Lines Matching +full:guest +full:- +full:side

17 the kernel through various networking or limited HW-specific exposed
46 integrity for the VM's guest memory and execution state (vCPU registers),
47 more tightly controlled guest interrupt injection, as well as some
48 additional mechanisms to control guest-host page mapping. More details on
49 the x86-specific solutions can be found in
51 …https://www.amd.com/system/files/techdocs/sev-snp-strengthening-vm-isolation-with-integrity-protec…
53 The basic CoCo guest layout includes the host, guest, the interfaces that
54 communicate guest and host, a platform capable of supporting CoCo VMs, and
55 a trusted intermediary between the guest VM and the underlying platform
56 that acts as a security manager. The host-side virtual machine monitor
58 is still in charge of the guest lifecycle, i.e. create or destroy a CoCo
63 In the following diagram, the "<--->" lines represent bi-directional
65 the rest of the components (data flow for guest, host, hardware) ::
67 +-------------------+ +-----------------------+
68 | CoCo guest VM |<---->| |
69 +-------------------+ | |
71 +-------------------+ | |
72 | Host VMM |<---->| |
73 +-------------------+ | |
75 +--------------------+ | |
76 | CoCo platform |<--->| |
77 +--------------------+ +-----------------------+
88 +-----------------------+ +-------------------+
89 | |<---->| Userspace |
90 | | +-------------------+
92 | vectors | +-------------------+
93 | |<---->| Linux Kernel |
94 | | +-------------------+
95 +-----------------------+ +-------------------+
97 +-------------------+
98 +-------------------+
100 +-------------------+
122 kernel attacks include the vulnerabilities CVE-2019-19524, CVE-2022-0435
123 and CVE-2020-24490.
136 (in contrast to a remote network attacker) and has control over the guest
139 +------------------------+
140 | CoCo guest VM |
141 +-----------------------+ | +-------------------+ |
142 | |<--->| | Userspace | |
143 | | | +-------------------+ |
145 | vectors | | +-------------------+ |
146 | |<--->| | Linux Kernel | |
147 | | | +-------------------+ |
148 +-----------------------+ | +-------------------+ |
150 +-----------------------+ | +-------------------+ |
151 | |<--->+------------------------+
153 | | +------------------------+
154 | CoCo security |<--->| Host/Host-side VMM |
155 | manager | +------------------------+
156 | | +------------------------+
157 | |<--->| CoCo platform |
158 +-----------------------+ +------------------------+
160 While traditionally the host has unlimited access to guest data and can
161 leverage this access to attack the guest, the CoCo systems mitigate such
162 attacks by adding security features like guest data confidentiality and
168 1. Preserve the confidentiality and integrity of CoCo guest's private
171 2. Prevent privilege escalation from a host into a CoCo guest Linux kernel.
172 While it is true that the host (and host-side VMM) requires some level of
173 privilege to create, destroy, or pause the guest, part of the goal of
175 provide a pathway for attackers to gain access to the guest's kernel.
180 1. Guest kernel execution context.
181 2. Guest kernel private memory.
183 The host retains full control over the CoCo guest resources, and can deny
185 that the guest can consume, network bandwidth, etc. Because of this, the
190 guest Linux kernel towards an untrusted host that is not covered by the
192 side-channels, as well as transient execution side channels. Examples of
193 explicit (not side-channel) interfaces include accesses to port I/O, MMIO
194 and DMA interfaces, access to PCI configuration space, VMM-specific
195 hypercalls (towards Host-side VMM), access to shared memory pages,
196 interrupts allowed to be injected into the guest kernel by the host, as
197 well as CoCo technology-specific hypercalls, if present. Additionally, the
199 guest: it has a method to load into a guest the firmware and bootloader
204 The table below shows a threat matrix for the CoCo guest Linux kernel but
206 CoCo-specific versions of the guest, host and platform.
208 .. list-table:: CoCo Linux guest kernel threat matrix
211 :header-rows: 1
213 * - Threat name
214 - Threat description
216 * - Guest malicious configuration
217 - A misbehaving host modifies one of the following guest's
220 1. Guest firmware or bootloader
222 2. Guest kernel or module binaries
224 3. Guest command line parameters
227 inside a CoCo guest, and violates the CoCo security objectives.
229 * - CoCo guest data attacks
230 - A misbehaving host retains full control of the CoCo guest's data
231 in-transit between the guest and the host-managed physical or
235 * - Malformed runtime input
236 - A misbehaving host injects malformed input via any communication
237 interface used by the guest's kernel code. If the code is not
239 --> guest kernel privilege escalation. This includes traditional
240 side-channel and/or transient execution attack vectors.
242 * - Malicious runtime input
243 - A misbehaving host injects a specific input value via any
244 communication interface used by the guest's kernel code. The
247 impact the guest's kernel security. Examples of such inputs include
248 providing a malicious time to the guest or the entropy to the guest
250 be an attack vector on its own, if it results in a particular guest
251 kernel action (i.e. processing of a host-injected interrupt).