Re: [Qemu-devel] [RFC PATCH v1 10/22] sev: add SEV debug decrypt command

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [RFC PATCH v1 10/22] sev: add SEV debug decrypt command

From:	Daniel P. Berrange
Subject:	Re: [Qemu-devel] [RFC PATCH v1 10/22] sev: add SEV debug decrypt command
Date:	Wed, 14 Sep 2016 15:15:07 +0100
User-agent:	Mutt/1.7.0 (2016-08-17)

On Wed, Sep 14, 2016 at 04:50:51PM +0300, Michael S. Tsirkin wrote:
> On Wed, Sep 14, 2016 at 02:37:49PM +0100, Daniel P. Berrange wrote:
> > On Wed, Sep 14, 2016 at 04:32:44PM +0300, Michael S. Tsirkin wrote:
> > > On Wed, Sep 14, 2016 at 02:23:14PM +0100, Daniel P. Berrange wrote:
> > > > On Wed, Sep 14, 2016 at 03:07:58PM +0200, Paolo Bonzini wrote:
> > > > > 
> > > > > 
> > > > > On 14/09/2016 15:05, Michael S. Tsirkin wrote:
> > > > > > I assumed that with debug on, memory is still encrypted but the
> > > > > > hypervisor can break encryption, and as the cover letter states, the
> > > > > > hypervisor is assumed benign. If true I don't see a need to
> > > > > > give users more rope.
> > > > > 
> > > > > The hypervisor is assumed benign but vulnerable.
> > > > > 
> > > > > So, if somebody breaks the hypervisor, you would like to make it as 
> > > > > hard
> > > > > as possible for the attacker to do evil stuff to the guests.  If the
> > > > > attacker can just ask the secure processor "decrypt some memory for 
> > > > > me",
> > > > > then the encryption is effectively broken.
> > > > 
> > > > So there's going to be a tradeoff here between use of SEV and use of
> > > > certain other features. eg, it seems that if you're using SEV, then
> > > > any concept of creating & analysing guest core dumps from the host
> > > > is out.
> > > 
> > > I don't see why - as long as we don't trigger dumps, there's no leak :)
> > 
> > If the facility to trigger dumps is available, then the memory
> > encryption feature of SEV is as useful as a chocolate teapot,
> > as the would be attacker can simply trigger a dump
> 
> If attacker can trigger things, IOW execute code in hypervisor,
> then encrypting memory is not useful anyway.

The presentation at KVM forum claimed it *would* protect against
this, and that things like core dump of unencrypted memory would
not be permitted, so there's a disconnect between that preso and
what you're saying.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Qemu-devel] [RFC PATCH v1 10/22] sev: add SEV debug decrypt command, (continued)

Prev by Date: Re: [Qemu-devel] [RFC PATCH v1 10/22] sev: add SEV debug decrypt command
Next by Date: Re: [Qemu-devel] [PATCH qemu v2] tap: Allow specifying a bridge
Previous by thread: Re: [Qemu-devel] [RFC PATCH v1 10/22] sev: add SEV debug decrypt command
Next by thread: Re: [Qemu-devel] [RFC PATCH v1 10/22] sev: add SEV debug decrypt command
Index(es):
- Date
- Thread