~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/Documentation/security/snp-tdx-threat-model.rst

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /Documentation/security/snp-tdx-threat-model.rst (Version linux-6.12-rc7) and /Documentation/security/snp-tdx-threat-model.rst (Version linux-5.17.15)


  1 ==============================================    
  2 Confidential Computing in Linux for x86 virtua    
  3 ==============================================    
  4                                                   
  5 .. contents:: :local:                             
  6                                                   
  7 By: Elena Reshetova <elena.reshetova@intel.com>    
  8                                                   
  9 Motivation                                        
 10 ==========                                        
 11                                                   
 12 Kernel developers working on confidential comp    
 13 environments in x86 operate under a set of ass    
 14 kernel threat model that differ from the tradi    
 15 the Linux threat model acknowledges attackers     
 16 well as a limited set of external attackers th    
 17 the kernel through various networking or limit    
 18 interfaces (USB, thunderbolt). The goal of thi    
 19 additional attack vectors that arise in the co    
 20 and discuss the proposed protection mechanisms    
 21                                                   
 22 Overview and terminology                          
 23 ========================                          
 24                                                   
 25 Confidential Computing (CoCo) is a broad term     
 26 security technologies that aim to protect the     
 27 of data in use (vs. data at rest or data in tr    
 28 solutions provide a Trusted Execution Environm    
 29 processing can be performed and, as a result,     
 30 classified into different subtypes depending o    
 31 to be run in TEE. This document focuses on a s    
 32 that are targeting virtualized environments an    
 33 Machines (VM) inside TEE. From now on in this     
 34 to this subclass of CoCo as 'Confidential Comp    
 35 virtualized environments (VE)'.                   
 36                                                   
 37 CoCo, in the virtualization context, refers to    
 38 technologies that allow for stronger security     
 39 inside a CoCo VM. Namely, confidential computi    
 40 confirm the trustworthiness of all SW pieces t    
 41 Trusted Computing Base (TCB) given its ability    
 42 trusted components.                               
 43                                                   
 44 While the concrete implementation details diff    
 45 available mechanisms aim to provide increased     
 46 integrity for the VM's guest memory and execut    
 47 more tightly controlled guest interrupt inject    
 48 additional mechanisms to control guest-host pa    
 49 the x86-specific solutions can be found in        
 50 :doc:`Intel Trust Domain Extensions (TDX) </ar    
 51 `AMD Memory Encryption <https://www.amd.com/sy    
 52                                                   
 53 The basic CoCo guest layout includes the host,    
 54 communicate guest and host, a platform capable    
 55 a trusted intermediary between the guest VM an    
 56 that acts as a security manager. The host-side    
 57 (VMM) typically consists of a subset of tradit    
 58 is still in charge of the guest lifecycle, i.e    
 59 VM, manage its access to system resources, etc    
 60 typically stays out of CoCo VM TCB, its access    
 61 security objectives.                              
 62                                                   
 63 In the following diagram, the "<--->" lines re    
 64 communication channels or interfaces between t    
 65 the rest of the components (data flow for gues    
 66                                                   
 67     +-------------------+      +--------------    
 68     | CoCo guest VM     |<---->|                  
 69     +-------------------+      |                  
 70       | Interfaces |           | CoCo security    
 71     +-------------------+      |                  
 72     | Host VMM          |<---->|                  
 73     +-------------------+      |                  
 74                                |                  
 75     +--------------------+     |                  
 76     | CoCo platform      |<--->|                  
 77     +--------------------+     +--------------    
 78                                                   
 79 The specific details of the CoCo security mana    
 80 technologies. For example, in some cases, it w    
 81 while in others it may be pure SW.                
 82                                                   
 83 Existing Linux kernel threat model                
 84 ==================================                
 85                                                   
 86 The overall components of the current Linux ke    
 87                                                   
 88      +-----------------------+      +---------    
 89      |                       |<---->| Userspac    
 90      |                       |      +---------    
 91      |   External attack     |         | Inter    
 92      |       vectors         |      +---------    
 93      |                       |<---->| Linux Ke    
 94      |                       |      +---------    
 95      +-----------------------+      +---------    
 96                                     | Bootload    
 97                                     +---------    
 98                                     +---------    
 99                                     | HW platf    
100                                     +---------    
101                                                   
102 There is also communication between the bootlo    
103 the boot process, but this diagram does not re    
104 "Interfaces" box represents the various interf    
105 communication between kernel and userspace. Th    
106 kernel APIs, device drivers, etc.                 
107                                                   
108 The existing Linux kernel threat model typical    
109 trusted HW platform with all of the firmware a    
110 its TCB. The primary attacker resides in the u    
111 coming from there is generally considered untr    
112 privileged enough to perform trusted actions.     
113 attackers are typically considered, including     
114 external networks (e.g. Ethernet, Wireless, Bl    
115 interfaces (e.g. USB, Thunderbolt), and the ab    
116 of disks offline.                                 
117                                                   
118 Regarding external attack vectors, it is inter    
119 cases external attackers will try to exploit v    
120 first, but that it is possible for an attacker    
121 kernel; particularly if the host has physical     
122 kernel attacks include the vulnerabilities CVE    
123 and CVE-2020-24490.                               
124                                                   
125 Confidential Computing threat model and its se    
126 ==============================================    
127                                                   
128 Confidential Computing adds a new type of atta    
129 potentially misbehaving host (which can also i    
130 traditional VMM or all of it), which is typica    
131 CoCo VM TCB due to its large SW attack surface    
132 that this doesn’t imply that the host or VMM    
133 malicious, but that there exists a security va    
134 VM TCB. This new type of adversary may be view    
135 of external attacker, as it resides locally on    
136 (in contrast to a remote network attacker) and    
137 kernel communication with most of the HW::        
138                                                   
139                                  +------------    
140                                  |    CoCo gue    
141    +-----------------------+     |  +---------    
142    |                       |<--->|  | Userspac    
143    |                       |     |  +---------    
144    |   External attack     |     |     | Inter    
145    |       vectors         |     |  +---------    
146    |                       |<--->|  | Linux Ke    
147    |                       |     |  +---------    
148    +-----------------------+     |  +---------    
149                                  |  | Bootload    
150    +-----------------------+     |  +---------    
151    |                       |<--->+------------    
152    |                       |          | Interf    
153    |                       |     +------------    
154    |     CoCo security     |<--->| Host/Host-s    
155    |      manager          |     +------------    
156    |                       |     +------------    
157    |                       |<--->|   CoCo plat    
158    +-----------------------+     +------------    
159                                                   
160 While traditionally the host has unlimited acc    
161 leverage this access to attack the guest, the     
162 attacks by adding security features like guest    
163 integrity protection. This threat model assume    
164 available and intact.                             
165                                                   
166 The **Linux kernel CoCo VM security objectives    
167                                                   
168 1. Preserve the confidentiality and integrity     
169 memory and registers.                             
170                                                   
171 2. Prevent privileged escalation from a host i    
172 While it is true that the host (and host-side     
173 privilege to create, destroy, or pause the gue    
174 preventing privileged escalation is to ensure     
175 provide a pathway for attackers to gain access    
176                                                   
177 The above security objectives result in two pr    
178 VM assets**:                                      
179                                                   
180 1. Guest kernel execution context.                
181 2. Guest kernel private memory.                   
182                                                   
183 The host retains full control over the CoCo gu    
184 access to them at any time. Examples of resour    
185 that the guest can consume, network bandwidth,    
186 host Denial of Service (DoS) attacks against C    
187 scope of this threat model.                       
188                                                   
189 The **Linux CoCo VM attack surface** is any in    
190 guest Linux kernel towards an untrusted host t    
191 CoCo technology SW/HW protection. This include    
192 side-channels, as well as transient execution     
193 explicit (not side-channel) interfaces include    
194 and DMA interfaces, access to PCI configuratio    
195 hypercalls (towards Host-side VMM), access to     
196 interrupts allowed to be injected into the gue    
197 well as CoCo technology-specific hypercalls, i    
198 host in a CoCo system typically controls the p    
199 guest: it has a method to load into a guest th    
200 images, the kernel image together with the ker    
201 data should also be considered untrusted until    
202 authenticity is established via attestation.      
203                                                   
204 The table below shows a threat matrix for the     
205 does not discuss potential mitigation strategi    
206 CoCo-specific versions of the guest, host and     
207                                                   
208 .. list-table:: CoCo Linux guest kernel threat    
209    :widths: auto                                  
210    :align: center                                 
211    :header-rows: 1                                
212                                                   
213    * - Threat name                                
214      - Threat description                         
215                                                   
216    * - Guest malicious configuration              
217      - A misbehaving host modifies one of the     
218        configuration:                             
219                                                   
220        1. Guest firmware or bootloader            
221                                                   
222        2. Guest kernel or module binaries         
223                                                   
224        3. Guest command line parameters           
225                                                   
226        This allows the host to break the integ    
227        inside a CoCo guest, and violates the C    
228                                                   
229    * - CoCo guest data attacks                    
230      - A misbehaving host retains full control    
231        in-transit between the guest and the ho    
232        virtual devices. This allows any attack    
233        integrity or freshness of such data.       
234                                                   
235    * - Malformed runtime input                    
236      - A misbehaving host injects malformed in    
237        interface used by the guest's kernel co    
238        prepared to handle this input correctly    
239        --> guest kernel privilege escalation.     
240        side-channel and/or transient execution    
241                                                   
242    * - Malicious runtime input                    
243      - A misbehaving host injects a specific i    
244        communication interface used by the gue    
245        difference with the previous attack vec    
246        is that this input is not malformed, bu    
247        impact the guest's kernel security. Exa    
248        providing a malicious time to the guest    
249        random number generator. Additionally,     
250        be an attack vector on its own, if it r    
251        kernel action (i.e. processing of a hos    
252        resistant to supplied host input.          
253                                                   
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php