Re: [PATCH V4] virt: sev: Prevent IV reuse in SNP guest driver
From: Peter Gonda
Date: Wed Nov 16 2022 - 12:57:49 EST
On Wed, Nov 16, 2022 at 10:28 AM Borislav Petkov <bp@xxxxxxx> wrote:
>
> On Wed, Nov 16, 2022 at 10:10:58AM -0700, Peter Gonda wrote:
> > I think another comment above the first snp_issue_guest_request()
> > could help too. Saying once we call this function we either need to
> > increment the sequence number or wipe the VMPCK to ensure the
> > encryption scheme is safe.
>
> And make that explicit pls:
>
> /*
> * If the extended guest request fails due to having to small of a
> * certificate data buffer retry the same guest request without the
> * extended data request...
>
> ... in order to not have to reuse the IV.
>
>
> I have to admit, the flow in that function is still not optimal but I
> haven't stared at it long enough to have a better idea...
Thanks for all the feedback Tom and Boris. I've sent out a V5. I hope
I've gotten the grammar correct in these comments.