2023-03-29 10:53:24 |
Khaled El Mously |
bug |
|
|
added bug |
2023-03-29 10:53:38 |
Khaled El Mously |
bug task added |
|
linux-gcp (Ubuntu) |
|
2023-03-29 10:53:46 |
Khaled El Mously |
bug task deleted |
linux-gcp (Ubuntu) |
|
|
2023-03-29 10:53:59 |
Khaled El Mously |
nominated for series |
|
Ubuntu Kinetic |
|
2023-03-29 10:53:59 |
Khaled El Mously |
bug task added |
|
linux-oracle (Ubuntu Kinetic) |
|
2023-03-29 10:53:59 |
Khaled El Mously |
nominated for series |
|
Ubuntu Lunar |
|
2023-03-29 10:53:59 |
Khaled El Mously |
bug task added |
|
linux-oracle (Ubuntu Lunar) |
|
2023-03-29 10:53:59 |
Khaled El Mously |
nominated for series |
|
Ubuntu Jammy |
|
2023-03-29 10:53:59 |
Khaled El Mously |
bug task added |
|
linux-oracle (Ubuntu Jammy) |
|
2023-03-29 11:10:27 |
Khaled El Mously |
description |
See email about SEV-SNP guest attestation |
From email discussions with Dionna Glazee from Google:
> This email details a critical vulnerability in SEV-SNP attestation
> report integrity protection that must be patched in SEV-SNP-enabled
> kernels.
>
> I'm reaching out since I've been tracking our progress towards a
> stable offering of customer access to SEV-SNP "guest requests". I'd
> like to know how or if y'all test the /dev/sev-guest driver.
>
> The reason I ask is because our host KVM injects failures into the
> guest if requests come too frequently. Test suites that request
> attestation reports in quick succession will fail without very recent
> patches or workaround code in user space.
>
> Technical details, tl;dr
> * Nov 21, 2022: Linux Kernel 6.1 included a security patch 47894e0fa
> that will cause attestation to fail frequently (in GCE). Peter found
> and patched this vulnerability.
>
> Details of security patch 47894e0fa:
> This patch to sev-guest causes more fail-closed situations. All VMM
> errors other than INVALID_LEN will wipe out the VMPCK and close the
> guest's ability to communicate with the security processor.
> Rate-limit failures will also cause a fail-closed situation.
>
> As you may know, guest requests are encrypted by the guest with
> AES_GCM (not AES_GCM_SIV) and then passed through unencrypted memory
> to the host's KVM. KVM forwards that to the crypto/ccp driver to
> deliver to the AMD secure processor to respond to. When the VMM
> returns an error instead of forwarding a request to the secure
> processor, then the guest driver *does not* increment its IV. It can
> therefore reuse an IV on multiple messages with different contents.
> This breaks AES_GCM's security guarantees.
>
> Rate limiting looks to the guest not as a stalled vCPU, but rather a
> special error response that AMD will include in their next published
> version of the GHCB protocol (I believe v2.02). This allows the guest
> VM to schedule other threads and remain productive while waiting up to
> 2 seconds for a request to be serviced. The special error code to an
> unpatched kernel is just forwarded to the guest as an EIO. User space
> may continue to issue requests, even if it is unsafe to do so. |
|
2023-05-11 05:04:41 |
Khaled El Mously |
bug task added |
|
linux-gcp (Ubuntu) |
|
2023-05-11 05:04:48 |
Khaled El Mously |
bug task deleted |
linux-oracle (Ubuntu) |
|
|
2023-05-11 05:04:54 |
Khaled El Mously |
bug task deleted |
linux-oracle (Ubuntu Jammy) |
|
|
2023-05-11 05:05:00 |
Khaled El Mously |
bug task deleted |
linux-oracle (Ubuntu Kinetic) |
|
|
2023-05-11 05:05:05 |
Khaled El Mously |
bug task deleted |
linux-oracle (Ubuntu Lunar) |
|
|
2023-05-11 05:05:12 |
Khaled El Mously |
bug task deleted |
linux-gcp (Ubuntu Kinetic) |
|
|
2023-05-11 05:05:17 |
Khaled El Mously |
bug task deleted |
linux-gcp (Ubuntu Lunar) |
|
|
2023-05-11 05:50:05 |
Khaled El Mously |
bug task added |
|
linux (Ubuntu) |
|
2023-05-11 05:50:18 |
Khaled El Mously |
nominated for series |
|
Ubuntu Kinetic |
|
2023-05-11 05:50:18 |
Khaled El Mously |
bug task added |
|
linux (Ubuntu Kinetic) |
|
2023-05-11 05:50:18 |
Khaled El Mously |
bug task added |
|
linux-gcp (Ubuntu Kinetic) |
|
2023-05-11 05:50:18 |
Khaled El Mously |
nominated for series |
|
Ubuntu Lunar |
|
2023-05-11 05:50:18 |
Khaled El Mously |
bug task added |
|
linux (Ubuntu Lunar) |
|
2023-05-11 05:50:18 |
Khaled El Mously |
bug task added |
|
linux-gcp (Ubuntu Lunar) |
|
2023-05-11 05:50:27 |
Khaled El Mously |
bug task deleted |
linux-gcp (Ubuntu Kinetic) |
|
|
2023-05-11 05:50:32 |
Khaled El Mously |
bug task deleted |
linux-gcp (Ubuntu Lunar) |
|
|
2023-05-11 06:00:05 |
Ubuntu Kernel Bot |
linux (Ubuntu): status |
New |
Incomplete |
|
2023-05-11 06:14:51 |
Khaled El Mously |
bug task deleted |
linux (Ubuntu Lunar) |
|
|
2023-05-11 07:55:38 |
Stefan Bader |
linux (Ubuntu Kinetic): importance |
Undecided |
Medium |
|
2023-05-12 05:54:11 |
Khaled El Mously |
linux (Ubuntu Kinetic): status |
New |
Fix Committed |
|
2023-05-12 05:54:15 |
Khaled El Mously |
linux-gcp (Ubuntu Jammy): status |
New |
Fix Committed |
|
2023-05-18 02:11:23 |
Ubuntu Kernel Bot |
tags |
|
kernel-spammed-kinetic-linux-gcp verification-needed-kinetic |
|
2023-05-22 09:27:18 |
Launchpad Janitor |
linux-gcp (Ubuntu): status |
New |
Fix Released |
|
2023-05-22 09:27:18 |
Launchpad Janitor |
cve linked |
|
2022-36280 |
|
2023-05-22 09:27:18 |
Launchpad Janitor |
cve linked |
|
2023-1075 |
|
2023-05-22 09:27:18 |
Launchpad Janitor |
cve linked |
|
2023-1118 |
|
2023-05-24 05:51:27 |
Ubuntu Kernel Bot |
tags |
kernel-spammed-kinetic-linux-gcp verification-needed-kinetic |
kernel-spammed-jammy-linux-gcp kernel-spammed-kinetic-linux-gcp verification-needed-jammy verification-needed-kinetic |
|
2023-06-06 13:57:38 |
Khaled El Mously |
tags |
kernel-spammed-jammy-linux-gcp kernel-spammed-kinetic-linux-gcp verification-needed-jammy verification-needed-kinetic |
kernel-spammed-jammy-linux-gcp kernel-spammed-kinetic-linux-gcp verification-done-jammy verification-done-kinetic |
|
2023-06-15 22:18:08 |
Launchpad Janitor |
linux-gcp (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2023-06-15 22:18:08 |
Launchpad Janitor |
cve linked |
|
2023-1380 |
|
2023-06-15 22:18:08 |
Launchpad Janitor |
cve linked |
|
2023-1670 |
|
2023-06-15 22:18:08 |
Launchpad Janitor |
cve linked |
|
2023-1859 |
|
2023-06-15 22:18:08 |
Launchpad Janitor |
cve linked |
|
2023-2612 |
|
2023-06-15 22:18:08 |
Launchpad Janitor |
cve linked |
|
2023-30456 |
|
2023-06-15 22:18:08 |
Launchpad Janitor |
cve linked |
|
2023-31436 |
|
2023-06-15 22:18:08 |
Launchpad Janitor |
cve linked |
|
2023-32233 |
|
2023-07-08 00:02:01 |
Ubuntu Kernel Bot |
tags |
kernel-spammed-jammy-linux-gcp kernel-spammed-kinetic-linux-gcp verification-done-jammy verification-done-kinetic |
kernel-spammed-jammy-linux-gcp kernel-spammed-kinetic-linux kernel-spammed-kinetic-linux-gcp verification-done-jammy verification-needed-kinetic |
|