lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 5 May 2020 16:39:38 +0200
From:   Christian Borntraeger <borntraeger@...ibm.com>
To:     Dave Hansen <dave.hansen@...el.com>,
        Ulrich Weigand <uweigand@...ibm.com>
Cc:     Claudio Imbrenda <imbrenda@...ux.ibm.com>, viro@...iv.linux.org.uk,
        david@...hat.com, akpm@...ux-foundation.org, aarcange@...hat.com,
        linux-mm@...ck.org, frankja@...ux.ibm.com, sfr@...b.auug.org.au,
        jhubbard@...dia.com, linux-kernel@...r.kernel.org,
        linux-s390@...r.kernel.org, jack@...e.cz, kirill@...temov.name,
        peterz@...radead.org, sean.j.christopherson@...el.com,
        Ulrich.Weigand@...ibm.com
Subject: Re: [PATCH v2 1/1] fs/splice: add missing callback for inaccessible
 pages



On 05.05.20 16:34, Dave Hansen wrote:
> On 5/5/20 7:31 AM, Christian Borntraeger wrote:
>>> So, the requirements are:
>>>
>>> 1. Allow host-side DMA and CPU access to shared pages
>>> 2. Stop host-side DMA and CPU access to encrypted pages
>>> 3. Allow pages to be converted between the states at the request of the
>>>    guest
>>>
>>> Stopping the DMA is pretty easy, even across the gazillions of drivers
>>> in the tree because even random ethernet drivers do stuff like:
>>>
>>>                 txdr->buffer_info[i].dma =
>>>                         dma_map_single(&pdev->dev, skb->data, skb->len,
>>>                                        DMA_TO_DEVICE);
>>>
>>> So the DMA can be stopped at the mapping layer.  It's a *LOT* easier to
>>> catch there since the IOMMUs already provide isolation between the I/O
>>> and CPU address spaces.
>> And your problem is that the guest could convert this after the dma_map?
>> So you looked into our code if this would help?
> 
> Yep, it seemed like a close-enough problem.

Is there a way to prevent the guest from switching the state? We also have 2
variants of secure pages
1. those that are secure and when the host accesses them will be encrypted
2. those that are marked by the guest as shared. When you look at 
arch_make_page_accessible we first try to "pin" the shared state. So the guest
trying to "unshare" such a page would trigger an exit that we can handle.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ