lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <15687374550.b5d3c.30742@host>
Date:   Tue, 17 Sep 2019 19:24:15 +0300
From:   Adalbert Lazăr <alazar@...defender.com>
To:     Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>,
        Yang Weijiang <weijiang.yang@...el.com>
Cc:     kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
        pbonzini@...hat.com, sean.j.christopherson@...el.com,
        mst@...hat.com, rkrcmar@...hat.com, jmattson@...gle.com,
        yu.c.zhang@...el.com
Subject: Re: [PATCH v5 0/9] Enable Sub-page Write Protection Support

On Tue, 17 Sep 2019 08:59:04 -0400, Konrad Rzeszutek Wilk <konrad.wilk@...cle.com> wrote:
> On Tue, Sep 17, 2019 at 04:52:55PM +0800, Yang Weijiang wrote:
> > EPT-Based Sub-Page write Protection(SPP)is a HW capability which allows
> > Virtual Machine Monitor(VMM) to specify write-permission for guest
> > physical memory at a sub-page(128 byte) granularity. When this
> > capability is enabled, the CPU enforces write-access check for sub-pages
> > within a 4KB page.
> > 
> > The feature is targeted to provide fine-grained memory protection for
> > usages such as device virtualization, memory check-point and VM
> > introspection etc.
> > 
> > SPP is active when the "sub-page write protection" (bit 23) is 1 in
> > Secondary VM-Execution Controls. The feature is backed with a Sub-Page
> > Permission Table(SPPT), SPPT is referenced via a 64-bit control field
> > called Sub-Page Permission Table Pointer (SPPTP) which contains a
> > 4K-aligned physical address.
> > 
> > To enable SPP for certain physical page, the gfn should be first mapped
> > to a 4KB entry, then set bit 61 of the corresponding EPT leaf entry. 
> > While HW walks EPT, if bit 61 is set, it traverses SPPT with the guset
> > physical address to find out the sub-page permissions at the leaf entry.
> > If the corresponding bit is set, write to sub-page is permitted,
> > otherwise, SPP induced EPT violation is generated.
> > 
> > This patch serial passed SPP function test and selftest on Ice-Lake platform.
> > 
> > Please refer to the SPP introduction document in this patch set and
> > Intel SDM for details:
> > 
> > Intel SDM:
> > https://software.intel.com/sites/default/files/managed/39/c5/325462-sdm-vol-1-2abcd-3abcd.pdf
> > 
> > SPP selftest patch:
> > https://lkml.org/lkml/2019/6/18/1197
> > 
> > Previous patch:
> > https://lkml.org/lkml/2019/8/14/97
> 
> I saw the patches as part of the introspection patch-set.
> Are you all working together on this?

Weijiang helped us to start using the SPP feature with the introspection
API and tested the integration when we didn't had the hardware
available. I've included the SPP patches in the introspection patch
series in order to "show the full picture".

> Would it be possible for some of the bitdefender folks who depend on this
> to provide Tested-by adn could they also take the time to review this patch-set?

Sure. Once we rebase the introspection patches on 5.3, we'll replace
the previous version this new one in our tree and test it.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ