virt: sevguest: Add documentation for SEV-SNP CPUID Enforcement
Update the documentation with information regarding SEV-SNP CPUID Enforcement details and what sort of assurances it provides to guests. Signed-off-by: Michael Roth <michael.roth@amd.com> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> Signed-off-by: Borislav Petkov <bp@suse.de> Link: https://lore.kernel.org/r/20220307213356.2797205-47-brijesh.singh@amd.com
This commit is contained in:
parent
d80b494f71
commit
92a99584d9
|
@ -118,6 +118,35 @@ be updated with the expected value.
|
|||
|
||||
See GHCB specification for further detail on how to parse the certificate blob.
|
||||
|
||||
3. SEV-SNP CPUID Enforcement
|
||||
============================
|
||||
|
||||
SEV-SNP guests can access a special page that contains a table of CPUID values
|
||||
that have been validated by the PSP as part of the SNP_LAUNCH_UPDATE firmware
|
||||
command. It provides the following assurances regarding the validity of CPUID
|
||||
values:
|
||||
|
||||
- Its address is obtained via bootloader/firmware (via CC blob), and those
|
||||
binaries will be measured as part of the SEV-SNP attestation report.
|
||||
- Its initial state will be encrypted/pvalidated, so attempts to modify
|
||||
it during run-time will result in garbage being written, or #VC exceptions
|
||||
being generated due to changes in validation state if the hypervisor tries
|
||||
to swap the backing page.
|
||||
- Attempts to bypass PSP checks by the hypervisor by using a normal page, or
|
||||
a non-CPUID encrypted page will change the measurement provided by the
|
||||
SEV-SNP attestation report.
|
||||
- The CPUID page contents are *not* measured, but attempts to modify the
|
||||
expected contents of a CPUID page as part of guest initialization will be
|
||||
gated by the PSP CPUID enforcement policy checks performed on the page
|
||||
during SNP_LAUNCH_UPDATE, and noticeable later if the guest owner
|
||||
implements their own checks of the CPUID values.
|
||||
|
||||
It is important to note that this last assurance is only useful if the kernel
|
||||
has taken care to make use of the SEV-SNP CPUID throughout all stages of boot.
|
||||
Otherwise, guest owner attestation provides no assurance that the kernel wasn't
|
||||
fed incorrect values at some point during boot.
|
||||
|
||||
|
||||
Reference
|
||||
---------
|
||||
|
||||
|
|
Loading…
Reference in New Issue