Message-ID: <0d413224be93719a149ce8a5a0aef77b@linux.vnet.ibm.com>
Date:   Tue, 28 Apr 2020 20:38:53 -0400
From:   Jared Rossi <jrossi@...ux.ibm.com>
To:     Halil Pasic <pasic@...ux.ibm.com>
Cc:     Eric Farman <farman@...ux.ibm.com>,
        Cornelia Huck <cohuck@...hat.com>, linux-s390@...r.kernel.org,
        kvm@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/1] vfio-ccw: Enable transparent CCW IPL from DASD

On 2020-04-24 08:50, Halil Pasic wrote:
> On Thu, 23 Apr 2020 16:25:39 -0400
> Eric Farman <farman@...ux.ibm.com> wrote:
> 
>> 
>> 
>> On 4/23/20 11:11 AM, Cornelia Huck wrote:
>> > On Thu, 23 Apr 2020 15:56:20 +0200
>> > Halil Pasic <pasic@...ux.ibm.com> wrote:
>> >
>> >> On Fri, 17 Apr 2020 14:29:39 -0400
>> >> Jared Rossi <jrossi@...ux.ibm.com> wrote:
>> >>
>> >>> Remove the explicit prefetch check when using vfio-ccw devices.
>> >>> This check is not needed as all Linux channel programs are intended
>> >>> to use prefetch and will be executed in the same way regardless.
>> >>
>> >> Hm. This is a guest thing or? So you basically say, it is OK to do
>> >> this, because you know that the guest is gonna be Linux and that
>> >> the channel program is intended to use prefetch -- but the ORB supplied
>> >> by the guest that designates the channel program happens to state the
>> >> opposite.
>> >>
>> >> Or am I missing something?
>> >
>> > I see this as a kind of architecture compliance/ease of administration
>> > tradeoff, as none of the guests we currently support uses something
>> > that breaks with prefetching outside of IPL (which has a different
>> > workaround).
> 
> And that workaround AFAIR makes sure that we don't issue a CP that is
> self-modifying or otherwise reliant on non-prefetch. So any time we see
> a self-modifying program we know, we have an incompatible setup.
> 
> In any case I believe the commit message is inadequate, as it does not
> reflect about the risks.
> 
>> > One thing that still concerns me a bit is debuggability if a future
>> > guest indeed does want to dynamically rewrite a channel program: the
>> 
>> +1 for some debuggability, just in general
>> 
>> > guest thinks it instructed the device to not prefetch, and then
>> > suddenly things do not work as expected. We can log when a guest
>> > submits an orb without prefetch set, but we can't find out if the guest
>> > actually does something that relies on non-prefetch.
>> 
>> Without going too far down a non-prefetch rabbit-hole, can we use the
>> cpa_within_range logic to see if the address of the CCW being fetched
>> exists as the CDA of an earlier (non-TIC) CCW in the chain we're
>> processing, and tracing/logging/messaging something about a possible
>> conflict?
>> 
>> (Jared, you did some level of this tracing with our real/synthetic tests
>> some time ago.  Any chance something of it could be polished and made
>> useful, without being overly heavy on the mainline path?)
>> 
> 
> Back then I believe I made a proposal on how this logic could look.
> I think all we need is checking for self rewrites (ccw reads to the
> addresses that comprise the complete original channel program), and for
> status-modifier 'skips'. The latter could be easily done by putting some
> sort of poison at the end of the detected channel program segments.
> 

From what I previously did with the tracing, I don't think that there is a
practical way to determine if a cp is actually doing something that relies
on non-prefetch.  It seems we would need to examine the CCWs to find reads
and also validate the addresses those CCWs access to check if there is a
conflict.  Probably this is too much overhead considering that we expect
it to be a rare occurrence?

Is it too simplistic to print a kernel warning stating that an ORB did not
have the p-bit set, but it is being prefetched anyway?

Regards,
Jared Rossi
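As an added illustration of the self-rewrite check discussed in this thread (Eric's cpa_within_range idea and Halil's "ccw reads to the addresses that comprise the complete original channel program"), and not code from the vfio-ccw driver or from anyone on the thread: a scan over one contiguous channel-program segment that reports the first device-to-memory CCW whose data area overlaps the program itself. The format-1 CCW layout and command-code decoding are standard; the function names, flag constants and the sample programs in the checks are my own assumptions, and IDAL-addressed CCWs are deliberately left unresolved rather than guessed at.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Format-1 CCW as vfio-ccw sees it in guest memory (8 bytes). */
struct ccw1 {
    uint8_t  cmd_code;
    uint8_t  flags;
    uint16_t count;
    uint32_t cda;   /* data address, or IDAL address if CCW_FLAG_IDA is set */
};
#define CCW_FLAG_IDA 0x04
#define CCW_CMD_TIC  0x08

/* Device-to-memory transfers: read (xxxxxx10), read backward (xxxx1100), sense
 * (xxxx0100).  Only these can overwrite the program; TIC/write/control cannot. */
static bool ccw_stores_to_memory(const struct ccw1 *ccw)
{
    uint8_t cmd = ccw->cmd_code;
    if (cmd == CCW_CMD_TIC)
        return false;
    return (cmd & 0x03) == 0x02 || (cmd & 0x0f) == 0x0c || (cmd & 0x0f) == 0x04;
}

static bool ranges_overlap(uint64_t a, uint64_t alen, uint64_t b, uint64_t blen)
{
    return a < b + blen && b < a + alen;   /* half-open intervals */
}

/* Scan a contiguous segment of nr_ccws CCWs at guest address cp_addr and
 * return the index of the first CCW whose data area covers any byte of the
 * program itself (a self-rewrite that behaves differently when prefetched),
 * or -1 if none.  IDA CCWs are skipped and *skipped_idal set (scan incomplete). */
int find_self_modifying_ccw(const struct ccw1 *cp, size_t nr_ccws,
                            uint64_t cp_addr, bool *skipped_idal)
{
    uint64_t cp_len = nr_ccws * sizeof(struct ccw1);
    *skipped_idal = false;
    for (size_t i = 0; i < nr_ccws; i++) {
        if (!ccw_stores_to_memory(&cp[i]) || cp[i].count == 0)
            continue;
        if (cp[i].flags & CCW_FLAG_IDA) {
            *skipped_idal = true;
            continue;
        }
        if (ranges_overlap(cp[i].cda, cp[i].count, cp_addr, cp_len))
            return (int)i;
    }
    return -1;
}
```

A caller that gets a non-negative index (or a set skipped_idal flag) has exactly the situation the thread wants to surface: the ORB asked for non-prefetch and the program really does depend on it, so that is where a warning or trace event would be worth emitting rather than on every ORB without the p-bit.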
