lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 06 Feb 2012 08:00:27 -0600
From:	Anthony Liguori <anthony@...emonkey.ws>
To:	Avi Kivity <avi@...hat.com>
CC:	KVM list <kvm@...r.kernel.org>, qemu-devel <qemu-devel@...gnu.org>,
	Gleb Natapov <gleb@...hat.com>,
	linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: [Qemu-devel] [RFC] Next gen kvm api

On 02/06/2012 07:54 AM, Avi Kivity wrote:
> On 02/06/2012 03:33 PM, Anthony Liguori wrote:
>>> Look at arch/x86/kvm/i8254.c:pit_ioport_read() for a counterexample.
>>> There are also interactions with other devices (for example the
>>> apic/ioapic interaction via the apic bus).
>>
>>
>> Hrm, maybe I'm missing it, but the path that would be hot is:
>>
>> if (!status_latched&&  !count_latched) {
>>     value = kpit_elapsed()
>>     // manipulate count based on mode
>>     // mask value depending on read_state
>> }
>>
>> This path is side-effect free, and applies relatively simple math to a
>> time counter.
>
> Do guests always read an unlatched counter?  Doesn't seem reasonable
> since they can't get a stable count this way.

Perhaps.  You could have the latching done by writing to persisted scratch 
memory but then locking becomes an issue.

>> The idea would be to allow the filter to not handle an I/O request
>> depending on existing state.  Anything that's modifies state (like
>> reading the latch counter) would drop to userspace.
>
> This restricts us to a subset of the device which is at the mercy of the
> guest.

Yes, but it provides an elegant solution to having a flexible way to do things 
in the fast path in a generic way without presenting additional security concerns.

A similar, albeit more complex and less elegant, approach would be to make use 
of something like the vtpm optimization to reflect certain exits back into 
injected code into the guest.  But this has the disadvantage of being very 
x86-centric and it's not clear if you can avoid double exits which would hurt 
the slow paths.

> We could define mmio registers for muldiv64, and for communicating over
> the APIC bus.  But then the device model for BPF ends up more
> complicated than the kernel devices we have put together.

Maybe what we really need is NaCL for kernel space :-D

Regards,

Anthony Liguori


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ