======================================================
Confidential Computing in Linux for x86 virtualization
======================================================

.. contents:: :local:

By: Elena Reshetova <elena.reshetova@intel.com> and Carlos Bilbao <carlos.bilbao.osdev@gmail.com>

Motivation
==========

Kernel developers working on confidential computing for virtualized
environments in x86 operate under a set of assumptions regarding the Linux
kernel threat model that differ from the traditional view. Historically,
the Linux threat model acknowledges attackers residing in userspace, as
well as a limited set of external attackers that are able to interact with
the kernel through various networking or limited HW-specific exposed
interfaces (USB, Thunderbolt). The goal of this document is to explain
additional attack vectors that arise in the confidential computing space
and discuss the proposed protection mechanisms for the Linux kernel.

Overview and terminology
========================

Confidential Computing (CoCo) is a broad term covering a wide range of
security technologies that aim to protect the confidentiality and integrity
of data in use (vs. data at rest or data in transit). At its core, CoCo
solutions provide a Trusted Execution Environment (TEE), where secure data
processing can be performed and, as a result, they are typically further
classified into different subtypes depending on the SW that is intended to
be run in the TEE. This document focuses on a subclass of CoCo technologies
that target virtualized environments and allow running Virtual Machines
(VM) inside a TEE. From now on, this document will refer to this subclass
of CoCo as 'Confidential Computing (CoCo) for the virtualized environments
(VE)'.

CoCo, in the virtualization context, refers to a set of HW and/or SW
technologies that allow for stronger security guarantees for the SW running
inside a CoCo VM. Namely, confidential computing allows its users to
confirm the trustworthiness of all SW pieces included in its reduced
Trusted Computing Base (TCB), given its ability to attest the state of
these trusted components.

While the concrete implementation details differ between technologies, all
available mechanisms aim to provide increased confidentiality and integrity
for the VM's guest memory and execution state (vCPU registers), more
tightly controlled guest interrupt injection, as well as some additional
mechanisms to control guest-host page mapping. More details on the
x86-specific solutions can be found in
:doc:`Intel Trust Domain Extensions (TDX) </arch/x86/tdx>` and
`AMD Memory Encryption <https://www.amd.com/system/files/techdocs/sev-snp-strengthening-vm-isolation-with-integrity-protection-and-more.pdf>`_.

The basic CoCo guest layout includes the host, the guest, the interfaces
through which guest and host communicate, a platform capable of supporting
CoCo VMs, and a trusted intermediary between the guest VM and the
underlying platform that acts as a security manager. The host-side virtual
machine monitor (VMM) typically consists of a subset of traditional VMM
features and is still in charge of the guest lifecycle, i.e. creating or
destroying a CoCo VM, managing its access to system resources, etc.
However, since it typically stays out of the CoCo VM TCB, its access is
limited to preserve the security objectives.

In the following diagram, the "<--->" lines represent bi-directional
communication channels or interfaces between the CoCo security manager and
the rest of the components (data flow for guest, host, hardware) ::

    +-------------------+      +-----------------------+
    | CoCo guest VM     |<---->|                       |
    +-------------------+      |                       |
      | Interfaces |           | CoCo security manager |
    +-------------------+      |                       |
    | Host VMM          |<---->|                       |
    +-------------------+      |                       |
                               |                       |
    +--------------------+     |                       |
    | CoCo platform      |<--->|                       |
    +--------------------+     +-----------------------+

The specific details of the CoCo security manager vastly diverge between
technologies. For example, in some cases it will be implemented in HW,
while in others it may be pure SW.

Existing Linux kernel threat model
==================================

The overall components of the current Linux kernel threat model are::

    +-----------------------+      +-------------------+
    |                       |<---->| Userspace         |
    |                       |      +-------------------+
    | External attack       |        | Interfaces |
    | vectors               |      +-------------------+
    |                       |<---->| Linux Kernel      |
    |                       |      +-------------------+
    +-----------------------+      +-------------------+
                                   | Bootloader/BIOS   |
                                   +-------------------+
                                   +-------------------+
                                   | HW platform       |
                                   +-------------------+

There is also communication between the bootloader and the kernel during
the boot process, but this diagram does not represent it explicitly. The
"Interfaces" box represents the various interfaces that allow communication
between kernel and userspace. This includes system calls, kernel APIs,
device drivers, etc.

The existing Linux kernel threat model typically assumes execution on a
trusted HW platform with all of the firmware and bootloaders included in
its TCB. The primary attacker resides in userspace, and all of the data
coming from there is generally considered untrusted, unless userspace is
privileged enough to perform trusted actions. In addition, external
attackers are typically considered, including those with access to enabled
external networks (e.g. Ethernet, Wireless, Bluetooth), exposed hardware
interfaces (e.g. USB, Thunderbolt), and the ability to modify the contents
of disks offline.

Regarding external attack vectors, it is interesting to note that in most
cases external attackers will try to exploit vulnerabilities in userspace
first, but that it is possible for an attacker to directly target the
kernel, particularly if the attacker has physical access to the host.
Examples of direct kernel attacks include the vulnerabilities
CVE-2019-19524, CVE-2022-0435 and CVE-2020-24490.

Confidential Computing threat model and its security objectives
===============================================================

Confidential Computing adds a new type of attacker to the above list: a
potentially misbehaving host (which can also include some part of a
traditional VMM or all of it), which is typically placed outside of the
CoCo VM TCB due to its large SW attack surface. It is important to note
that this doesn't imply that the host or VMM are intentionally malicious,
but that there exists a security value in having a small CoCo VM TCB. This
new type of adversary may be viewed as a more powerful type of external
attacker, as it resides locally on the same physical machine (in contrast
to a remote network attacker) and has control over the guest kernel
communication with most of the HW::

                                  +------------------------+
                                  |     CoCo guest VM      |
    +-----------------------+     | +--------------------+ |
    |                       |<--->| | Userspace          | |
    |                       |     | +--------------------+ |
    | External attack       |     |   | Interfaces |      |
    | vectors               |     | +--------------------+ |
    |                       |<--->| | Linux Kernel       | |
    |                       |     | +--------------------+ |
    +-----------------------+     | +--------------------+ |
                                  | | Bootloader/BIOS    | |
    +-----------------------+     | +--------------------+ |
    |                       |<--->+------------------------+
    |                       |       | Interfaces |
    |                       |     +------------------------+
    |     CoCo security     |<--->| Host/Host-side VMM     |
    |     manager           |     +------------------------+
    |                       |     +------------------------+
    |                       |<--->| CoCo platform          |
    +-----------------------+     +------------------------+

While traditionally the host has unlimited access to guest data and can
leverage this access to attack the guest, CoCo systems mitigate such
attacks by adding security features like guest data confidentiality and
integrity protection. This threat model assumes that those features are
available and intact.

The **Linux kernel CoCo VM security objectives** can be summarized as follows:

1. Preserve the confidentiality and integrity of the CoCo guest's private
   memory and registers.

2. Prevent privilege escalation from a host into a CoCo guest Linux kernel.
   While it is true that the host (and host-side VMM) requires some level
   of privilege to create, destroy, or pause the guest, part of the goal of
   preventing privilege escalation is to ensure that these operations do
   not provide a pathway for attackers to gain access to the guest's
   kernel.

The above security objectives result in two primary **Linux kernel CoCo VM
assets**:

1. Guest kernel execution context.
2. Guest kernel private memory.

The host retains full control over the CoCo guest resources, and can deny
access to them at any time. Examples of resources include CPU time, memory
that the guest can consume, network bandwidth, etc. Because of this, host
Denial of Service (DoS) attacks against CoCo guests are beyond the scope of
this threat model.

The **Linux CoCo VM attack surface** is any interface exposed from a CoCo
guest Linux kernel towards an untrusted host that is not covered by the
CoCo technology SW/HW protection. This includes any possible side-channels,
as well as transient execution side channels. Examples of explicit (not
side-channel) interfaces include accesses to port I/O, MMIO and DMA
interfaces, access to PCI configuration space, VMM-specific hypercalls
(towards the host-side VMM), access to shared memory pages, interrupts
allowed to be injected into the guest kernel by the host, as well as CoCo
technology-specific hypercalls, if present. Additionally, the host in a
CoCo system typically controls the process of creating a CoCo guest: it has
a method to load into a guest the firmware and bootloader images, and the
kernel image together with the kernel command line. All of this data should
also be considered untrusted until its integrity and authenticity is
established via attestation.

The table below shows a threat matrix for the CoCo guest Linux kernel but
does not discuss potential mitigation strategies. The matrix refers to
CoCo-specific versions of the guest, host and platform.

.. list-table:: CoCo Linux guest kernel threat matrix
   :widths: auto
   :align: center
   :header-rows: 1

   * - Threat name
     - Threat description

   * - Guest malicious configuration
     - A misbehaving host modifies one of the following guest's
       configuration:

       1. Guest firmware or bootloader

       2. Guest kernel or module binaries

       3. Guest command line parameters

       This allows the host to break the integrity of the code running
       inside a CoCo guest, and violates the CoCo security objectives.

   * - CoCo guest data attacks
     - A misbehaving host retains full control of the CoCo guest's data
       in transit between the guest and the host-managed physical or
       virtual devices. This allows any attack against confidentiality,
       integrity or freshness of such data.

   * - Malformed runtime input
     - A misbehaving host injects malformed input via any communication
       interface used by the guest's kernel code. If the code is not
       prepared to handle this input correctly, this can result in a
       host --> guest kernel privilege escalation. This includes
       traditional side-channel and/or transient execution attack
       vectors.

   * - Malicious runtime input
     - A misbehaving host injects a specific input value via any
       communication interface used by the guest's kernel code. The
       difference with the previous attack vector (malformed runtime
       input) is that this input is not malformed, but its value is
       crafted to impact the guest's kernel security. Examples of such
       inputs include providing a malicious time to the guest or the
       entropy to the guest random number generator. Additionally, the
       timing of such events can be an attack vector on its own, if it
       results in a particular guest kernel action (i.e. processing of a
       host-injected interrupt).
       resistant to supplied host input.