| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 3 Feb 2021 09:02:51 +0100
From: Paolo Bonzini <pbonzini@...hat.com>
To: Sean Christopherson <seanjc@...gle.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Andy Lutomirski <luto@...nel.org>,
Peter Zijlstra <peterz@...radead.org>
Cc: Vitaly Kuznetsov <vkuznets@...hat.com>,
Wanpeng Li <wanpengli@...cent.com>,
Jim Mattson <jmattson@...gle.com>,
Joerg Roedel <joro@...tes.org>, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] KVM: SVM: Treat SVM as unsupported when running as an SEV
guest
On 02/02/21 22:20, Sean Christopherson wrote:
> Don't let KVM load when running as an SEV guest, regardless of what
> CPUID says. Memory is encrypted with a key that is not accessible to
> the host (L0), thus it's impossible for L0 to emulate SVM, e.g. it'll
> see garbage when reading the VMCB.
>
> Technically, KVM could decrypt all memory that needs to be accessible to
> the L0 and use shadow paging so that L0 does not need to shadow NPT, but
> exposing such information to L0 largely defeats the purpose of running as
> an SEV guest. This can always be revisited if someone comes up with a
> use case for running VMs inside SEV guests.
>
> Note, VMLOAD, VMRUN, etc... will also #GP on GPAs with C-bit set, i.e. KVM
> is doomed even if the SEV guest is debuggable and the hypervisor is willing
> to decrypt the VMCB. This may or may not be fixed on CPUs that have the
> SVME_ADDR_CHK fix.
>
> Cc: stable@...r.kernel.org
> Signed-off-by: Sean Christopherson <seanjc@...gle.com>
> ---
>
> FWIW, I did get nested SVM working on SEV by decrypting all structures
> that are shadowed by L0, albeit with many restrictions. So even though
> there's unlikely to be a legitimate use case, I don't think KVM (as L0)
> needs to be changed to disallow nSVM for SEV guests, userspace is
> ultimately the one that should hide SVM from L1.
>
> arch/x86/kvm/svm/svm.c | 5 +++++
> arch/x86/mm/mem_encrypt.c | 1 +
> 2 files changed, 6 insertions(+)
>
> diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
> index 687876211ebe..9fb367cb4f15 100644
> --- a/arch/x86/kvm/svm/svm.c
> +++ b/arch/x86/kvm/svm/svm.c
> @@ -448,6 +448,11 @@ static int has_svm(void)
> return 0;
> }
>
> + if (sev_active()) {
> + pr_info("KVM is unsupported when running as an SEV guest\n");
> + return 0;
> + }
> +
> return 1;
> }
>
> diff --git a/arch/x86/mm/mem_encrypt.c b/arch/x86/mm/mem_encrypt.c
> index c79e5736ab2b..c3d5f0236f35 100644
> --- a/arch/x86/mm/mem_encrypt.c
> +++ b/arch/x86/mm/mem_encrypt.c
> @@ -382,6 +382,7 @@ bool sev_active(void)
> {
> return sev_status & MSR_AMD64_SEV_ENABLED;
> }
> +EXPORT_SYMBOL_GPL(sev_active);
>
> /* Needs to be called from non-instrumentable code */
> bool noinstr sev_es_active(void)
>
Queued, thanks.
Paolo
Powered by blists - more mailing lists