lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 15 Sep 2020 12:22:05 -0500 From: Tom Lendacky <thomas.lendacky@....com> To: Sean Christopherson <sean.j.christopherson@...el.com> Cc: kvm@...r.kernel.org, linux-kernel@...r.kernel.org, x86@...nel.org, Paolo Bonzini <pbonzini@...hat.com>, Jim Mattson <jmattson@...gle.com>, Joerg Roedel <joro@...tes.org>, Vitaly Kuznetsov <vkuznets@...hat.com>, Wanpeng Li <wanpengli@...cent.com>, Borislav Petkov <bp@...en8.de>, Ingo Molnar <mingo@...hat.com>, Thomas Gleixner <tglx@...utronix.de>, Brijesh Singh <brijesh.singh@....com> Subject: Re: [RFC PATCH 00/35] SEV-ES hypervisor support On 9/14/20 5:59 PM, Sean Christopherson wrote: > On Mon, Sep 14, 2020 at 03:15:14PM -0500, Tom Lendacky wrote: >> From: Tom Lendacky <thomas.lendacky@....com> >> >> This patch series provides support for running SEV-ES guests under KVM. > > From the x86/VMX side of things, the GPR hooks are the only changes that I > strongly dislike. > > For the vmsa_encrypted flag and related things like allow_debug(), I'd > really like to aim for a common implementation between SEV-ES and TDX[*] from > the get go, within reason obviously. From a code perspective, I don't think > it will be too onerous as the basic tenets are quite similar, e.g. guest > state is off limits, FPU state is autoswitched, etc..., but I suspect (or > maybe worry?) that there are enough minor differences that we'll want a more > generic way of marking ioctls() as disallowed to avoid having one-off checks > all over the place. > > That being said, it may also be that there are some ioctls() that should be > disallowed under SEV-ES, but aren't in this series. E.g. I assume > kvm_vcpu_ioctl_smi() should be rejected as KVM can't do the necessary > emulation (I assume this applies to vanilla SEV as well?). Right, SMM isn't currently supported under SEV-ES. SEV does support SMM, though, since the register state can be altered to change over to the SMM register state. So the SMI ioctl() is ok for SEV. > > One thought to try and reconcile the differences between SEV-ES and TDX would > be expicitly list which ioctls() are and aren't supported and go from there? > E.g. if there is 95% overlap than we probably don't need to get fancy with > generic allow/deny. > > Given that we don't yet have publicly available KVM code for TDX, what if I > generate and post a list of ioctls() that are denied by either SEV-ES or TDX, > organized by the denier(s)? Then for the ioctls() that are denied by one and > not the other, we add a brief explanation of why it's denied? > > If that sounds ok, I'll get the list and the TDX side of things posted > tomorrow. That sounds good. Thanks, Tom > > Thanks! > > > [*] https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsoftware.intel.com%2Fcontent%2Fwww%2Fus%2Fen%2Fdevelop%2Farticles%2Fintel-trust-domain-extensions.html&data=02%7C01%7Cthomas.lendacky%40amd.com%7C000b3d355429471694fa08d85901e575%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637357211966578452&sdata=nEhXcrxY7KmQVCsVJrX20bagZLbzwVqlT%2BYvhSYCjHI%3D&reserved=0 >
Powered by blists - more mailing lists