| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 9 Jan 2020 17:18:24 -0500
From: "Michael S. Tsirkin" <mst@...hat.com>
To: Peter Xu <peterx@...hat.com>
Cc: kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
Christophe de Dinechin <dinechin@...hat.com>,
Paolo Bonzini <pbonzini@...hat.com>,
Sean Christopherson <sean.j.christopherson@...el.com>,
Yan Zhao <yan.y.zhao@...el.com>,
Alex Williamson <alex.williamson@...hat.com>,
Jason Wang <jasowang@...hat.com>,
Kevin Kevin <kevin.tian@...el.com>,
Vitaly Kuznetsov <vkuznets@...hat.com>,
"Dr . David Alan Gilbert" <dgilbert@...hat.com>,
Lei Cao <lei.cao@...atus.com>
Subject: Re: [PATCH v3 12/21] KVM: X86: Implement ring-based dirty memory
tracking
On Thu, Jan 09, 2020 at 03:19:16PM -0500, Peter Xu wrote:
> > > while for virtio, both sides (hypervisor,
> > > and the guest driver) are trusted.
> >
> > What gave you the impression guest is trusted in virtio?
>
> Hmm... maybe when I know virtio can bypass vIOMMU as long as it
> doesn't provide IOMMU_PLATFORM flag? :)
If guest driver does not provide IOMMU_PLATFORM, and device does,
then negotiation fails.
> I think it's logical to trust a virtio guest kernel driver, could you
> guide me on what I've missed?
guest driver is assumed to be part of guest kernel. It can't
do anything kernel can't do anyway.
> >
> >
> > > Above means we need to do these to
> > > change to the new design:
> > >
> > > - Allow the GFN array to be mapped as writable by userspace (so that
> > > userspace can publish bit 2),
> > >
> > > - The userspace must be trusted to follow the design (just imagine
> > > what if the userspace overwrites a GFN when it publishes bit 2
> > > over a valid dirty gfn entry? KVM could wrongly unprotect a page
> > > for the guest...).
> >
> > You mean protect, right? So what?
>
> Yes, I mean with that, more things are uncertain from userspace. It
> seems easier to me that we restrict the userspace with one index.
Donnu how to treat vague statements like this. You need to be specific
with threat models. Otherwise there's no way to tell whether code is
secure.
> >
> > > While if we use the indices, we restrict the userspace to only be able
> > > to write to one index only (which is the reset_index). That's all it
> > > can do to mess things up (and it could never as long as we properly
> > > validate the reset_index when read, which only happens during
> > > KVM_RESET_DIRTY_RINGS and is very rare). From that pov, it seems the
> > > indices solution still has its benefits.
> >
> > So if you mess up index how is this different?
>
> We can't mess up much with that. We simply check fetch_index (sorry I
> meant this when I said reset_index, anyway it's the only index that we
> expose to userspace) to make sure:
>
> reset_index <= fetch_index <= dirty_index
>
> Otherwise we fail the ioctl. With that, we're 100% safe.
safe from what? userspace can mess up guest memory trivially.
for example skip sending some memory or send junk.
> >
> > I agree RO page kind of feels safer generally though.
> >
> > I will have to re-read how does the ring works though,
> > my comments were based on the old assumption of mmaped
> > page with indices.
>
> Yes, sorry again for a bad cover letter.
>
> It's basically the same as before, just that we only have per-vcpu
> ring now, and the indices are exposed from kvm_run so we don't need
> the extra page, but we still expose that via mmap.
So that's why changelogs are useful.
Can you please write a changelog for this version so I don't
need to re-read all of it? Thanks!
> >
> >
> >
> > > >
> > > >
> > > >
> > > > > The larger the ring buffer, the less
> > > > > +likely the ring is full and the VM is forced to exit to userspace. The
> > > > > +optimal size depends on the workload, but it is recommended that it be
> > > > > +at least 64 KiB (4096 entries).
> > > >
> > > > Where's this number coming from? Given you have indices as well,
> > > > 4K size rings is likely to cause cache contention.
> > >
> > > I think we've had some similar discussion in previous versions on the
> > > size of ring. Again imho it's really something that may not have a
> > > direct clue as long as it's big enough (4K should be).
> > >
> > > Regarding to the cache contention: could you explain more?
> >
> > 4K is a whole cache way. 64K 16 ways. If there's anything else is a hot
> > path then you are pushing everything out of cache. To re-read how do
> > indices work so see whether an index is on hot path or not. If yes your
> > structure won't fit in L1 cache which is not great.
>
> I'm not sure whether I get the point correct, but logically we
> shouldn't read the whole ring buffer as a whole, but only partly (just
> like when we say the ring shouldn't even reach soft-full). Even if we
> read the whole ring, I don't see a difference here comparing to when
> we read a huge array of data (e.g. "char buf[65536]") in any program
> that covers 64K range - I don't see a good way to fix this but read
> the whole chunk in. It seems to be common in programs where we have
> big dataset.
>
> [...]
>
> > > > > +int kvm_dirty_ring_reset(struct kvm *kvm, struct kvm_dirty_ring *ring)
> > > > > +{
> > > > > + u32 cur_slot, next_slot;
> > > > > + u64 cur_offset, next_offset;
> > > > > + unsigned long mask;
> > > > > + u32 fetch;
> > > > > + int count = 0;
> > > > > + struct kvm_dirty_gfn *entry;
> > > > > + struct kvm_dirty_ring_indices *indices = ring->indices;
> > > > > + bool first_round = true;
> > > > > +
> > > > > + fetch = READ_ONCE(indices->fetch_index);
> > > >
> > > > So this does not work if the data cache is virtually tagged.
> > > > Which to the best of my knowledge isn't the case on any
> > > > CPU kvm supports. However it might not stay being the
> > > > case forever. Worth at least commenting.
> > >
> > > This is the read side. IIUC even if with virtually tagged archs, we
> > > should do the flushing on the write side rather than the read side,
> > > and that should be enough?
> >
> > No.
> > See e.g. Documentation/core-api/cachetlb.rst
> >
> > ``void flush_dcache_page(struct page *page)``
> >
> > Any time the kernel writes to a page cache page, _OR_
> > the kernel is about to read from a page cache page and
> > user space shared/writable mappings of this page potentially
> > exist, this routine is called.
>
> But I don't understand why. I feel like for such arch even the
> userspace must flush cache after publishing data onto shared memories,
> otherwise if the shared memory is between two userspace processes
> they'll get inconsistent state. Then if with that, I'm confused on
> why the read side needs to flush it again.
>
> >
> >
> > > Also, I believe this is the similar question that Jason has asked in
> > > V2. Sorry I should mention this earlier, but I didn't address that in
> > > this series because if we need to do so we probably need to do it
> > > kvm-wise, rather than only in this series.
> >
> > You need to document these things.
> >
> > > I feel like it's missing
> > > probably only because all existing KVM supported archs do not have
> > > virtual-tagged caches as you mentioned.
> >
> > But is that a fact? ARM has such a variety of CPUs,
> > I can't really tell. Did you research this to make sure?
>
> I didn't. I only tried to find all callers of flush_dcache_page()
> through the whole Linux tree and I cannot see any kvm related code.
> To make this simple, let me address the dcache flushing issue in the
> next post.
>
> Thanks,
>
> --
> Peter Xu
Powered by blists - more mailing lists