From 7cb96c47a94ea310b151c36380ea8266d21aa12a Mon Sep 17 00:00:00 2001 From: Tom Lendacky Date: Thu, 7 Jan 2021 12:48:13 -0600 Subject: OvmfPkg/ResetVector: Validate the encryption bit position for SEV/SEV-ES BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3108 To help mitigate against ROP attacks, add some checks to validate the encryption bit position that is reported by the hypervisor. The first check is to ensure that the hypervisor reports a bit position above bit 31. After extracting the encryption bit position from the CPUID information, the code checks that the value is above 31. If the value is not above 31, then the bit position is not valid, so the code enters a HLT loop. The second check is specific to SEV-ES guests and is a two step process. The first step will obtain random data using RDRAND and store that data to memory before paging is enabled. When paging is not enabled, all writes to memory are encrypted. The random data is maintained in registers, which are protected. The second step is that, after enabling paging, the random data in memory is compared to the register contents. If they don't match, then the reported bit position is not valid, so the code enters a HLT loop. The third check is after switching to 64-bit long mode. Use the fact that instruction fetches are automatically decrypted, while a memory fetch is decrypted only if the encryption bit is set in the page table. By comparing the bytes of an instruction fetch against a memory read of that same instruction, the encryption bit position can be validated. If the compare is not equal, then SEV/SEV-ES is active but the reported bit position is not valid, so the code enters a HLT loop. To keep the changes local to the OvmfPkg, an OvmfPkg version of the Flat32ToFlat64.asm file has been created based on the UefiCpuPkg file UefiCpuPkg/ResetVector/Vtf0/Ia32/Flat32ToFlat64.asm. Cc: Jordan Justen Cc: Laszlo Ersek Cc: Ard Biesheuvel Cc: Brijesh Singh Reviewed-by: Laszlo Ersek Signed-off-by: Tom Lendacky Message-Id: --- OvmfPkg/Include/Library/MemEncryptSevLib.h | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'OvmfPkg/Include') diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/Library/MemEncryptSevLib.h index a6d82dac7f..dc09c61e58 100644 --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h @@ -21,10 +21,14 @@ // This structure is also used by assembler files: // OvmfPkg/ResetVector/ResetVector.nasmb // OvmfPkg/ResetVector/Ia32/PageTables64.asm +// OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm // any changes must stay in sync with its usage. // typedef struct _SEC_SEV_ES_WORK_AREA { UINT8 SevEsEnabled; + UINT8 Reserved1[7]; + + UINT64 RandomData; } SEC_SEV_ES_WORK_AREA; /** -- cgit v1.2.3