~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/Documentation/security/snp-tdx-threat-model.rst

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /Documentation/security/snp-tdx-threat-model.rst (Version linux-6.12-rc7) and /Documentation/security/snp-tdx-threat-model.rst (Version linux-6.11.7)


  1 ==============================================      1 ======================================================
  2 Confidential Computing in Linux for x86 virtua      2 Confidential Computing in Linux for x86 virtualization
  3 ==============================================      3 ======================================================
  4                                                     4 
  5 .. contents:: :local:                               5 .. contents:: :local:
  6                                                     6 
  7 By: Elena Reshetova <elena.reshetova@intel.com>      7 By: Elena Reshetova <elena.reshetova@intel.com> and Carlos Bilbao <carlos.bilbao.osdev@gmail.com>
  8                                                     8 
  9 Motivation                                          9 Motivation
 10 ==========                                         10 ==========
 11                                                    11 
 12 Kernel developers working on confidential comp     12 Kernel developers working on confidential computing for virtualized
 13 environments in x86 operate under a set of ass     13 environments in x86 operate under a set of assumptions regarding the Linux
 14 kernel threat model that differ from the tradi     14 kernel threat model that differ from the traditional view. Historically,
 15 the Linux threat model acknowledges attackers      15 the Linux threat model acknowledges attackers residing in userspace, as
 16 well as a limited set of external attackers th     16 well as a limited set of external attackers that are able to interact with
 17 the kernel through various networking or limit     17 the kernel through various networking or limited HW-specific exposed
 18 interfaces (USB, thunderbolt). The goal of thi     18 interfaces (USB, thunderbolt). The goal of this document is to explain
 19 additional attack vectors that arise in the co     19 additional attack vectors that arise in the confidential computing space
 20 and discuss the proposed protection mechanisms     20 and discuss the proposed protection mechanisms for the Linux kernel.
 21                                                    21 
 22 Overview and terminology                           22 Overview and terminology
 23 ========================                           23 ========================
 24                                                    24 
 25 Confidential Computing (CoCo) is a broad term      25 Confidential Computing (CoCo) is a broad term covering a wide range of
 26 security technologies that aim to protect the      26 security technologies that aim to protect the confidentiality and integrity
 27 of data in use (vs. data at rest or data in tr     27 of data in use (vs. data at rest or data in transit). At its core, CoCo
 28 solutions provide a Trusted Execution Environm     28 solutions provide a Trusted Execution Environment (TEE), where secure data
 29 processing can be performed and, as a result,      29 processing can be performed and, as a result, they are typically further
 30 classified into different subtypes depending o     30 classified into different subtypes depending on the SW that is intended
 31 to be run in TEE. This document focuses on a s     31 to be run in TEE. This document focuses on a subclass of CoCo technologies
 32 that are targeting virtualized environments an     32 that are targeting virtualized environments and allow running Virtual
 33 Machines (VM) inside TEE. From now on in this      33 Machines (VM) inside TEE. From now on in this document will be referring
 34 to this subclass of CoCo as 'Confidential Comp     34 to this subclass of CoCo as 'Confidential Computing (CoCo) for the
 35 virtualized environments (VE)'.                    35 virtualized environments (VE)'.
 36                                                    36 
 37 CoCo, in the virtualization context, refers to     37 CoCo, in the virtualization context, refers to a set of HW and/or SW
 38 technologies that allow for stronger security      38 technologies that allow for stronger security guarantees for the SW running
 39 inside a CoCo VM. Namely, confidential computi     39 inside a CoCo VM. Namely, confidential computing allows its users to
 40 confirm the trustworthiness of all SW pieces t     40 confirm the trustworthiness of all SW pieces to include in its reduced
 41 Trusted Computing Base (TCB) given its ability     41 Trusted Computing Base (TCB) given its ability to attest the state of these
 42 trusted components.                                42 trusted components.
 43                                                    43 
 44 While the concrete implementation details diff     44 While the concrete implementation details differ between technologies, all
 45 available mechanisms aim to provide increased      45 available mechanisms aim to provide increased confidentiality and
 46 integrity for the VM's guest memory and execut     46 integrity for the VM's guest memory and execution state (vCPU registers),
 47 more tightly controlled guest interrupt inject     47 more tightly controlled guest interrupt injection, as well as some
 48 additional mechanisms to control guest-host pa     48 additional mechanisms to control guest-host page mapping. More details on
 49 the x86-specific solutions can be found in         49 the x86-specific solutions can be found in
 50 :doc:`Intel Trust Domain Extensions (TDX) </ar     50 :doc:`Intel Trust Domain Extensions (TDX) </arch/x86/tdx>` and
 51 `AMD Memory Encryption <https://www.amd.com/sy     51 `AMD Memory Encryption <https://www.amd.com/system/files/techdocs/sev-snp-strengthening-vm-isolation-with-integrity-protection-and-more.pdf>`_.
 52                                                    52 
 53 The basic CoCo guest layout includes the host,     53 The basic CoCo guest layout includes the host, guest, the interfaces that
 54 communicate guest and host, a platform capable     54 communicate guest and host, a platform capable of supporting CoCo VMs, and
 55 a trusted intermediary between the guest VM an     55 a trusted intermediary between the guest VM and the underlying platform
 56 that acts as a security manager. The host-side     56 that acts as a security manager. The host-side virtual machine monitor
 57 (VMM) typically consists of a subset of tradit     57 (VMM) typically consists of a subset of traditional VMM features and
 58 is still in charge of the guest lifecycle, i.e     58 is still in charge of the guest lifecycle, i.e. create or destroy a CoCo
 59 VM, manage its access to system resources, etc     59 VM, manage its access to system resources, etc. However, since it
 60 typically stays out of CoCo VM TCB, its access     60 typically stays out of CoCo VM TCB, its access is limited to preserve the
 61 security objectives.                               61 security objectives.
 62                                                    62 
 63 In the following diagram, the "<--->" lines re     63 In the following diagram, the "<--->" lines represent bi-directional
 64 communication channels or interfaces between t     64 communication channels or interfaces between the CoCo security manager and
 65 the rest of the components (data flow for gues     65 the rest of the components (data flow for guest, host, hardware) ::
 66                                                    66 
 67     +-------------------+      +--------------     67     +-------------------+      +-----------------------+
 68     | CoCo guest VM     |<---->|                   68     | CoCo guest VM     |<---->|                       |
 69     +-------------------+      |                   69     +-------------------+      |                       |
 70       | Interfaces |           | CoCo security     70       | Interfaces |           | CoCo security manager |
 71     +-------------------+      |                   71     +-------------------+      |                       |
 72     | Host VMM          |<---->|                   72     | Host VMM          |<---->|                       |
 73     +-------------------+      |                   73     +-------------------+      |                       |
 74                                |                   74                                |                       |
 75     +--------------------+     |                   75     +--------------------+     |                       |
 76     | CoCo platform      |<--->|                   76     | CoCo platform      |<--->|                       |
 77     +--------------------+     +--------------     77     +--------------------+     +-----------------------+
 78                                                    78 
 79 The specific details of the CoCo security mana     79 The specific details of the CoCo security manager vastly diverge between
 80 technologies. For example, in some cases, it w     80 technologies. For example, in some cases, it will be implemented in HW
 81 while in others it may be pure SW.                 81 while in others it may be pure SW.
 82                                                    82 
 83 Existing Linux kernel threat model                 83 Existing Linux kernel threat model
 84 ==================================                 84 ==================================
 85                                                    85 
 86 The overall components of the current Linux ke     86 The overall components of the current Linux kernel threat model are::
 87                                                    87 
 88      +-----------------------+      +---------     88      +-----------------------+      +-------------------+
 89      |                       |<---->| Userspac     89      |                       |<---->| Userspace         |
 90      |                       |      +---------     90      |                       |      +-------------------+
 91      |   External attack     |         | Inter     91      |   External attack     |         | Interfaces |
 92      |       vectors         |      +---------     92      |       vectors         |      +-------------------+
 93      |                       |<---->| Linux Ke     93      |                       |<---->| Linux Kernel      |
 94      |                       |      +---------     94      |                       |      +-------------------+
 95      +-----------------------+      +---------     95      +-----------------------+      +-------------------+
 96                                     | Bootload     96                                     | Bootloader/BIOS   |
 97                                     +---------     97                                     +-------------------+
 98                                     +---------     98                                     +-------------------+
 99                                     | HW platf     99                                     | HW platform       |
100                                     +---------    100                                     +-------------------+
101                                                   101 
102 There is also communication between the bootlo    102 There is also communication between the bootloader and the kernel during
103 the boot process, but this diagram does not re    103 the boot process, but this diagram does not represent it explicitly. The
104 "Interfaces" box represents the various interf    104 "Interfaces" box represents the various interfaces that allow
105 communication between kernel and userspace. Th    105 communication between kernel and userspace. This includes system calls,
106 kernel APIs, device drivers, etc.                 106 kernel APIs, device drivers, etc.
107                                                   107 
108 The existing Linux kernel threat model typical    108 The existing Linux kernel threat model typically assumes execution on a
109 trusted HW platform with all of the firmware a    109 trusted HW platform with all of the firmware and bootloaders included on
110 its TCB. The primary attacker resides in the u    110 its TCB. The primary attacker resides in the userspace, and all of the data
111 coming from there is generally considered untr    111 coming from there is generally considered untrusted, unless userspace is
112 privileged enough to perform trusted actions.     112 privileged enough to perform trusted actions. In addition, external
113 attackers are typically considered, including     113 attackers are typically considered, including those with access to enabled
114 external networks (e.g. Ethernet, Wireless, Bl    114 external networks (e.g. Ethernet, Wireless, Bluetooth), exposed hardware
115 interfaces (e.g. USB, Thunderbolt), and the ab    115 interfaces (e.g. USB, Thunderbolt), and the ability to modify the contents
116 of disks offline.                                 116 of disks offline.
117                                                   117 
118 Regarding external attack vectors, it is inter    118 Regarding external attack vectors, it is interesting to note that in most
119 cases external attackers will try to exploit v    119 cases external attackers will try to exploit vulnerabilities in userspace
120 first, but that it is possible for an attacker    120 first, but that it is possible for an attacker to directly target the
121 kernel; particularly if the host has physical     121 kernel; particularly if the host has physical access. Examples of direct
122 kernel attacks include the vulnerabilities CVE    122 kernel attacks include the vulnerabilities CVE-2019-19524, CVE-2022-0435
123 and CVE-2020-24490.                               123 and CVE-2020-24490.
124                                                   124 
125 Confidential Computing threat model and its se    125 Confidential Computing threat model and its security objectives
126 ==============================================    126 ===============================================================
127                                                   127 
128 Confidential Computing adds a new type of atta    128 Confidential Computing adds a new type of attacker to the above list: a
129 potentially misbehaving host (which can also i    129 potentially misbehaving host (which can also include some part of a
130 traditional VMM or all of it), which is typica    130 traditional VMM or all of it), which is typically placed outside of the
131 CoCo VM TCB due to its large SW attack surface    131 CoCo VM TCB due to its large SW attack surface. It is important to note
132 that this doesn’t imply that the host or VMM    132 that this doesn’t imply that the host or VMM are intentionally
133 malicious, but that there exists a security va    133 malicious, but that there exists a security value in having a small CoCo
134 VM TCB. This new type of adversary may be view    134 VM TCB. This new type of adversary may be viewed as a more powerful type
135 of external attacker, as it resides locally on    135 of external attacker, as it resides locally on the same physical machine
136 (in contrast to a remote network attacker) and    136 (in contrast to a remote network attacker) and has control over the guest
137 kernel communication with most of the HW::        137 kernel communication with most of the HW::
138                                                   138 
139                                  +------------    139                                  +------------------------+
140                                  |    CoCo gue    140                                  |    CoCo guest VM       |
141    +-----------------------+     |  +---------    141    +-----------------------+     |  +-------------------+ |
142    |                       |<--->|  | Userspac    142    |                       |<--->|  | Userspace         | |
143    |                       |     |  +---------    143    |                       |     |  +-------------------+ |
144    |   External attack     |     |     | Inter    144    |   External attack     |     |     | Interfaces |     |
145    |       vectors         |     |  +---------    145    |       vectors         |     |  +-------------------+ |
146    |                       |<--->|  | Linux Ke    146    |                       |<--->|  | Linux Kernel      | |
147    |                       |     |  +---------    147    |                       |     |  +-------------------+ |
148    +-----------------------+     |  +---------    148    +-----------------------+     |  +-------------------+ |
149                                  |  | Bootload    149                                  |  | Bootloader/BIOS   | |
150    +-----------------------+     |  +---------    150    +-----------------------+     |  +-------------------+ |
151    |                       |<--->+------------    151    |                       |<--->+------------------------+
152    |                       |          | Interf    152    |                       |          | Interfaces |
153    |                       |     +------------    153    |                       |     +------------------------+
154    |     CoCo security     |<--->| Host/Host-s    154    |     CoCo security     |<--->| Host/Host-side VMM |
155    |      manager          |     +------------    155    |      manager          |     +------------------------+
156    |                       |     +------------    156    |                       |     +------------------------+
157    |                       |<--->|   CoCo plat    157    |                       |<--->|   CoCo platform        |
158    +-----------------------+     +------------    158    +-----------------------+     +------------------------+
159                                                   159 
160 While traditionally the host has unlimited acc    160 While traditionally the host has unlimited access to guest data and can
161 leverage this access to attack the guest, the     161 leverage this access to attack the guest, the CoCo systems mitigate such
162 attacks by adding security features like guest    162 attacks by adding security features like guest data confidentiality and
163 integrity protection. This threat model assume    163 integrity protection. This threat model assumes that those features are
164 available and intact.                             164 available and intact.
165                                                   165 
166 The **Linux kernel CoCo VM security objectives    166 The **Linux kernel CoCo VM security objectives** can be summarized as follows:
167                                                   167 
168 1. Preserve the confidentiality and integrity     168 1. Preserve the confidentiality and integrity of CoCo guest's private
169 memory and registers.                             169 memory and registers.
170                                                   170 
171 2. Prevent privileged escalation from a host i    171 2. Prevent privileged escalation from a host into a CoCo guest Linux kernel.
172 While it is true that the host (and host-side     172 While it is true that the host (and host-side VMM) requires some level of
173 privilege to create, destroy, or pause the gue    173 privilege to create, destroy, or pause the guest, part of the goal of
174 preventing privileged escalation is to ensure     174 preventing privileged escalation is to ensure that these operations do not
175 provide a pathway for attackers to gain access    175 provide a pathway for attackers to gain access to the guest's kernel.
176                                                   176 
177 The above security objectives result in two pr    177 The above security objectives result in two primary **Linux kernel CoCo
178 VM assets**:                                      178 VM assets**:
179                                                   179 
180 1. Guest kernel execution context.                180 1. Guest kernel execution context.
181 2. Guest kernel private memory.                   181 2. Guest kernel private memory.
182                                                   182 
183 The host retains full control over the CoCo gu    183 The host retains full control over the CoCo guest resources, and can deny
184 access to them at any time. Examples of resour    184 access to them at any time. Examples of resources include CPU time, memory
185 that the guest can consume, network bandwidth,    185 that the guest can consume, network bandwidth, etc. Because of this, the
186 host Denial of Service (DoS) attacks against C    186 host Denial of Service (DoS) attacks against CoCo guests are beyond the
187 scope of this threat model.                       187 scope of this threat model.
188                                                   188 
189 The **Linux CoCo VM attack surface** is any in    189 The **Linux CoCo VM attack surface** is any interface exposed from a CoCo
190 guest Linux kernel towards an untrusted host t    190 guest Linux kernel towards an untrusted host that is not covered by the
191 CoCo technology SW/HW protection. This include    191 CoCo technology SW/HW protection. This includes any possible
192 side-channels, as well as transient execution     192 side-channels, as well as transient execution side channels. Examples of
193 explicit (not side-channel) interfaces include    193 explicit (not side-channel) interfaces include accesses to port I/O, MMIO
194 and DMA interfaces, access to PCI configuratio    194 and DMA interfaces, access to PCI configuration space, VMM-specific
195 hypercalls (towards Host-side VMM), access to     195 hypercalls (towards Host-side VMM), access to shared memory pages,
196 interrupts allowed to be injected into the gue    196 interrupts allowed to be injected into the guest kernel by the host, as
197 well as CoCo technology-specific hypercalls, i    197 well as CoCo technology-specific hypercalls, if present. Additionally, the
198 host in a CoCo system typically controls the p    198 host in a CoCo system typically controls the process of creating a CoCo
199 guest: it has a method to load into a guest th    199 guest: it has a method to load into a guest the firmware and bootloader
200 images, the kernel image together with the ker    200 images, the kernel image together with the kernel command line. All of this
201 data should also be considered untrusted until    201 data should also be considered untrusted until its integrity and
202 authenticity is established via attestation.      202 authenticity is established via attestation.
203                                                   203 
204 The table below shows a threat matrix for the     204 The table below shows a threat matrix for the CoCo guest Linux kernel but
205 does not discuss potential mitigation strategi    205 does not discuss potential mitigation strategies. The matrix refers to
206 CoCo-specific versions of the guest, host and     206 CoCo-specific versions of the guest, host and platform.
207                                                   207 
208 .. list-table:: CoCo Linux guest kernel threat    208 .. list-table:: CoCo Linux guest kernel threat matrix
209    :widths: auto                                  209    :widths: auto
210    :align: center                                 210    :align: center
211    :header-rows: 1                                211    :header-rows: 1
212                                                   212 
213    * - Threat name                                213    * - Threat name
214      - Threat description                         214      - Threat description
215                                                   215 
216    * - Guest malicious configuration              216    * - Guest malicious configuration
217      - A misbehaving host modifies one of the     217      - A misbehaving host modifies one of the following guest's
218        configuration:                             218        configuration:
219                                                   219 
220        1. Guest firmware or bootloader            220        1. Guest firmware or bootloader
221                                                   221 
222        2. Guest kernel or module binaries         222        2. Guest kernel or module binaries
223                                                   223 
224        3. Guest command line parameters           224        3. Guest command line parameters
225                                                   225 
226        This allows the host to break the integ    226        This allows the host to break the integrity of the code running
227        inside a CoCo guest, and violates the C    227        inside a CoCo guest, and violates the CoCo security objectives.
228                                                   228 
229    * - CoCo guest data attacks                    229    * - CoCo guest data attacks
230      - A misbehaving host retains full control    230      - A misbehaving host retains full control of the CoCo guest's data
231        in-transit between the guest and the ho    231        in-transit between the guest and the host-managed physical or
232        virtual devices. This allows any attack    232        virtual devices. This allows any attack against confidentiality,
233        integrity or freshness of such data.       233        integrity or freshness of such data.
234                                                   234 
235    * - Malformed runtime input                    235    * - Malformed runtime input
236      - A misbehaving host injects malformed in    236      - A misbehaving host injects malformed input via any communication
237        interface used by the guest's kernel co    237        interface used by the guest's kernel code. If the code is not
238        prepared to handle this input correctly    238        prepared to handle this input correctly, this can result in a host
239        --> guest kernel privilege escalation.     239        --> guest kernel privilege escalation. This includes traditional
240        side-channel and/or transient execution    240        side-channel and/or transient execution attack vectors.
241                                                   241 
242    * - Malicious runtime input                    242    * - Malicious runtime input
243      - A misbehaving host injects a specific i    243      - A misbehaving host injects a specific input value via any
244        communication interface used by the gue    244        communication interface used by the guest's kernel code. The
245        difference with the previous attack vec    245        difference with the previous attack vector (malformed runtime input)
246        is that this input is not malformed, bu    246        is that this input is not malformed, but its value is crafted to
247        impact the guest's kernel security. Exa    247        impact the guest's kernel security. Examples of such inputs include
248        providing a malicious time to the guest    248        providing a malicious time to the guest or the entropy to the guest
249        random number generator. Additionally,     249        random number generator. Additionally, the timing of such events can
250        be an attack vector on its own, if it r    250        be an attack vector on its own, if it results in a particular guest
251        kernel action (i.e. processing of a hos    251        kernel action (i.e. processing of a host-injected interrupt).
252        resistant to supplied host input.          252        resistant to supplied host input.
253                                                   253 
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php