Date:   Thu, 14 Sep 2017 16:56:38 +0200
From:   Borislav Petkov <bp@...e.de>
To:     Brijesh Singh <brijesh.singh@....com>
Cc:     linux-kernel@...r.kernel.org, x86@...nel.org, kvm@...r.kernel.org,
        Thomas Gleixner <tglx@...utronix.de>,
        Joerg Roedel <joro@...tes.org>,
        "Michael S . Tsirkin" <mst@...hat.com>,
        Paolo Bonzini <pbonzini@...hat.com>,
        "Radim Krčmář" <rkrcmar@...hat.com>,
        Tom Lendacky <thomas.lendacky@....com>
Subject: Re: [RFC Part2 PATCH v3 25/26] KVM: SVM: Do not install #UD
 intercept when SEV is enabled

On Mon, Jul 24, 2017 at 03:03:02PM -0500, Brijesh Singh wrote:
> On #UD, x86_emulate_instruction() fetches the data from guest memory and
> decodes the instruction bytes to assist further. When SEV is enabled, the
> instruction bytes will be encrypted using the guest-specific key, hypervisor

							"... key and the hypervisor... "

> will no longer able to fetch the instruction bytes to assist UD handling.
> By not installing intercept we let the guest receive and handle #UD.
> 
> Signed-off-by: Brijesh Singh <brijesh.singh@....com>
> ---
>  arch/x86/kvm/svm.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
> index 64b9f60..4581d03 100644
> --- a/arch/x86/kvm/svm.c
> +++ b/arch/x86/kvm/svm.c
> @@ -1432,8 +1432,10 @@ static void init_vmcb(struct vcpu_svm *svm)
>  		svm->vmcb->control.virt_ext |= VIRTUAL_VMLOAD_VMSAVE_ENABLE_MASK;
>  	}
>  
> -	if (sev_guest(svm->vcpu.kvm))
> +	if (sev_guest(svm->vcpu.kvm)) {
>  		svm->vmcb->control.nested_ctl |= SVM_NESTED_CTL_SEV_ENABLE;
> +		clr_exception_intercept(svm, UD_VECTOR);
> +	}
>  
>  	mark_all_dirty(svm->vmcb);
>  
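
Review bot: the added clr_exception_intercept(svm, UD_VECTOR) call in the sev_guest() branch carries no comment saying why #UD is left to the guest. A short comment stating that guest instruction bytes are encrypted under SEV, so the hypervisor cannot fetch and decode them for emulation, would keep a later reader from re-adding the intercept. The subject line says the intercept is not installed, while the code clears it at this point, so the change depends on this call running after wherever the intercept is set; that place is outside the visible context, so it is worth confirming the ordering, or skipping the set for SEV guests instead.
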
> -- 

Otherwise:

Reviewed-by: Borislav Petkov <bp@...e.de>

Btw, if this is really important for the hypervisor to continue to be
able to do decode assist, we probably should think about having the
guest give the hypervisor the couple instruction bytes in a controlled
manner...

-- 
Regards/Gruss,
    Boris.

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)