From: Hans-Jörg Höxer Subject: AMD SEV: confidential autoconf whitelist To: Date: Mon, 21 Jul 2025 16:03:12 +0200 Hi, When running confidential -- ie. SEV-* is active -- disable all autoconf attached devices except a set of white listed devices. This is similar to disabling devices using UKC. Running on a hypervisor puts emphasis on device drives as attack surface. Thus we want to reduce that surface in a confidential setting. Take care, Hans-Joerg -- commit 653bf04dfd955a4b746c556fb1f909d0efde33f8 Author: Hans-Joerg Hoexer Date: Wed Jul 16 11:45:00 2025 +0200 AMD SEV: confidential autoconf whitelist When running confidential -- ie. SEV-* is active -- disable all autoconf attached devices except a set of white listed devices. This is similar to disabling devices using UKC. Running on a hypervisor puts emphasis on device drives as attack surface. Thus we want to reduce that surface in a confidential setting.
diff --git a/sys/arch/amd64/amd64/machdep.c b/sys/arch/amd64/amd64/machdep.c
index 991dd2cbeb6..5fdb3ad08e3 100644
--- a/sys/arch/amd64/amd64/machdep.c
+++ b/sys/arch/amd64/amd64/machdep.c
@@ -276,6 +276,7 @@ void map_tramps(void);
 void init_x86_64(paddr_t);
 void (*cpuresetfn)(void);
 void enter_shared_special_pages(void);
+void filter_autoconf(void);
 #ifdef APERTURE
 int allowaperture = 0;
@@ -319,6 +320,8 @@ cpu_startup(void)
 bufinit();
+ filter_autoconf();
+
 if (boothowto & RB_CONFIG) {
 #ifdef BOOT_CONFIG
 user_config();
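Review bot: filter_autoconf() is called immediately before the `if (boothowto & RB_CONFIG)` block, so on a `boot -c` the UKC session in user_config() runs after the filter and its `enable` command can presumably re-enable any driver the allowlist just disabled; in a SEV guest the boot console is emulated by the untrusted host, so this looks like a bypass of the policy rather than a guest-owner override. If that is not intended, move the `filter_autoconf();` call below the `#endif` of the BOOT_CONFIG block so the allowlist is applied last, or clear RB_CONFIG inside filter_autoconf() when SEV is active. If it is intended, a one-line comment would save the next reader the question, e.g. `/* UKC (boot -c) runs after this and may re-enable drivers */`. cpu_startup() begins and ends outside this hunk, and the blank context lines the hunk header counts are not visible here.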
@@ -2212,3 +2215,46 @@ delay_fini(void (*fn)(int))
 amd64_delay_quality = 0;
 }
 }
+
+/*
+ * When running confidential, enable only trusted device drivers.
+ */
+void
+filter_autoconf(void)
+{
+ int i, j, disable;
+ const char *wlist[] = {
+ /* These are sufficient for running on vmm(4)/vmd(8) */
+ "mainbus", "cpu", "pvbus", "pvclock", "pci", "virtio", "viornd",
+ "vio", "vioblk", "scsibus", "sd", "vmmci", "isa", "com",
+ "softraid", "mpath", "vscsi",
+ /* These are additionally required for qemu and Linux/KVM */
+ "ppb", "ioapic", "bios", "acpi", "acpimadt",
+ NULL };
+
+ if (!ISSET(cpu_sev_guestmode, SEV_STAT_ENABLED))
+ return;
+
+ i = 0;
+ while (cfdata[i].cf_attach != NULL) {
+ j = 0;
+ disable = 1;
+ while (wlist[j] != NULL) {
+ if (strcmp(wlist[j], cfdata[i].cf_driver->cd_name)
+ == 0) {
+ disable = 0;
+ break;
+ }
+ j++;
+ }
+ if (!disable) {
+ i++;
+ continue;
+ }
+ if (cfdata[i].cf_fstate == FSTATE_NOTFOUND)
+ cfdata[i].cf_fstate = FSTATE_DNOTFOUND;
+ if (cfdata[i].cf_fstate == FSTATE_STAR)
+ cfdata[i].cf_fstate = FSTATE_DSTAR;
+ i++;
+ }
+}
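Review bot: `wlist` is declared as a plain automatic array of non-const pointers, so the allowlist is rebuilt on the stack on every call and nothing marks it immutable; a security policy table should live in read-only data, `static const char *const wlist[] = { ... };`. The match is on `cf_driver->cd_name` alone, so every attachment of an allowlisted driver at any parent stays enabled (for example `com` wherever it may attach, and everything under `isa`, `acpi` and `bios` that is itself listed), which is probably what you want but deserves a comment such as `/* match by driver name only: all attachments of a listed driver stay enabled */`. Only FSTATE_NOTFOUND and FSTATE_STAR entries are touched, which is presumably fine because cpu_startup() runs before configure() attaches anything, but a short DEBUG-only `printf` naming the disabled drivers would make a guest that no longer finds its root disk much easier to diagnose.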