lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <9e80935f-b572-8210-6ea1-a582b3d05f88@redhat.com>
Date:   Fri, 8 Mar 2019 17:36:50 +0100
From:   Paolo Bonzini <pbonzini@...hat.com>
To:     Sean Christopherson <sean.j.christopherson@...el.com>,
        Yang Weijiang <weijiang.yang@...el.com>
Cc:     rkrcmar@...hat.com, jmattson@...gle.com,
        linux-kernel@...r.kernel.org, kvm@...r.kernel.org, mst@...hat.com,
        yu-cheng.yu@...el.com, Zhang Yi Z <yi.z.zhang@...ux.intel.com>,
        wei.w.wang@...el.com, weijiang.yang@...e.com
Subject: Re: [PATCH v3 6/8] KVM:VMX: Load Guest CET via VMCS when CET is
 enabled in Guest

On 08/03/19 17:28, Sean Christopherson wrote:
> On Mon, Mar 04, 2019 at 08:36:55PM +0800, Yang Weijiang wrote:
>> On Mon, Mar 04, 2019 at 07:12:02PM -0800, Sean Christopherson wrote:
>>> On Mon, Mar 04, 2019 at 05:56:40PM +0800, Yang Weijiang wrote:
>>>> Cannot agree with you more!
>>>> This is some design limitation, but from my point of view, once vmm
>>>> exposes CET capability to guest via CPUID, it grants the guest kernel freedom to choose
>>>> which features to be enabled, we don't need to add extra constraints on
>>>> the usage.
>>>
>>> But if KVM allows SHSTK and IBT to be toggled independently then the VMM
>>> has only exposed SHSTK or IBT, not CET as whole.
>>>
>>> Even if SHSTK and IBT are bundled together the guest still has to opt-in
>>> to enabling each feature.  I don't see what we gain by pretending that
>>> SHSTK/IBT can be individually exposed to the guest, and on the flip side
>>> doing so creates a virtualization hole.
>> you almost convinced me ;-), maybe I'll make the feature as a bundle in
>> next release after check with kernel team. BTW, what do you mean by
>> saying "create a virtualization hole"? Is it what you stated in above
>> reply?
> 
> By "virtualization hole" I mean the guest would be able to use a feature
> that the virtual CPU model says isn't supported.

I think it's okay to leave the hole and leave it to userspace to forbid
enabling only one of the bits.

Paolo

> After rereading the XSS architecture, there's a marginally less crappy
> option for handling XRSTOR as we could use the XSS_EXIT_BITMAP to
> intercept XRSTOR if SHSTK != IBT and the guest is restoring CET state,
> e.g. to ensure the guest isn't setting IA32_PL*_SSP if !SHSTK and isn't
> setting bits that are effectively reserved in IA32_U_CET.
> 
> But practically speaking that'd be the same as intercepting XRSTORS
> unconditionally when the guest is using CET, i.e. it's still going to
> tank the performance of a guest that uses CET+XSAVES/XRSTORS.
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ