[edk2-devel] [PATCH v2 15/15] OvmfPkg/VmgExitLib: Validate #VC MMIO is to un-encrypted memory
Lendacky, Thomas
thomas.lendacky at amd.com
Thu Jan 7 17:33:22 UTC 2021
On 1/7/21 11:27 AM, Laszlo Ersek via groups.io wrote:
> On 01/06/21 22:21, Lendacky, Thomas wrote:
>> From: Tom Lendacky <thomas.lendacky at amd.com>
>>
>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108
>>
>> When SEV-ES is active, an MMIO operation will trigger a #VC and the
>> VmgExitLib exception handler will process this MMIO operation.
>>
>> A malicious hypervisor could try to extract information from encrypted
>> memory by setting a reserved bit in the guest's nested page tables for
>> a non-MMIO area. This can result in the encrypted data being copied into
>> the GHCB shared buffer area and accessed by the hypervisor.
>>
>> Prevent this by ensuring that the MMIO source/destination is un-encrypted
>> memory. For the APIC register space, access is allowed in general.
>>
>> Cc: Jordan Justen <jordan.l.justen at intel.com>
>> Cc: Laszlo Ersek <lersek at redhat.com>
>> Cc: Ard Biesheuvel <ard.biesheuvel at arm.com>
>> Cc: Brijesh Singh <brijesh.singh at amd.com>
>> Acked-by: Laszlo Ersek <lersek at redhat.com>
>> Signed-off-by: Tom Lendacky <thomas.lendacky at amd.com>
>> ---
>> OvmfPkg/AmdSev/AmdSevX64.dsc | 1 +
>> OvmfPkg/OvmfPkgX64.dsc | 1 +
>> OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf | 2 +-
>> OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf | 2 +
>> OvmfPkg/Library/VmgExitLib/VmgExitLib.inf | 2 +
>> OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 81 ++++++++++++++++++++
>> 6 files changed, 88 insertions(+), 1 deletion(-)
>
> Looks OK, thanks.
Thanks for the review, Laszlo! I've applied all of your comments for this
series should a v3 need to be submitted.
Thanks,
Tom
> Laszlo
>
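The validation the quoted commit message describes, as an added C model written for this page (it is not the OvmfPkg patch and uses hypothetical names): a #VC MMIO exit is only serviced when the faulting guest-physical range is unencrypted according to the guest's own page tables, or when it is the local APIC register page. The page table contents are constructed, and the APIC base is assumed to be the x86 default.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PAGE_SIZE   4096ULL
#define PAGE_MASK   (~(PAGE_SIZE - 1))
#define APIC_BASE   0xFEE00000ULL   /* assumption: default local APIC base */

enum RangeState { RANGE_UNMAPPED, RANGE_ENCRYPTED, RANGE_UNENCRYPTED, RANGE_MIXED };

/* Constructed guest page table (hypothetical): C-bit set means the page is
 * private. The guest owns these entries, so a hypervisor cannot flip them. */
typedef struct { uint64_t Page; bool CBit; } GuestPte;
static const GuestPte GuestPageTable[] = {
  { 0x00100000ULL, true  },   /* private data the hypervisor must not see */
  { 0x00101000ULL, true  },
  { 0x00200000ULL, false },   /* shared pages, e.g. a bounce buffer */
  { 0x00201000ULL, false },
  { 0x00202000ULL, true  },   /* private page directly after the shared ones */
};
#define NUM_PTES (sizeof GuestPageTable / sizeof GuestPageTable[0])

/* Stand-in for a MemEncryptSevGetAddressRangeState()-style query: classify
 * the range from guest-controlled state only, never from the NPT the
 * hypervisor controls. Unmapped, wrapping or empty ranges are not trusted. */
static enum RangeState GetAddressRangeState(uint64_t Address, uint64_t Length)
{
  if (Length == 0 || Address + Length < Address)
    return RANGE_UNMAPPED;
  bool SawEnc = false, SawUnenc = false;
  for (uint64_t Page = Address & PAGE_MASK; Page < Address + Length; Page += PAGE_SIZE) {
    bool Found = false;
    for (size_t i = 0; i < NUM_PTES; i++) {
      if (GuestPageTable[i].Page == Page) {
        Found = true;
        if (GuestPageTable[i].CBit) SawEnc = true; else SawUnenc = true;
      }
    }
    if (!Found) return RANGE_UNMAPPED;
  }
  if (SawEnc && SawUnenc) return RANGE_MIXED;
  return SawEnc ? RANGE_ENCRYPTED : RANGE_UNENCRYPTED;
}

/* True if the #VC MMIO exit may be serviced; false means the handler must
 * refuse it (the patch responds by injecting a #GP into the guest). */
bool ValidateMmioMemory(uint64_t Address, uint64_t Length)
{
  if ((Address & PAGE_MASK) == APIC_BASE)   /* APIC page is allowed in general */
    return true;
  return GetAddressRangeState(Address, Length) == RANGE_UNENCRYPTED;
}
```

A range that straddles a shared page and a private page is rejected as a whole, which is the case a hypervisor-planted reserved bit on a normally private page would produce.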