| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 7 May 2018 10:14:48 -0400
From: Tony Krowiak <akrowiak@...ux.vnet.ibm.com>
To: Pierre Morel <pmorel@...ux.vnet.ibm.com>,
linux-s390@...r.kernel.org, linux-kernel@...r.kernel.org,
kvm@...r.kernel.org
Cc: freude@...ibm.com, schwidefsky@...ibm.com,
heiko.carstens@...ibm.com, borntraeger@...ibm.com,
cohuck@...hat.com, kwankhede@...dia.com,
bjsdjshi@...ux.vnet.ibm.com, pbonzini@...hat.com,
alex.williamson@...hat.com, alifm@...ux.vnet.ibm.com,
mjrosato@...ux.vnet.ibm.com, jjherne@...ux.vnet.ibm.com,
thuth@...hat.com, pasic@...ux.vnet.ibm.com, berrange@...hat.com,
fiuczy@...ux.vnet.ibm.com, buendgen@...ibm.com
Subject: Re: [PATCH v4 08/15] KVM: s390: interfaces to (de)configure guest's
AP matrix
On 05/03/2018 12:01 PM, Pierre Morel wrote:
> On 03/05/2018 16:41, Tony Krowiak wrote:
>> On 05/02/2018 10:57 AM, Pierre Morel wrote:
>>> On 25/04/2018 18:21, Tony Krowiak wrote:
>>>> On 04/23/2018 09:46 AM, Pierre Morel wrote:
>>>>> On 15/04/2018 23:22, Tony Krowiak wrote:
>>>>>> Provides interfaces to assign AP adapters, usage domains
>>>>>> and control domains to a KVM guest.
> ...
>> The kvm_ap_configure_matrix(kvm, matrix) interface configures the
>> APM, AQM and ADM in the
>> guest's CRYCB which implies AP instructions are being interpreted.
>> There is nothing in SIE
>> precluding the sharing of AP queues between guests using SIE to
>> interpret AP instructions,
>> it is my opinion - along with several others - that this is not
>> advisable given the
>> results are not predictable, not to mention the security concerns. If
>> the protocol to access
>> queues changes, then we create a different interface. The other
>> option is to include a flag
>> on the kvm_ap_configure_matrix(kvm, matrix) interface to indicate
>> whether sharing is
>> allowed. I don't like this, because we have no way of knowing if the
>> caller has taken the
>> proper care to ensure the VM sharing the queue should be allowed
>> access. Besides, when
>> queue sharing is implemented, it is my opinion that we will intercept
>> the AP instructions
>> and the matrix will not be configured in the CRYCB. I stick by my
>> response above.
>
> I mean, validating the queue sharing is a mater of the VFIO driver.
> This code is not needed if the VFIO driver is not used.
> But it is not very important.
Yes, this check could have been implemented in the VFIO driver, but as I
stated above, that
would require the driver to "know" the internals of KVM. I think the KVM
logic should
be encapsulated in KVM. If we want to allow sharing of interpreted AP
devices, then we
can always add a flag to the interface.
>
>
>>
>>>
>>>>>> +static int kvm_ap_matrix_apm_create(struct kvm_ap_matrix
>>>>>> *ap_matrix,
>>>>>> + struct ap_config_info *config)
>>>>>> +{
>>>>>> + int apm_max = (config && config->apxa) ? config->Na + 1 : 16;
>>>>>
>>>>> At this moment you already know the format of the crycb.
>>>>
>>>> How?
>>>
>>> you calculated this in kvm_ap_build_crycbd() which is called from
>>> kvm_s390_crypto_init()
>>> itself called from kvm_arch_init_vm().
>>> It is when starting the VM.
>>
>> This structure is used by the vfio_ap driver to store the mediated
>> matrix device's matrix
>> configuration as well as to configure the CRYCB. The mediated
>> device's matrix is
>> configured before the guest is started ... it is the means for
>> configuring the guest's
>> matrix after all. The bottom line is, this function will be called
>> long before the
>> kvm_ap_build_crycbd() function is called.
>
> you are right, I was thinking about open, should have take more
> attention.
> Sorry.
>
> Pierre
>
Powered by blists - more mailing lists