lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <9baa91c4-bb06-a16e-5f7c-c6dacef6e157@linux.vnet.ibm.com>
Date:   Mon, 7 May 2018 10:14:48 -0400
From:   Tony Krowiak <akrowiak@...ux.vnet.ibm.com>
To:     Pierre Morel <pmorel@...ux.vnet.ibm.com>,
        linux-s390@...r.kernel.org, linux-kernel@...r.kernel.org,
        kvm@...r.kernel.org
Cc:     freude@...ibm.com, schwidefsky@...ibm.com,
        heiko.carstens@...ibm.com, borntraeger@...ibm.com,
        cohuck@...hat.com, kwankhede@...dia.com,
        bjsdjshi@...ux.vnet.ibm.com, pbonzini@...hat.com,
        alex.williamson@...hat.com, alifm@...ux.vnet.ibm.com,
        mjrosato@...ux.vnet.ibm.com, jjherne@...ux.vnet.ibm.com,
        thuth@...hat.com, pasic@...ux.vnet.ibm.com, berrange@...hat.com,
        fiuczy@...ux.vnet.ibm.com, buendgen@...ibm.com
Subject: Re: [PATCH v4 08/15] KVM: s390: interfaces to (de)configure guest's
 AP matrix

On 05/03/2018 12:01 PM, Pierre Morel wrote:
> On 03/05/2018 16:41, Tony Krowiak wrote:
>> On 05/02/2018 10:57 AM, Pierre Morel wrote:
>>> On 25/04/2018 18:21, Tony Krowiak wrote:
>>>> On 04/23/2018 09:46 AM, Pierre Morel wrote:
>>>>> On 15/04/2018 23:22, Tony Krowiak wrote:
>>>>>> Provides interfaces to assign AP adapters, usage domains
>>>>>> and control domains to a KVM guest.
> ...
>> The kvm_ap_configure_matrix(kvm, matrix) interface configures the 
>> APM, AQM and ADM in the
>> guest's CRYCB which implies AP instructions are being interpreted. 
>> There is nothing in SIE
>> precluding the sharing of AP queues between guests using SIE to 
>> interpret AP instructions,
>> it is my opinion - along with several others - that this is not 
>> advisable given the
>> results are not predictable, not to mention the security concerns. If 
>> the protocol to access
>> queues changes, then we create a different interface. The other 
>> option is to include a flag
>> on the kvm_ap_configure_matrix(kvm, matrix) interface to indicate 
>> whether sharing is
>> allowed. I don't like this, because we have no way of knowing if the 
>> caller has taken the
>> proper care to ensure the VM sharing the queue should be allowed 
>> access. Besides, when
>> queue sharing is implemented, it is my opinion that we will intercept 
>> the AP instructions
>> and the matrix will not be configured in the CRYCB. I stick by my 
>> response above.
>
> I mean, validating the queue sharing is a mater of the VFIO driver.
> This code is not needed if the VFIO driver is not used.
> But it is not very important.

Yes, this check could have been implemented in the VFIO driver, but as I 
stated above, that
would require the driver to "know" the internals of KVM. I think the KVM 
logic should
be encapsulated in KVM. If we want to allow sharing of interpreted AP 
devices, then we
can always add a flag to the interface.

>
>
>>
>>>
>>>>>> +static int kvm_ap_matrix_apm_create(struct kvm_ap_matrix 
>>>>>> *ap_matrix,
>>>>>> +                    struct ap_config_info *config)
>>>>>> +{
>>>>>> +    int apm_max = (config && config->apxa) ? config->Na + 1 : 16;
>>>>>
>>>>> At this moment you already know the format of the crycb.
>>>>
>>>> How?
>>>
>>> you calculated this in kvm_ap_build_crycbd() which is called from 
>>> kvm_s390_crypto_init()
>>> itself called from kvm_arch_init_vm().
>>> It is when starting the VM.
>>
>> This structure is used by the vfio_ap driver to store the mediated 
>> matrix device's matrix
>> configuration as well as to configure the CRYCB. The mediated 
>> device's matrix is
>> configured before the guest is started ... it is the means for 
>> configuring the guest's
>> matrix after all. The bottom line is, this function will be called 
>> long before the
>> kvm_ap_build_crycbd() function is called.
>
> you are right, I was thinking about open, should have take more 
> attention.
> Sorry.
>
> Pierre
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ