Re: Linux guest kernel threat model for Confidential Computing

From: Greg Kroah-Hartman
Date: Wed Jan 25 2023 - 07:44:02 EST

Next message: Oleg Nesterov: "Re: [RFC PATCH v2] posix-timers: Support delivery of signals to the current thread"
Previous message: Rajat Khandelwal: "[PATCH v2] platform/x86/intel/pmc: core: Add support to show LTR-ignored components"
In reply to: Reshetova, Elena: "Linux guest kernel threat model for Confidential Computing"
Next in thread: Dr. David Alan Gilbert: "Re: Linux guest kernel threat model for Confidential Computing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Jan 25, 2023 at 12:28:13PM +0000, Reshetova, Elena wrote:
> Hi Greg,
>
> You mentioned couple of times (last time in this recent thread:
> https://lore.kernel.org/all/Y80WtujnO7kfduAZ@xxxxxxxxx/) that we ought to start
> discussing the updated threat model for kernel, so this email is a start in this direction.

Any specific reason you didn't cc: the linux-hardening mailing list?
This seems to be in their area as well, right?

> As we have shared before in various lkml threads/conference presentations
> ([1], [2], [3] and many others), for the Confidential Computing guest kernel, we have a
> change in the threat model where guest kernel doesn’t anymore trust the hypervisor.

That is, frankly, a very funny threat model. How realistic is it really
given all of the other ways that a hypervisor can mess with a guest?

So what do you actually trust here? The CPU? A device? Nothing?

> This is a big change in the threat model and requires both careful assessment of the
> new (hypervisor <-> guest kernel) attack surface, as well as careful design of mitigations
> and security validation techniques. This is the activity that we have started back at Intel
> and the current status can be found in
>
> 1) Threat model and potential mitigations:
> https://intel.github.io/ccc-linux-guest-hardening-docs/security-spec.html

So you trust all of qemu but not Linux? Or am I misreading that
diagram?

> 2) One of the described in the above doc mitigations is "hardening of the enabled
> code". What we mean by this, as well as techniques that are being used are
> described in this document:
> https://intel.github.io/ccc-linux-guest-hardening-docs/tdx-guest-hardening.html

I hate the term "hardening". Please just say it for what it really is,
"fixing bugs to handle broken hardware". We've done that for years when
dealing with PCI and USB and even CPUs doing things that they shouldn't
be doing. How is this any different in the end?

So what you also are saying here now is "we do not trust any PCI
devices", so please just say that (why do you trust USB devices?) If
that is something that you all think that Linux should support, then
let's go from there.

> 3) All the tools are open-source and everyone can start using them right away even
> without any special HW (readme has description of what is needed).
> Tools and documentation is here:
> https://github.com/intel/ccc-linux-guest-hardening

Again, as our documentation states, when you submit patches based on
these tools, you HAVE TO document that. Otherwise we think you all are
crazy and will get your patches rejected. You all know this, why ignore
it?

> 4) all not yet upstreamed linux patches (that we are slowly submitting) can be found
> here: https://github.com/intel/tdx/commits/guest-next

Random github trees of kernel patches are just that, sorry.

> So, my main question before we start to argue about the threat model, mitigations, etc,
> is what is the good way to get this reviewed to make sure everyone is aligned?
> There are a lot of angles and details, so what is the most efficient method?
> Should I split the threat model from https://intel.github.io/ccc-linux-guest-hardening-docs/security-spec.html
> into logical pieces and start submitting it to mailing list for discussion one by one?

Yes, start out by laying out what you feel the actual problem is, what
you feel should be done for it, and the patches you have proposed to
implement this, for each and every logical piece.

Again, nothing new here, that's how Linux is developed, again, you all
know this, it's not anything I should have to say.

> Any other methods?
>
> The original plan we had in mind is to start discussing the relevant pieces when submitting the code,
> i.e. when submitting the device filter patches, we will include problem statement, threat model link,
> data, alternatives considered, etc.

As always, we can't do anything without actual working changes to the
code, otherwise it's just a pipe dream and we can't waste our time on it
(neither would you want us to).

thanks, and good luck!

greg k-h

Next message: Oleg Nesterov: "Re: [RFC PATCH v2] posix-timers: Support delivery of signals to the current thread"
Previous message: Rajat Khandelwal: "[PATCH v2] platform/x86/intel/pmc: core: Add support to show LTR-ignored components"
In reply to: Reshetova, Elena: "Linux guest kernel threat model for Confidential Computing"
Next in thread: Dr. David Alan Gilbert: "Re: Linux guest kernel threat model for Confidential Computing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]