==============================================
Confidential Computing in Linux for x86 virtua
==============================================

.. contents:: :local:

By: Elena Reshetova <elena.reshetova@intel.com>

Motivation
==========

Kernel developers working on confidential comp
environments in x86 operate under a set of ass
kernel threat model that differ from the tradi
the Linux threat model acknowledges attackers
well as a limited set of external attackers th
the kernel through various networking or limit
interfaces (USB, thunderbolt). The goal of thi
additional attack vectors that arise in the co
and discuss the proposed protection mechanisms

Overview and terminology
========================

Confidential Computing (CoCo) is a broad term
security technologies that aim to protect the
of data in use (vs. data at rest or data in tr
solutions provide a Trusted Execution Environm
processing can be performed and, as a result,
classified into different subtypes depending o
to be run in TEE. This document focuses on a s
that are targeting virtualized environments an
Machines (VM) inside TEE. From now on in this
to this subclass of CoCo as 'Confidential Comp
virtualized environments (VE)'.

CoCo, in the virtualization context, refers to
technologies that allow for stronger security
inside a CoCo VM. Namely, confidential computi
confirm the trustworthiness of all SW pieces t
Trusted Computing Base (TCB) given its ability
trusted components.

While the concrete implementation details diff
available mechanisms aim to provide increased
integrity for the VM's guest memory and execut
more tightly controlled guest interrupt inject
additional mechanisms to control guest-host pa
the x86-specific solutions can be found in
:doc:`Intel Trust Domain Extensions (TDX) </ar
`AMD Memory Encryption <https://www.amd.com/sy

The basic CoCo guest layout includes the host,
communicate guest and host, a platform capable
a trusted intermediary between the guest VM an
that acts as a security manager. The host-side
(VMM) typically consists of a subset of tradit
is still in charge of the guest lifecycle, i.e
VM, manage its access to system resources, etc
typically stays out of CoCo VM TCB, its access
security objectives.

In the following diagram, the "<--->" lines re
communication channels or interfaces between t
the rest of the components (data flow for gues

    +-------------------+      +--------------
    | CoCo guest VM     |<---->|
    +-------------------+      |
    | Interfaces        |      | CoCo security
    +-------------------+      |
    | Host VMM          |<---->|
    +-------------------+      |
                               |
    +--------------------+     |
    | CoCo platform      |<--->|
    +--------------------+     +--------------

The specific details of the CoCo security mana
technologies. For example, in some cases, it w
while in others it may be pure SW.

Existing Linux kernel threat model
==================================

The overall components of the current Linux ke

     +-----------------------+      +---------
     |                       |<---->| Userspac
     |                       |      +---------
     |   External attack     |      | Inter
     |       vectors         |      +---------
     |                       |<---->| Linux Ke
     |                       |      +---------
     +-----------------------+      +---------
                                    | Bootload
                                    +---------
                                    +---------
                                    | HW platf
                                    +---------

There is also communication between the bootlo
the boot process, but this diagram does not re
"Interfaces" box represents the various interf
communication between kernel and userspace. Th
kernel APIs, device drivers, etc.

The existing Linux kernel threat model typical
trusted HW platform with all of the firmware a
its TCB. The primary attacker resides in the u
coming from there is generally considered untr
privileged enough to perform trusted actions.
attackers are typically considered, including
external networks (e.g. Ethernet, Wireless, Bl
interfaces (e.g. USB, Thunderbolt), and the ab
of disks offline.

Regarding external attack vectors, it is inter
cases external attackers will try to exploit v
first, but that it is possible for an attacker
kernel; particularly if the host has physical
kernel attacks include the vulnerabilities CVE
and CVE-2020-24490.

Confidential Computing threat model and its se
==============================================

Confidential Computing adds a new type of atta
potentially misbehaving host (which can also i
traditional VMM or all of it), which is typica
CoCo VM TCB due to its large SW attack surface
that this doesn’t imply that the host or VMM
malicious, but that there exists a security va
VM TCB. This new type of adversary may be view
of external attacker, as it resides locally on
(in contrast to a remote network attacker) and
kernel communication with most of the HW::

                                  +------------
                                  | CoCo gue
    +-----------------------+     | +---------
    |                       |<--->| | Userspac
    |                       |     | +---------
    |   External attack     |     | | Inter
    |       vectors         |     | +---------
    |                       |<--->| | Linux Ke
    |                       |     | +---------
    +-----------------------+     | +---------
                                  | | Bootload
    +-----------------------+     | +---------
    |                       |<--->+------------
    |                       |     | Interf
    |                       |     +------------
    |   CoCo security       |<--->| Host/Host-s
    |   manager             |     +------------
    |                       |     +------------
    |                       |<--->| CoCo plat
    +-----------------------+     +------------

While traditionally the host has unlimited acc
leverage this access to attack the guest, the
attacks by adding security features like guest
integrity protection. This threat model assume
available and intact.

The **Linux kernel CoCo VM security objectives

1. Preserve the confidentiality and integrity
   memory and registers.

2. Prevent privileged escalation from a host i
   While it is true that the host (and host-side
   privilege to create, destroy, or pause the gue
   preventing privileged escalation is to ensure
   provide a pathway for attackers to gain access

The above security objectives result in two pr
VM assets**:

1. Guest kernel execution context.
2. Guest kernel private memory.

The host retains full control over the CoCo gu
access to them at any time. Examples of resour
that the guest can consume, network bandwidth,
host Denial of Service (DoS) attacks against C
scope of this threat model.

The **Linux CoCo VM attack surface** is any in
guest Linux kernel towards an untrusted host t
CoCo technology SW/HW protection. This include
side-channels, as well as transient execution
explicit (not side-channel) interfaces include
and DMA interfaces, access to PCI configuratio
hypercalls (towards Host-side VMM), access to
interrupts allowed to be injected into the gue
well as CoCo technology-specific hypercalls, i
host in a CoCo system typically controls the p
guest: it has a method to load into a guest th
images, the kernel image together with the ker
data should also be considered untrusted until
authenticity is established via attestation.

The table below shows a threat matrix for the
does not discuss potential mitigation strategi
CoCo-specific versions of the guest, host and

.. list-table:: CoCo Linux guest kernel threat
   :widths: auto
   :align: center
   :header-rows: 1

   * - Threat name
     - Threat description

   * - Guest malicious configuration
     - A misbehaving host modifies one of the
       configuration:

       1. Guest firmware or bootloader

       2. Guest kernel or module binaries

       3. Guest command line parameters

       This allows the host to break the integ
       inside a CoCo guest, and violates the C

   * - CoCo guest data attacks
     - A misbehaving host retains full control
       in-transit between the guest and the ho
       virtual devices. This allows any attack
       integrity or freshness of such data.

   * - Malformed runtime input
     - A misbehaving host injects malformed in
       interface used by the guest's kernel co
       prepared to handle this input correctly
       --> guest kernel privilege escalation.
       side-channel and/or transient execution

   * - Malicious runtime input
     - A misbehaving host injects a specific i
       communication interface used by the gue
       difference with the previous attack vec
       is that this input is not malformed, bu
       impact the guest's kernel security. Exa
       providing a malicious time to the guest
       random number generator. Additionally,
       be an attack vector on its own, if it r
       kernel action (i.e. processing of a hos
       resistant to supplied host input.
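The two runtime-input rows of the matrix come down to one rule for guest kernel code: anything read from a host-controlled interface (a shared page, MMIO, a hypercall result) is untrusted until it has been validated in private memory. The following is an added example, not code from the kernel document or from any real driver, that models this in C for a hypothetical guest driver reading a host-written descriptor from a shared page: the vulnerable form trusts the descriptor, the hardened form snapshots and bounds it; the struct, sizes and function names are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a host-writable shared page: a descriptor the host
 * fills in and the data area it describes. Every byte is host-controlled. */
#define SHARED_DATA_SIZE 64u
#define PRIV_BUF_SIZE    32u
struct shared_desc {
    volatile uint32_t offset;        /* host-written: payload start */
    volatile uint32_t len;           /* host-written: payload length */
    uint8_t data[SHARED_DATA_SIZE];  /* host-written payload area */
};

/* Vulnerable form: trusts host-supplied offset/len, so a misbehaving host can
 * make the guest read past data[] and overrun priv[] (malformed runtime input). */
void copy_in_unchecked(const struct shared_desc *s, uint8_t *priv)
{
    memcpy(priv, s->data + s->offset, s->len);
}

/* Hardened form: read each host field once into private memory (the host can
 * rewrite the page between check and use), then bound the snapshot against
 * both the shared area and the destination. Returns bytes copied, 0 if rejected. */
size_t copy_in_checked(const struct shared_desc *s, uint8_t *priv)
{
    uint32_t off = s->offset;
    uint32_t len = s->len;

    if (len == 0 || len > PRIV_BUF_SIZE)
        return 0;
    if (off > SHARED_DATA_SIZE || len > SHARED_DATA_SIZE - off) /* no wrap */
        return 0;
    memcpy(priv, s->data + off, len);
    return len;
}

/* Hypothetical test hook: fill data[i] = i, let the "host" set the descriptor
 * and return the accepted byte count (0 if the payload did not come through). */
size_t demo_case(uint32_t off, uint32_t len)
{
    struct shared_desc s;
    uint8_t priv[PRIV_BUF_SIZE];
    for (size_t i = 0; i < SHARED_DATA_SIZE; i++)
        s.data[i] = (uint8_t)i;
    s.offset = off;
    s.len = len;
    size_t n = copy_in_checked(&s, priv);
    return (n && priv[0] != (uint8_t)off) ? 0 : n;
}
```

The single-read snapshot matters as much as the bounds check: a check performed directly on the shared field can be invalidated by the host rewriting that field before the copy uses it.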