| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 3 Oct 2013 08:43:55 +0300 From: Gleb Natapov <gleb@...hat.com> To: Benjamin Herrenschmidt <benh@...nel.crashing.org> Cc: Alexander Graf <agraf@...e.de>, Paolo Bonzini <pbonzini@...hat.com>, Paul Mackerras <paulus@...ba.org>, Michael Ellerman <michael@...erman.id.au>, linux-kernel@...r.kernel.org, mpm@...enic.com, herbert@...dor.hengli.com.au, linuxppc-dev@...abs.org, kvm@...r.kernel.org, kvm-ppc@...r.kernel.org, tytso@....edu Subject: Re: [PATCH 3/3] KVM: PPC: Book3S: Add support for hwrng found on some powernv systems On Thu, Oct 03, 2013 at 08:02:20AM +1000, Benjamin Herrenschmidt wrote: > On Wed, 2013-10-02 at 13:02 +0300, Gleb Natapov wrote: > > > Yes, I alluded to it in my email to Paul and Paolo asked also. How this > > interface is disabled? Also hwrnd is MMIO in a host why guest needs to > > use hypercall instead of emulating the device (in kernel or somewhere > > else?). > > Migration will have to be dealt with one way or another, I suppose we > will indeed need a qemu fallback. > So at least from amount of code perspective userspace and kernel space solutions are on par since later will require former anyway. What about other direction? Migration from KVM that does not have the hypercall to one that has? We try to not change HW under a guest. > As for why hypercall instead of MMIO, well, you'd have to ask the folks > who wrote the PAPR spec :-) It's specified as a hypercall and > implemented as such in pHyp (PowerVM). The existing guests expect it > that way. OK. > > It might have to do with the required whitening done by the hypervisor > (H_RANDOM output is supposed to be clean). It also abstracts us from the > underlying HW implementation which could in theory change. > But I guess bare metal OS has to know how to do whitening and deal with HW change already. Anyway this is not the place to discuss PAPR decisions. Thanks for insights. > > Another things is that on a host hwrnd is protected from > > direct userspace access by virtue of been a device, but guest code (event > > kernel mode) is userspace as far as hosts security model goes, so by > > implementing this hypercall in a way that directly access hwrnd you > > expose hwrnd to a userspace unconditionally. Why is this a good idea? > > Why would this be a bad idea ? > When you elevate privilege you need to explain why it is not harmful and why the privilege was restricted in the first place. /dev/hwrng that first patch created gives access only to root, this patch changes it to whoever can create a guest. Why it can be a bad idea? User can drain hwrng continuously making other users of it much slower, or even worse, making them fall back to another much less reliable, source of entropy. -- Gleb. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists