[edk2-devel] [PATCH v3 0/6] SEV Encrypted Boot for Ovmf

James Bottomley jejb at linux.ibm.com
Mon Nov 30 20:28:13 UTC 2020


- More grub and boot stripping (I think I got everything out, but
  there may be something that strayed in the boot panic resolution).
- grub.sh tidy up with tabs->spaces.
- Move the reset vector GUIDisation patch to the front so it can be
  applied independently
- Update the .dsc and .fdf files for variable policy


- Strip more out of AmdSev image (networking, secure boot, smm)
- give sev reset block a generic table guid and use it for boot secret area
- separate secret patches and make grub script more robust
- Add copyrights and fix formatting issues


Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077

This patch series is modelled on the structure of the Bhyve patches
for Ovmf, since it does somewhat similar things.  This patch series
creates a separate build for an AmdSev OVMF.fd that does nothing
except combine with grub and boot straight through the internal grub
to try to mount an encrypted volume.

Concept: SEV Secure Encrypted Images

The SEV patches in Linux and OVMF allow for the booting of SEV VMs in
an encrypted state, but don't really show how this could be done with
an encrypted image.  Since the key used to decrypt the image must be
maintained within the SEV encryption envelope, encrypted QCOW is not
an option because the key would then have to be known to QEMU which is
outside the encryption envelope.  The proposal here is that an
encrypted image should be a QCOW image consisting of two partitions,
the normal unencrypted EFI partition (Identifying it as an OVMF
bootable image) and a luks encrypted root partition.  The kernel would
be inside the encrypted root in the /boot directory.  The secret
injected securely through QEMU is extracted by OVMF and passed to grub
which uses it to mount the encrypted root and boot the kernel
normally.  The creator of the secret bundle must be satisfied with the
SEV attestation before the secret is constructed.  Unfortunately, the
SEV attestation can only be on the first QEMU firmware volume and
nothing else, so this patch series builds grub itself into a firmware
volume and places it inside OVMF so that the entire boot system can be
attested.  In a normal OVMF KVM system, the variable store is on the
second flash volume (which is read/write).  Unfortunately, this
mutable configuration provided by the variables is outside the
attestation envelope and can significantly alter the boot path,
possibly leading to secret leak, so encrypted image boot should only
be done with the OVMF.fd that combines both the code and variables.
the OVMF.fd is constructed so that it becomes impossible to interrupt
the boot sequence after attestation and the system will either boot
the image or fail. The boot sequence runs the grub.efi embedded in the
OVMF firmware volume so the encrypted image owner knows their own
version of grub is the only one that will boot before injecting the
secret.  Note this boot path actually ignores the unencrypted EFI
partition.  However, as part of this design, the encrypted image may be
booted by a standard OVMF KVM boot and in that case, the user will
have to type the encryption password.  This standard boot will be
insecure but it might be used by the constructor of the encrypted
images on their own private laptop, for instance.  The standard boot
path will use the unencrypted EFI partition.

Patches Required Outside of OVMF

There is a patch set to grub which allows it to extract the SEV secret
area from the configuration table and use the secret as a password to
do a luks crypto mount of root (this is the sevsecret grub module):


There is also a patch to qemu which allows it to search through the
OVMF.fd and find the SEV secret area which is now described inside the
Reset Vector using the existing SEV_ES reset block.  This area is the
place QEMU will inject the encrypted SEV secret bundle.

Security of the System

Since Grub is now part of the attested OVMF.fd bundle, the VM owner
knows absolutely that it will proceed straight to partition decryption
inside the attested code and boot the kernel off the encrypted
partition.  Even if a different QCOW image is substituted, the boot
will fail without revealing the secret because the system is designed
to fail hard in that case and because the secret is always contained
within the encrypted envelope it should be impossible for the cloud
operator to obtain it even if they can pause the boot and examine the
machine memory.

Putting it All Together

This is somewhat hard.  You must first understand how to boot a QEMU
system so as to have the VM pause after firmware loading (-S option)
and use the qmp port to request an attestation.  Only if the
attestation corresponds to the expected sha256sum of OVMF.fd should
the secret bundle be constructed and injected using qmp.  The tools
for constructing the secret bundle are in




James Bottomley (6):
  OvmfPkg/ResetVector: convert SEV-ES Reset Block structure to be GUIDed
  OvmfPkg/Amdsev: Base commit to build encrypted boot specific OVMF
  OvmfPkg/AmdSev: add Grub Firmware Volume Package
  OvmfPkg: create a SEV secret area in the AmdSev memfd
  OvmfPkg/AmdSev: assign and protect the Sev Secret area
  OvmfPkg/AmdSev: Expose the Sev Secret area using a configuration table

 OvmfPkg/OvmfPkg.dec                           |    8 +
 OvmfPkg/AmdSev/AmdSevX64.dsc                  |  844 ++++++++++
 OvmfPkg/AmdSev/AmdSevX64.fdf                  |  456 +++++
 OvmfPkg/AmdSev/Grub/Grub.inf                  |   39 +
 OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf        |   37 +
 OvmfPkg/AmdSev/SecretPei/SecretPei.inf        |   35 +
 .../PlatformBootManagerLibGrub.inf            |   71 +
 OvmfPkg/ResetVector/ResetVector.inf           |    4 +
 OvmfPkg/Include/Guid/SevLaunchSecret.h        |   28 +
 .../PlatformBootManagerLibGrub/BdsPlatform.h  |  175 ++
 OvmfPkg/AmdSev/SecretDxe/SecretDxe.c          |   26 +
 OvmfPkg/AmdSev/SecretPei/SecretPei.c          |   25 +
 .../PlatformBootManagerLibGrub/BdsPlatform.c  | 1482 +++++++++++++++++
 .../PlatformBootManagerLibGrub/PlatformData.c |  214 +++
 OvmfPkg/AmdSev/Grub/.gitignore                |    1 +
 OvmfPkg/AmdSev/Grub/grub.cfg                  |   46 +
 OvmfPkg/AmdSev/Grub/grub.sh                   |   93 ++
 OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm  |   70 +-
 OvmfPkg/ResetVector/ResetVector.nasmb         |    2 +
 19 files changed, 3645 insertions(+), 11 deletions(-)
 create mode 100644 OvmfPkg/AmdSev/AmdSevX64.dsc
 create mode 100644 OvmfPkg/AmdSev/AmdSevX64.fdf
 create mode 100644 OvmfPkg/AmdSev/Grub/Grub.inf
 create mode 100644 OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
 create mode 100644 OvmfPkg/AmdSev/SecretPei/SecretPei.inf
 create mode 100644 OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManagerLibGrub.inf
 create mode 100644 OvmfPkg/Include/Guid/SevLaunchSecret.h
 create mode 100644 OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h
 create mode 100644 OvmfPkg/AmdSev/SecretDxe/SecretDxe.c
 create mode 100644 OvmfPkg/AmdSev/SecretPei/SecretPei.c
 create mode 100644 OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
 create mode 100644 OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformData.c
 create mode 100644 OvmfPkg/AmdSev/Grub/.gitignore
 create mode 100644 OvmfPkg/AmdSev/Grub/grub.cfg
 create mode 100644 OvmfPkg/AmdSev/Grub/grub.sh


Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#68087): https://edk2.groups.io/g/devel/message/68087
Mute This Topic: https://groups.io/mt/78617825/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]

More information about the edk2-devel-archive mailing list