lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200206155508.GC13067@linux.intel.com>
Date:   Thu, 6 Feb 2020 07:55:08 -0800
From:   Sean Christopherson <sean.j.christopherson@...el.com>
To:     Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
Cc:     linux-kernel@...r.kernel.org, x86@...nel.org,
        linux-sgx@...r.kernel.org, akpm@...ux-foundation.org,
        dave.hansen@...el.com, nhorman@...hat.com, npmccallum@...hat.com,
        haitao.huang@...el.com, andriy.shevchenko@...ux.intel.com,
        tglx@...utronix.de, kai.svahn@...el.com, bp@...en8.de,
        josh@...htriplett.org, luto@...nel.org, kai.huang@...el.com,
        rientjes@...gle.com, cedric.xing@...el.com, puiterwijk@...hat.com,
        Serge Ayoun <serge.ayoun@...el.com>
Subject: Re: [PATCH v25 07/21] x86/sgx: Enumerate and track EPC sections

On Thu, Feb 06, 2020 at 05:35:19PM +0200, Jarkko Sakkinen wrote:
> On Wed, Feb 05, 2020 at 11:57:00AM -0800, Sean Christopherson wrote:
> >   3. Breaks on-demand paging when running in a VM, e.g. if the VMM chooses
> >      to allocate a physical EPC page when it's actually accessed by the
> >      VM.  I don't expect this to be a problem any time soon, as all VMMs
> >      will likely preallocate EPC pages until KVM (or any other hypervisor)
> >      gains EPC oversusbscription support, which may or may not ever happen.
> >      But, I'd prefer to simply not have the problem in the first place.
> 
> So wouldn't it be better to revisit this when the VM changes are added.

No, because the guest kernel (this code) and the host hypervisor (KVM code)
are separate assets.  Folks will pick up this code use it for guest kernels
and start deploying it, e.g. for cloud workloads.  At some point after KVM
support lands upstream (assuming we get there), CSPs et al will (in theory)
move to the upstream version of KVM instead of running out-of-tree patches.
But, the guest kernels will stay the same and continue to exhibit the
undesirable behavior.

KVM is also not the only hypervisor that supports SGX, e.g. HyperV already
supports exposing SGX to guests.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ