Re: Linux guest kernel threat model for Confidential Computing

From: James Bottomley
Date: Wed Jan 25 2023 - 09:31:52 EST

Next message: Matthias Brugger: "Re: [PATCH 1/2] arm64: dts: mediatek: mt7622: drop serial clock-names"
Previous message: Nicolas Dufresne: "Re: [PATCH] hantro: Fix JPEG encoder ENUM_FRAMESIZE on RK3399"
In reply to: Greg Kroah-Hartman: "Re: Linux guest kernel threat model for Confidential Computing"
Next in thread: Dr. David Alan Gilbert: "Re: Linux guest kernel threat model for Confidential Computing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 2023-01-25 at 15:22 +0100, Greg Kroah-Hartman wrote:
> On Wed, Jan 25, 2023 at 01:42:53PM +0000, Dr. David Alan Gilbert
> wrote:
> > * Greg Kroah-Hartman (gregkh@xxxxxxxxxxxxxxxxxxx) wrote:
> > > On Wed, Jan 25, 2023 at 12:28:13PM +0000, Reshetova, Elena wrote:
> > > > Hi Greg,
> > > >
> > > > You mentioned couple of times (last time in this recent thread:
> > > > https://lore.kernel.org/all/Y80WtujnO7kfduAZ@xxxxxxxxx/) that
> > > > we ought to start
> > > > discussing the updated threat model for kernel, so this email
> > > > is a start in this direction.
> > >
> > > Any specific reason you didn't cc: the linux-hardening mailing
> > > list? This seems to be in their area as well, right?
> > >
> > > > As we have shared before in various lkml threads/conference
> > > > presentations ([1], [2], [3] and many others), for the
> > > > Confidential Computing guest kernel, we have a change in the
> > > > threat model where guest kernel doesn’t anymore trust the
> > > > hypervisor.
> > >
> > > That is, frankly, a very funny threat model. How realistic is it
> > > really given all of the other ways that a hypervisor can mess
> > > with a guest?
> >
> > It's what a lot of people would like; in the early attempts it was
> > easy to defeat, but in TDX and SEV-SNP the hypervisor has a lot
> > less that it can mess with - remember that not just the memory is
> > encrypted, so is the register state, and the guest gets to see
> > changes to mapping and a lot of control over interrupt injection
> > etc.
>
> And due to the fact that SEV and TDX really do not work, how is
> anyone expecting any of this to work? As one heckler on IRC recently
> put it, if you squint hard enough, you can kind of ignore the real-
> world issues here, so perhaps this should all be called "squint-
> puting" in order to feel like you have a "confidential" system? :)

There's a difference between no trust, which requires defeating all
attacks as they occur and limited trust, which merely means you want to
detect an attack from the limited trust entity to show that trust was
violated. Trying to achieve the former with CC is a good academic
exercise, but not required for the technology to be useful. Most cloud
providers are working towards the latter ... we know there are holes,
but as long as the guest can always detect interference they can be
confident in their trust in the CSP not to attack them via various
hypervisor mechanisms.

James

Next message: Matthias Brugger: "Re: [PATCH 1/2] arm64: dts: mediatek: mt7622: drop serial clock-names"
Previous message: Nicolas Dufresne: "Re: [PATCH] hantro: Fix JPEG encoder ENUM_FRAMESIZE on RK3399"
In reply to: Greg Kroah-Hartman: "Re: Linux guest kernel threat model for Confidential Computing"
Next in thread: Dr. David Alan Gilbert: "Re: Linux guest kernel threat model for Confidential Computing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]