Author Topic: Ultravisor state and/or FlexVer as a substitute for confidential/trustworthy rem  (Read 10936 times)

AbstractConcept

  • Newbie
  • *
  • Posts: 14
  • Karma: +0/-0
    • View Profile
I have been occasionally reading the Signal blog,
https://signal.org/blog/secure-value-recovery/
and now that they are once again bringing up SGX as a possible solution to confidential/trustworthy remote processing, I am curious if POWER9’s Ultravisor mode along with Flexver could act as a replacement for SGX.
https://wiki.raptorcs.com/wiki/Power_ISA/Privilege_States#Ultravisor_State

To be honest, I do not fully understand the three (SGX, Flexver, or P9’s Ultravisor), but what Integricloud seems to be claiming to do with FlexVer in terms of allowing a user to verify code running remotely, seems awfully similar to how Signal is trying to use SGX to run code on the users behalf remotely without allowing the SGX server to see the inputs or outputs of the code being executed. From what I have read about Ultravisor state, IBM is certainly positioning it as an alternative to SGX and AMD’S Secure Processor memory encryption.
https://developer.ibm.com/articles/l-support-protected-computing/
https://www.kernel.org/doc/html/latest/powerpc/ultravisor.html

As Signal is pretty much the only messaging program I have significant trust in, part of my interest here is that I would like to see Signal using something other than a DRM mechanism to do private remote processing.

Though regardless, the promise of being able to perform confidential processing remotely is intriguing by itself, especially when done without placing absolute and irrevocable trust in the manufacturer.
« Last Edit: January 11, 2020, 01:55:42 pm by AbstractConcept »

ClassicHasClass

  • Sr. Member
  • ****
  • Posts: 467
  • Karma: +35/-0
  • Talospace Earth Orbit
    • View Profile
    • Floodgap
I'm doing research for a future Talospace article on the ultravisor, but while it should do something conceptually similar I don't think it's an exact replacement for SGX.

Flexver seems to have a little different scope and involves tamper protection as well AIUI, but @madscientist159 could say more about that.

madscientist159

  • Raptor Staff
  • *****
  • Posts: 47
  • Karma: +11/-0
    • View Profile
I'm doing research for a future Talospace article on the ultravisor, but while it should do something conceptually similar I don't think it's an exact replacement for SGX.

Flexver seems to have a little different scope and involves tamper protection as well AIUI, but @madscientist159 could say more about that.

Yes, FlexVer is the technology required to basically harden the systems against direct physical attack.  Since we consider permanent vendor control via e.g. vendor signing keys absolutely unacceptable, some other scheme is required to prevent physical access from silently becoming root / hypervisor root.  That's where FlexVer sits.

We have a few papers online, e.g. https://www.raptorengineering.com/TALOS/documentation/flexver_intro.pdf and https://www.raptorengineering.com/TALOS/documentation/integrimon_intro.pdf .  There's also some information at http://integricloud.com/content/base/service_intro.html , and I'd be happy to answer any direct questions you have.

Since Ultravisor is owner controlled, we'd generally say FlexVer is needed to make sure the Ultravisor image you think you loaded was actually loaded if a hostile physical environment is in play.

@AbstractConcept My standard answer to anyone promoting SGX as a "secure" solution is to ask, do you have an SLA with Intel that will pay out all damages incurred if SGX is implemented wrong, has a firmware bug that allows malicious access, if Intel abuses their keys to gain access to your data (including under court order / with warrant), etc.?  If not, you're just blindly trusting a third party to act in your interests at all times for no real reason.  Not a place I'd like to be, and definitely nothing I'd call "secure".  ;)
« Last Edit: January 12, 2020, 11:27:02 pm by madscientist159 »

rjzak

  • Newbie
  • *
  • Posts: 34
  • Karma: +6/-0
    • View Profile
    • Personal site
So for the sake of clarify, the "v2" POWER9 chips do support the Ultravisor, correct?

The Wiki says POWER9 2.3 does support Ultravisor: https://wiki.raptorcs.com/wiki/POWER9#Steppings
And the Wiki says that Ultravisor does not exist in POWER9: https://wiki.raptorcs.com/wiki/Power_ISA/Privilege_States

I also ask because I'm working on a project (Enarx) which runs workloads in trusted execution environments, such as Intel SGX. I'd like to support POWER9's Ultravisor/PEF if it's available on a Talos II system, and functional (and hopefully documented enough to figure out!).
« Last Edit: August 01, 2022, 05:35:51 pm by rjzak »

SiteAdmin

  • Administrator
  • *****
  • Posts: 41
  • Karma: +15/-0
  • RCS Staff
    • View Profile
So for the sake of clarify, the "v2" POWER9 chips do support the Ultravisor, correct?

That is correct, yes.  We're very interested in anything you are able to do with the Ultravisor mode to enhance system security under owner control!

rjzak

  • Newbie
  • *
  • Posts: 34
  • Karma: +6/-0
    • View Profile
    • Personal site
According to IBM’s paper, the Ultravisor uses a TPM and IBM recommends Nuvoton. https://dl.acm.org/doi/10.1145/3447786.3456243

I also noticed there isn’t anything on the Forum or Wiki about supported TPMs. Sorry if this is a dumb question, as I’ve never used them before, but is there any reason as to why this one wouldn’t work?
ASRock TPM2-S TPM Module Motherboard (V2.0) https://a.co/acA1yDL

rjzak

  • Newbie
  • *
  • Posts: 34
  • Karma: +6/-0
    • View Profile
    • Personal site
After checking the docs, the Talos & Blackbird boards use the 20-pin TPM. So maybe these would work:

* https://a.co/d/91veo25 (Generic brand? not too comfortable with that, unknown chip)
* https://a.co/d/4QA7amk (looks exactly like the one above, same marketing images, not a well-known brand, unknown chip)
* https://a.co/d/etHR62A (SuperMicro, Infineon chip)
* https://a.co/d/bD90lpO (Another no-name brand, unknown chip)

AdamJoseph

  • Newbie
  • *
  • Posts: 16
  • Karma: +3/-0
    • View Profile
I always found very weird that the rev 2.3 ~~hypervisor~~ (edit: ultravisor) can't virtualize the hardware random number generator.

In other words, unprivileged code always has direct access to the HWRNG, and the OS/hypervisor/ultravisor can't do anything to change that.

So very strange.
« Last Edit: September 08, 2022, 02:56:05 pm by AdamJoseph »

ClassicHasClass

  • Sr. Member
  • ****
  • Posts: 467
  • Karma: +35/-0
  • Talospace Earth Orbit
    • View Profile
    • Floodgap
Why would you do otherwise? Since it's a source of entropy, virtualizing it would potentially compromise the cryptographic security of the guest. RDRAND on recent (Ivy Bridge at least) x86_64 is the same way. See https://lwn.net/Articles/887207/ for an example of when this goes wrong.

AdamJoseph

  • Newbie
  • *
  • Posts: 16
  • Karma: +3/-0
    • View Profile
Why would you do otherwise?

Allow the ultravisor to trap if it chooses to (or not, if it chooses to).  The fact that the choice is taken away for this one particular device function is extremely weird.

RDRAND on recent (Ivy Bridge at least) x86_64 is the same way.

No; on x86_64 the hypervisor can trap-and-emulate RDRAND if it chooses to do so: https://patchwork.kernel.org/project/kvm/patch/20170821192640.30817-1-jmattson@google.com/

Since it's a source of entropy, virtualizing it would potentially compromise the cryptographic security of the guest.

Ultravisors can always compromise the security of their guests.