| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 25 Jan 2021 09:05:16 -0600
From: Tom Lendacky <thomas.lendacky@....com>
To: Sean Christopherson <seanjc@...gle.com>,
Paolo Bonzini <pbonzini@...hat.com>
Cc: Vitaly Kuznetsov <vkuznets@...hat.com>,
Wanpeng Li <wanpengli@...cent.com>,
Jim Mattson <jmattson@...gle.com>,
Joerg Roedel <joro@...tes.org>, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org, Brijesh Singh <brijesh.singh@....com>
Subject: Re: [PATCH 1/3] KVM: SVM: Unconditionally sync GPRs to GHCB on VMRUN
of SEV-ES guest
On 1/22/21 5:50 PM, Sean Christopherson wrote:
> Drop the per-GPR dirty checks when synchronizing GPRs to the GHCB, the
> GRPs' dirty bits are set from time zero and never cleared, i.e. will
Ah, missed that, bad assumption on my part.
> always be seen as dirty. The obvious alternative would be to clear
> the dirty bits when appropriate, but removing the dirty checks is
> desirable as it allows reverting GPR dirty+available tracking, which
> adds overhead to all flavors of x86 VMs.
>
> Note, unconditionally writing the GPRs in the GHCB is tacitly allowed
> by the GHCB spec, which allows the hypervisor (or guest) to provide
> unnecessary info; it's the guest's responsibility to consume only what
> it needs (the hypervisor is untrusted after all).
>
> The guest and hypervisor can supply additional state if desired but
> must not rely on that additional state being provided.
Yes, that's true.
I'm ok with removing the tracking if that's desired. Otherwise, we can add
a vcpu->arch.regs_dirty = 0 in sev_es_sync_from_ghcb().
Thanks,
Tom
>
> Cc: Brijesh Singh <brijesh.singh@....com>
> Cc: Tom Lendacky <thomas.lendacky@....com>
> Fixes: 291bd20d5d88 ("KVM: SVM: Add initial support for a VMGEXIT VMEXIT")
> Signed-off-by: Sean Christopherson <seanjc@...gle.com>
> ---
> arch/x86/kvm/svm/sev.c | 15 ++++++---------
> 1 file changed, 6 insertions(+), 9 deletions(-)
>
> diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
> index c8ffdbc81709..ac652bc476ae 100644
> --- a/arch/x86/kvm/svm/sev.c
> +++ b/arch/x86/kvm/svm/sev.c
> @@ -1415,16 +1415,13 @@ static void sev_es_sync_to_ghcb(struct vcpu_svm *svm)
> * to be returned:
> * GPRs RAX, RBX, RCX, RDX
> *
> - * Copy their values to the GHCB if they are dirty.
> + * Copy their values, even if they may not have been written during the
> + * VM-Exit. It's the guest's responsibility to not consume random data.
> */
> - if (kvm_register_is_dirty(vcpu, VCPU_REGS_RAX))
> - ghcb_set_rax(ghcb, vcpu->arch.regs[VCPU_REGS_RAX]);
> - if (kvm_register_is_dirty(vcpu, VCPU_REGS_RBX))
> - ghcb_set_rbx(ghcb, vcpu->arch.regs[VCPU_REGS_RBX]);
> - if (kvm_register_is_dirty(vcpu, VCPU_REGS_RCX))
> - ghcb_set_rcx(ghcb, vcpu->arch.regs[VCPU_REGS_RCX]);
> - if (kvm_register_is_dirty(vcpu, VCPU_REGS_RDX))
> - ghcb_set_rdx(ghcb, vcpu->arch.regs[VCPU_REGS_RDX]);
> + ghcb_set_rax(ghcb, vcpu->arch.regs[VCPU_REGS_RAX]);
> + ghcb_set_rbx(ghcb, vcpu->arch.regs[VCPU_REGS_RBX]);
> + ghcb_set_rcx(ghcb, vcpu->arch.regs[VCPU_REGS_RCX]);
> + ghcb_set_rdx(ghcb, vcpu->arch.regs[VCPU_REGS_RDX]);
> }
>
> static void sev_es_sync_from_ghcb(struct vcpu_svm *svm)
>
Powered by blists - more mailing lists