lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <b612922d-c27d-a6f5-f2e5-fb935bd4c6fb@redhat.com>
Date:   Fri, 4 Aug 2017 16:42:02 +0200
From:   David Hildenbrand <david@...hat.com>
To:     Bandan Das <bsd@...hat.com>, kvm@...r.kernel.org
Cc:     pbonzini@...hat.com, rkrcmar@...hat.com, jmattson@...gle.com,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v7 3/3] KVM: nVMX: Emulate EPTP switching for the L1
 hypervisor

Looks very good to me now. :)

>  	/*
> @@ -7820,6 +7834,88 @@ static int handle_preemption_timer(struct kvm_vcpu *vcpu)
>  	return 1;
>  }
>  
> +static bool valid_ept_address(struct kvm_vcpu *vcpu, u64 address)
> +{
> +	struct vcpu_vmx *vmx = to_vmx(vcpu);
> +	u64 mask = address & 0x7;
> +	int maxphyaddr = cpuid_maxphyaddr(vcpu);
> +
> +	/* Check for memory type validity */
> +	switch (mask) {
> +	case 0:
> +		if (!(vmx->nested.nested_vmx_ept_caps & VMX_EPTP_UC_BIT))
> +			return false;
> +		break;
> +	case 6:
> +		if (!(vmx->nested.nested_vmx_ept_caps & VMX_EPTP_WB_BIT))
> +			return false;
> +		break;

KVM always sets 6 without checking. But there is also a TODO left in
construct_eptp(). But we could hit this case probably only in very
strange environments (e.g. revoking it for our L1, so it cannot use WB
memory for L2). So we should be safe by requiring WB for now.


>From 0ac06e7242d25ba1b66e4e6e2b20dbfa21ba4308 Mon Sep 17 00:00:00 2001
From: David Hildenbrand <david@...hat.com>
Date: Fri, 4 Aug 2017 16:40:32 +0200
Subject: [PATCH v1] KVM: VMX: require EPT WB (Write Back) memory type
support

Signed-off-by: David Hildenbrand <david@...hat.com>
---
 arch/x86/kvm/vmx.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 78c66a7..a2f8475 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -1192,6 +1192,11 @@ static inline bool cpu_has_vmx_ept_4levels(void)
 	return vmx_capability.ept & VMX_EPT_PAGE_WALK_4_BIT;
 }

+static inline bool cpu_has_vmx_ept_wb_bit(void)
+{
+	return vmx_capability.ept & VMX_EPTP_WB_BIT;
+}
+
 static inline bool cpu_has_vmx_ept_ad_bits(void)
 {
 	return vmx_capability.ept & VMX_EPT_AD_BIT;
@@ -4260,7 +4265,6 @@ static u64 construct_eptp(struct kvm_vcpu *vcpu,
unsigned long root_hpa)
 {
 	u64 eptp;

-	/* TODO write the value reading from MSR */
 	eptp = VMX_EPT_DEFAULT_MT |
 		VMX_EPT_DEFAULT_GAW << VMX_EPT_GAW_EPTP_SHIFT;
 	if (enable_ept_ad_bits &&
@@ -6579,7 +6583,8 @@ static __init int hardware_setup(void)
 		init_vmcs_shadow_fields();

 	if (!cpu_has_vmx_ept() ||
-	    !cpu_has_vmx_ept_4levels()) {
+	    !cpu_has_vmx_ept_4levels() ||
+	    !cpu_has_vmx_ept_wb_bit()) {
 		enable_ept = 0;
 		enable_unrestricted_guest = 0;
 		enable_ept_ad_bits = 0;
-- 
2.9.4


-- 

Thanks,

David

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ