lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 5 May 2020 07:24:18 -0700
From:   Dave Hansen <dave.hansen@...el.com>
To:     Christian Borntraeger <borntraeger@...ibm.com>,
        Ulrich Weigand <uweigand@...ibm.com>
Cc:     Claudio Imbrenda <imbrenda@...ux.ibm.com>, viro@...iv.linux.org.uk,
        david@...hat.com, akpm@...ux-foundation.org, aarcange@...hat.com,
        linux-mm@...ck.org, frankja@...ux.ibm.com, sfr@...b.auug.org.au,
        jhubbard@...dia.com, linux-kernel@...r.kernel.org,
        linux-s390@...r.kernel.org, jack@...e.cz, kirill@...temov.name,
        peterz@...radead.org, sean.j.christopherson@...el.com,
        Ulrich.Weigand@...ibm.com
Subject: Re: [PATCH v2 1/1] fs/splice: add missing callback for inaccessible
 pages

On 5/5/20 7:00 AM, Christian Borntraeger wrote:
> We are certainly not married to our approach. I would happily extend/change
> this to anything that works for your case and the s390 case. So can you outline
> your requirements a bit more?

For SEV, the guest define which pages are encrypted or not.  You could
theoretically do DMA to them or have the CPU access their contents, but
you'd get either get ciphertext for reads, or data corruption and loss
of cache coherency for writes.  That's not so cool.

Ideally, we would stop the CPU from ever accessing those pages by
unmapping them.  But, the pages go in and out of the encrypted state and
the host really needs to be *sure* about what's going on before it
restores its mapping and messes with the page.  That includes situations
where someone does a gup, starts an I/O to an unencrypted page, then the
guest tries to convert that page over to being encrypted.

So, the requirements are:

1. Allow host-side DMA and CPU access to shared pages
2. Stop host-side DMA and CPU access to encrypted pages
3. Allow pages to be converted between the states at the request of the
   guest

Stopping the DMA is pretty easy, even across the gazillions of drivers
in the tree because even random ethernet drivers do stuff like:

                txdr->buffer_info[i].dma =
                        dma_map_single(&pdev->dev, skb->data, skb->len,
                                       DMA_TO_DEVICE);

So the DMA can be stopped at the mapping layer.  It's a *LOT* easier to
catch there since the IOMMUs already provide isolation between the I/O
and CPU address spaces.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ