SEV - Trammell Hudson's Projects

<!doctype html> <html lang="en" class="no-js"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width,initial-scale=1"> <meta name="description" content="Collection of my projects and hacks."> <link rel="canonical" href="https://trmm.net/SEV/"> <link rel="icon" href="../assets/images/favicon.png"> <meta name="generator" content="mkdocs-1.4.2, mkdocs-material-9.0.6"> <meta property="og:title" content="SEV"> <meta property="og:site_name" content="Trammell Hudson's Projects"> <meta property="og:url" content="https://trmm.net/SEV/"> <meta property="og:description" content="Collection of my projects and hacks."> <meta property="og:image" content="https://trmm.net/images/logo.png"> <title>SEV - Trammell Hudson's Projects</title> <link rel="stylesheet" href="../assets/stylesheets/main.558e4712.min.css"> <link rel="stylesheet" href="../assets/stylesheets/palette.2505c338.min.css"> <!-- Load fonts from Google --> <link href="https://fonts.gstatic.com" rel="preconnect" crossorigin /> <link rel="stylesheet" type="text/css" href="https://fonts.googleapis.com/css?family=IBM+Plex+Serif:300,400,400i,700%7CIBM+Plex+Sans:500,600,700%7CIBM+Plex+Mono&display=fallback" /> <style> body, input { font-family: "IBM Plex Serif", "Helvetica Neue", Helvetica, Arial, sans-serif; } pre, code, kbd { font-family: "IBM Plex Mono", "Courier New", Courier, monospace; } h1, h2, h3, h4, h5, h6 { font-family: "IBM Plex Sans", sans-serif; font-weight: 700 !important; } </style> <link rel="stylesheet" href="../extra.css"> <script>__md_scope=new URL("..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script> </head> <body dir="ltr" data-md-color-scheme="default" data-md-color-primary="black" data-md-color-accent="purple"> <input class="md-toggle" 
data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off"> <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off"> <label class="md-overlay" for="__drawer"></label> <div data-md-component="skip"> <a href="#amd-sev-attested-launch" class="md-skip"> Skip to content </a> </div> <div data-md-component="announce"> </div> <header class="md-header" data-md-component="header"> <nav class="md-header__inner md-grid" aria-label="Header"> <a href=".." title="Trammell Hudson&#39;s Projects" class="md-header__button md-logo" aria-label="Trammell Hudson's Projects" data-md-component="logo"> <img src="../images/logo.png" alt="logo"> </a> <label class="md-header__button md-icon" for="__drawer"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg> </label> <div class="md-header__title" data-md-component="header-title"> <div class="md-header__ellipsis"> <div class="md-header__topic"> <span class="md-ellipsis"> Trammell Hudson's Projects </span> </div> <div class="md-header__topic" data-md-component="header-topic"> <span class="md-ellipsis"> SEV </span> </div> </div> </div> <label class="md-header__button md-icon" for="__search"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg> </label> <div class="md-search" data-md-component="search" role="dialog"> <label class="md-search__overlay" for="__search"></label> <div class="md-search__inner" role="search"> <form class="md-search__form" name="search"> <input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required> <label 
class="md-search__icon md-icon" for="__search"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg> </label> <nav class="md-search__options" aria-label="Search"> <button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg> </button> </nav> </form> <div class="md-search__output"> <div class="md-search__scrollwrap" data-md-scrollfix> <div class="md-search-result" data-md-component="search-result"> <div class="md-search-result__meta"> Initializing search </div> <ol class="md-search-result__list" role="presentation"></ol> </div> </div> </div> </div> </div> <div class="md-header__source"> <a href="https://github.com/osresearch/" title="Go to repository" class="md-source" data-md-component="source"> <div class="md-source__icon md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! 
Font Awesome Free 6.2.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg> </div> <div class="md-source__repository"> GitHub </div> </a> </div> </nav> </header> <div class="md-container" data-md-component="container"> <main class="md-main" data-md-component="main"> <div class="md-main__inner md-grid"> <div class="md-content" data-md-component="content"> <article class="md-content__inner md-typeset"> <h1>SEV</h1> <p><a href="https://www.flickr.com/photos/osr/48299667796/lightbox"><img src="https://live.staticflickr.com/65535/48299667796_1002448fdf_b.jpg" srcset="https://live.staticflickr.com/65535/48299667796_1002448fdf_b.jpg 1024w, https://live.staticflickr.com/65535/48299667796_1002448fdf.jpg 400w" /></a> The AMD Secure Encrypted Virtualization launch process is significantly simpler than SGX, although there are very many keys involved.
The goal is to be able to launch a guest VM on a cloud host in a way that allows secrets to be provisioned into the guest without the cloud provider being able to see them, and to encrypt the memory of the guest so that the cloud provider can't see the running VM either. Protection from other guests and hardware attacks is also expected, although the firmware running on the AMD PSP is able to see everything in clear text.</p> <p>Resources:</p> <ul> <li><a href="https://arxiv.org/pdf/1908.11680.pdf">"Insecure Until Proven Updated: Analyzing AMD SEV's Remote Attestation"</a> (Buhren, Werling and Seifert, 2019-09)</li> <li><a href="https://www.dcl.hpi.uni-potsdam.de/meetings/ss19/Christian%20Werling%20-%20Security%20Analysis%20of%20the%20AMD%20Secure%20Processor.pdf">Security Analysis of the AMD Secure Processor</a> (Werling, 2019-06)</li> <li><a href="https://developer.amd.com/wp-content/resources/55766.PDF">AMD's Secure Encrypted Virtualization API</a> (Version 0.22, 2019-07)</li> </ul> <h2 id="amd-sev-attested-launch">AMD SEV Attested launch</h2> <p><a href="/Category:2019"><span style='color:white; background-color:red'>2019</span></a> <a href="/Category:Security"><span style='color:white; background-color:red'>Security</span></a></p> <h3 id="manufacturing-time">Manufacturing time</h3> <ul> <li>AMD generates the Root Signing Key (<strong>ARK</strong>), which is used for all products</li> <li>AMD generates an SEV Signing Key (<strong>ASK</strong>) for each CPU model or family and signs it with the <strong>ARK</strong></li> <li>PSP or AMD generates the chip endorsement key (<strong>CEK</strong>) and burns it into OTP fuses in the CPU</li> <li>AMD signs the <strong>CEK</strong> with the <strong>ASK</strong>, allowing the PSP to prove that it is a valid AMD SEV CPU</li> </ul> <h3 id="provisioning-time">Provisioning time</h3> <ul> <li>PSP generates the Platform Endorsement Key (<strong>PEK</strong>) and signs it with its own <strong>CEK</strong></li> <li>PSP generates the ECDH Platform Diffie-Hellman key 
(<strong>PDH</strong>) and signs it with the <strong>PEK</strong></li> <li>Cloud provider installs the Owner Certificate Authority public key (<strong>OCA</strong>) into the PSP</li> <li>Cloud provider signs the <strong>PEK</strong> with the <strong>OCA</strong> and sends it into the PSP</li> </ul> <h3 id="enclave-launch-time">Enclave launch time</h3> <p><img alt="thumb" src="/images/AMD_SEV.svg" /></p> <ul> <li>PSP sends <strong>PDH</strong> and <strong>PEK</strong> to the hypervisor, which sends the chain to the guest owner</li> <li>Guest owner validates <strong>PDH</strong> with the chain of <strong>PEK</strong>, <strong>CEK</strong>, <strong>ASK</strong> and <strong>ARK</strong>, as well as <strong>OCA</strong></li> <li>Guest owner generates an ephemeral ECDH key (<strong>GDH</strong>)</li> <li>Guest owner derives a shared Key Encryption Key (<strong>KEK</strong>) from the private key of <strong>GDH</strong> and the public key of <strong>PDH</strong></li> <li>Guest owner generates an ephemeral Transport Integrity Key (<strong>TIK</strong>) and Transport Encryption Key (<strong>TEK</strong>) and encrypts both with <strong>KEK</strong></li> <li>Guest owner sends the public key of <strong>GDH</strong>, the encrypted <strong>TIK</strong>/<strong>TEK</strong>, and the launch policy to the hypervisor</li> <li>Hypervisor calls PSP <code>LAUNCH_START</code> with these parameters (but can't decrypt the <strong>TIK</strong>/<strong>TEK</strong>)</li> <li>PSP derives <strong>KEK</strong> from its private key of <strong>PDH</strong> and the public key of <strong>GDH</strong>, and uses <strong>KEK</strong> to decrypt <strong>TIK</strong></li> <li>Hypervisor allocates an ASID and calls PSP <code>ACTIVATE</code> to enable the guest</li> <li>PSP generates a memory encryption key (<strong>VEK</strong>) for this ASID (if the ASID is already in use, the PSP returns <code>ASID_OWNED</code> and won't activate the guest)</li> <li>Guest owner sends <em>clear text</em> kernel and initrd to the hypervisor</li> <li>Hypervisor calls PSP <code>LAUNCH_UPDATE_DATA</code> to add the 
kernel and initrd to the guest</li> <li>PSP hashes the clear text of the data and encrypts the physical pages with <strong>VEK</strong> (*** IS THERE A TOCTOU? ***)</li> <li>Hypervisor calls PSP <code>LAUNCH_UPDATE_VMSA</code> to configure the virtualization structures</li> <li>PSP hashes the clear text VMSA structures and encrypts them with <strong>VEK</strong></li> <li>Hypervisor calls PSP <code>LAUNCH_MEASURE</code></li> <li>PSP generates a liveness nonce and computes an HMAC over the nonce, data, VMSA and policy using the <strong>TIK</strong> that only it and the guest owner know</li> <li>Hypervisor sends this measurement HMAC to the guest owner (it can't fake it since it doesn't know <strong>TIK</strong>)</li> <li>Guest owner validates the HMAC and trusts that the VM has been set up correctly</li> <li>(Hypervisor can't add new pages at this point since <code>LAUNCH_MEASURE</code> moves the guest into <code>LSECRET</code> mode and disables the <code>LAUNCH_UPDATE_DATA</code> command)</li> <li>Guest owner sends up to 16 KB encrypted with <strong>TEK</strong> and HMAC'ed with <strong>TIK</strong> to the hypervisor. This can contain secrets like disk encryption keys so that the cloud provider can't see them (although the cloud provider was able to see the entire kernel and initrd, so those should not contain secrets).</li> <li>Hypervisor calls PSP <code>LAUNCH_SECRET</code> to add this data to the guest</li> <li>PSP validates the HMAC with <strong>TIK</strong>, decrypts with <strong>TEK</strong> and re-encrypts with <strong>VEK</strong> into the guest's memory</li> <li>Hypervisor calls PSP <code>LAUNCH_FINISH</code>, which causes the PSP to forget all of the guest keys except for <strong>VEK</strong></li> <li>Hypervisor invokes <code>VMRUN</code> to start the encrypted guest enclave</li> </ul> <h3 id="vm-exit">VM Exit</h3> <p>To be written. 
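</p> <p>The enclave launch sequence above, run end to end as an added example (this is not code from the original page or from AMD): the guest owner and the PSP each derive the KEK by ECDH on P-256 (implemented inline) from GDH and PDH, the guest owner wraps TEK and TIK with the KEK, the PSP unwraps them and produces the <code>LAUNCH_MEASURE</code> HMAC, the guest owner checks it, and only then is a secret delivered as in <code>LAUNCH_SECRET</code>. Assumptions: the KDF and the key wrapping are HMAC-based stand-ins for the SP 800-108 KDF and AES-CTR that the SEV API specifies, the HMAC field layout is simplified, the certificate chain check on PDH (PEK, CEK, ASK, ARK and OCA) is taken to have passed already, and every function name and the sample payload are constructed for this example.</p>

```python
# Added example (not AMD's code): a constructed walk-through of the enclave launch steps
# above. ECDH on P-256 is real; the KDF and the key wrapping are HMAC-based stand-ins for
# the SP 800-108 KDF and AES-CTR that the SEV API actually specifies, and the certificate
# chain check (ARK -> ASK -> CEK -> PEK -> PDH, plus OCA) is assumed to have passed already.
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (curve y^2 = x^3 - 3x + b); pow(x, -1, P) needs Python 3.8+.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P   # a = -3 for P-256
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def keygen():
    """Fresh ECDH key pair: used for the PSP's PDH and the guest owner's ephemeral GDH."""
    priv = secrets.randbelow(N - 1) + 1
    return priv, ec_mul(priv, G)

def derive_kek(priv, peer_pub):
    """Stand-in KDF over the ECDH shared x-coordinate (the API uses SP 800-108 plus a nonce)."""
    shared = ec_mul(priv, peer_pub)[0].to_bytes(32, "big")
    return hmac.new(shared, b"sev-kek", hashlib.sha256).digest()[:16]

def xor_crypt(key, label, data):
    """Stand-in for AES-CTR: XOR with an HMAC keystream; applying it twice restores the data."""
    stream = b"".join(hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def launch_measurement(tik, policy, image_digest, nonce):
    """LAUNCH_MEASURE as described above: HMAC over policy, page digest and liveness nonce,
    keyed with TIK, which only the PSP and the guest owner hold (VMSA hashing omitted)."""
    return hmac.new(tik, policy + image_digest + nonce, hashlib.sha256).digest()

def launch(kernel, policy, loaded_kernel=None):
    """Run the flow end to end; `loaded_kernel` models the PSP being handed an image at
    LAUNCH_UPDATE_DATA that differs from the one the guest owner sent."""
    pdh_priv, pdh_pub = keygen()  # PSP side, provisioned earlier
    # Guest owner: ephemeral GDH, KEK from GDH private + PDH public, wrap TEK/TIK with KEK.
    gdh_priv, gdh_pub = keygen()
    tek, tik = secrets.token_bytes(16), secrets.token_bytes(16)
    wrapped = xor_crypt(derive_kek(gdh_priv, pdh_pub), b"wrap", tek + tik)
    # LAUNCH_START: hypervisor forwards gdh_pub, wrapped TEK/TIK and policy; only the PSP,
    # holding the PDH private key, derives the same KEK and can unwrap them.
    keys = xor_crypt(derive_kek(pdh_priv, gdh_pub), b"wrap", wrapped)
    psp_tek, psp_tik = keys[:16], keys[16:]
    # LAUNCH_UPDATE_DATA then LAUNCH_MEASURE: PSP hashes the clear text it was handed.
    digest = hashlib.sha256(kernel if loaded_kernel is None else loaded_kernel).digest()
    nonce = secrets.token_bytes(16)
    measure = launch_measurement(psp_tik, policy, digest, nonce)
    # Guest owner recomputes over the image it actually sent; any difference shows up here.
    expected = launch_measurement(tik, policy, hashlib.sha256(kernel).digest(), nonce)
    if not hmac.compare_digest(measure, expected):
        return {"measure_ok": False, "secret_ok": False}
    # LAUNCH_SECRET: secret encrypted with TEK and HMAC'ed with TIK; PSP verifies, then
    # decrypts (and would re-encrypt with VEK into guest memory).
    secret = b"constructed-disk-key-0123456789"  # constructed sample payload
    blob = xor_crypt(tek, b"secret", secret)
    tag = hmac.new(tik, blob, hashlib.sha256).digest()
    tag_ok = hmac.compare_digest(hmac.new(psp_tik, blob, hashlib.sha256).digest(), tag)
    injected = xor_crypt(psp_tek, b"secret", blob) if tag_ok else None
    return {"measure_ok": True, "secret_ok": injected == secret}

if __name__ == "__main__":
    print(launch(b"vmlinuz+initrd", b"\x00\x00\x00\x01"))
```

<p>Calling <code>launch(kernel, policy, loaded_kernel=other)</code> shows the property the measurement step is there for: the PSP's HMAC covers the digest of whatever it was handed, the owner's expected HMAC covers the image it sent, the comparison fails, and the owner never releases the secret. The model only covers page contents as presented to the PSP for hashing; it says nothing about the open question noted above on modification after hashing.</p> <p>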
Guest has to protect access to VMSA.</p> <h3 id="enclave-migration">Enclave migration</h3> <p>To be written (using <code>SEND_START</code> etc)</p> <hr> <div class="md-source-file"> <small> Last update: <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">November 8, 2020</span> </small> </div> </article> </div> </div> </main> <footer class="md-footer"> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class="md-copyright"> Made with <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener"> Material for MkDocs </a> </div> <div class="md-social"> <a href="https://twitter.com/qrs" target="_blank" rel="noopener" title="twitter.com" class="md-social__link"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><!--! Font Awesome Free 6.2.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M459.37 151.716c.325 4.548.325 9.097.325 13.645 0 138.72-105.583 298.558-298.558 298.558-59.452 0-114.68-17.219-161.137-47.106 8.447.974 16.568 1.299 25.34 1.299 49.055 0 94.213-16.568 130.274-44.832-46.132-.975-84.792-31.188-98.112-72.772 6.498.974 12.995 1.624 19.818 1.624 9.421 0 18.843-1.3 27.614-3.573-48.081-9.747-84.143-51.98-84.143-102.985v-1.299c13.969 7.797 30.214 12.67 47.431 13.319-28.264-18.843-46.781-51.005-46.781-87.391 0-19.492 5.197-37.36 14.294-52.954 51.655 63.675 129.3 105.258 216.365 109.807-1.624-7.797-2.599-15.918-2.599-24.04 0-57.828 46.782-104.934 104.934-104.934 30.213 0 57.502 12.67 76.67 33.137 23.715-4.548 46.456-13.32 66.599-25.34-7.798 24.366-24.366 44.833-46.132 57.827 21.117-2.273 41.584-8.122 60.426-16.243-14.292 20.791-32.161 39.308-52.628 54.253z"/></svg> </a> <a href="https://flickr.com/osr" target="_blank" rel="noopener" title="flickr.com" class="md-social__link"> <svg 
xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.2.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M400 32H48C21.5 32 0 53.5 0 80v352c0 26.5 21.5 48 48 48h352c26.5 0 48-21.5 48-48V80c0-26.5-21.5-48-48-48zM144.5 319c-35.1 0-63.5-28.4-63.5-63.5s28.4-63.5 63.5-63.5 63.5 28.4 63.5 63.5-28.4 63.5-63.5 63.5zm159 0c-35.1 0-63.5-28.4-63.5-63.5s28.4-63.5 63.5-63.5 63.5 28.4 63.5 63.5-28.4 63.5-63.5 63.5z"/></svg> </a> <a href="https://github.com/osresearch" target="_blank" rel="noopener" title="github.com" class="md-social__link"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.2.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6zm-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3zm44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9zM244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8zM97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 
1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1zm-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7zm32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1zm-11.4-14.7c-1.6 1-1.6 3.6 0 5.9 1.6 2.3 4.3 3.3 5.6 2.3 1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2z"/></svg> </a> <a href="https://social.v.st/@th" target="_blank" rel="noopener" title="social.v.st" class="md-social__link"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.2.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M433 179.11c0-97.2-63.71-125.7-63.71-125.7-62.52-28.7-228.56-28.4-290.48 0 0 0-63.72 28.5-63.72 125.7 0 115.7-6.6 259.4 105.63 289.1 40.51 10.7 75.32 13 103.33 11.4 50.81-2.8 79.32-18.1 79.32-18.1l-1.7-36.9s-36.31 11.4-77.12 10.1c-40.41-1.4-83-4.4-89.63-54a102.54 102.54 0 0 1-.9-13.9c85.63 20.9 158.65 9.1 178.75 6.7 56.12-6.7 105-41.3 111.23-72.9 9.8-49.8 9-121.5 9-121.5zm-75.12 125.2h-46.63v-114.2c0-49.7-64-51.6-64 6.9v62.5h-46.33V197c0-58.5-64-56.6-64-6.9v114.2H90.19c0-122.1-5.2-147.9 18.41-175 25.9-28.9 79.82-30.8 103.83 6.1l11.6 19.5 11.6-19.5c24.11-37.1 78.12-34.8 103.83-6.1 23.71 27.3 18.4 53 18.4 175z"/></svg> </a> </div> </div> </div> </footer> </div> <div class="md-dialog" data-md-component="dialog"> <div class="md-dialog__inner md-typeset"></div> </div> <script id="__config" type="application/json">{"base": "..", "features": [], "search": "../assets/javascripts/workers/search.e5c33ebb.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", 
"search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}}</script> <script src="../assets/javascripts/bundle.51d95adb.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.0/MathJax.js?config=TeX-MML-AM_CHTML"></script> </body> </html>
