and/or based on BIOS code provided by the CP.
We are discussing this on a qemu mailing list, aren't we? And from QEMU
point of view, I think it won't be able to support a requirement
to boot ancient bios versions on new machine types indefinitely
with good performance and also fix security issues in them
in a timely manner somehow.
It's a business decision and I think SEV can support both. That said, AMD
currently has no plans to write a shim that can verify the signature on a
CP-provided BIOS image.
Richard
Someone else will have to work on a supportable solution for QEMU then.
>
> Richard