lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 8 Mar 2019 08:28:35 -0800 From: Sean Christopherson <sean.j.christopherson@...el.com> To: Yang Weijiang <weijiang.yang@...el.com> Cc: pbonzini@...hat.com, rkrcmar@...hat.com, jmattson@...gle.com, linux-kernel@...r.kernel.org, kvm@...r.kernel.org, mst@...hat.com, yu-cheng.yu@...el.com, Zhang Yi Z <yi.z.zhang@...ux.intel.com>, wei.w.wang@...el.com, weijiang.yang@...e.com Subject: Re: [PATCH v3 6/8] KVM:VMX: Load Guest CET via VMCS when CET is enabled in Guest On Mon, Mar 04, 2019 at 08:36:55PM +0800, Yang Weijiang wrote: > On Mon, Mar 04, 2019 at 07:12:02PM -0800, Sean Christopherson wrote: > > On Mon, Mar 04, 2019 at 05:56:40PM +0800, Yang Weijiang wrote: > > > Cannot agree with you more! > > > This is some design limitation, but from my point of view, once vmm > > > exposes CET capability to guest via CPUID, it grants the guest kernel freedom to choose > > > which features to be enabled, we don't need to add extra constraints on > > > the usage. > > > > But if KVM allows SHSTK and IBT to be toggled independently then the VMM > > has only exposed SHSTK or IBT, not CET as whole. > > > > Even if SHSTK and IBT are bundled together the guest still has to opt-in > > to enabling each feature. I don't see what we gain by pretending that > > SHSTK/IBT can be individually exposed to the guest, and on the flip side > > doing so creates a virtualization hole. > you almost convinced me ;-), maybe I'll make the feature as a bundle in > next release after check with kernel team. BTW, what do you mean by > saying "create a virtualization hole"? Is it what you stated in above > reply? By "virtualization hole" I mean the guest would be able to use a feature that the virtual CPU model says isn't supported. After rereading the XSS architecture, there's a marginally less crappy option for handling XRSTOR as we could use the XSS_EXIT_BITMAP to intercept XRSTOR if SHSTK != IBT and the guest is restoring CET state, e.g. to ensure the guest isn't setting IA32_PL*_SSP if !SHSTK and isn't setting bits that are effectively reserved in IA32_U_CET. But practically speaking that'd be the same as intercepting XRSTORS unconditionally when the guest is using CET, i.e. it's still going to tank the performance of a guest that uses CET+XSAVES/XRSTORS.
Powered by blists - more mailing lists