lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <9eb0b655-48ca-94d0-0588-2a4f3e5b3651@amd.com>
Date:   Thu, 25 Feb 2021 08:57:33 -0600
From:   Tom Lendacky <thomas.lendacky@....com>
To:     Steve Rutherford <srutherford@...gle.com>,
        Nathan Tempelman <natet@...gle.com>
Cc:     Paolo Bonzini <pbonzini@...hat.com>, X86 ML <x86@...nel.org>,
        KVM list <kvm@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Sean Christopherson <seanjc@...gle.com>,
        David Rientjes <rientjes@...gle.com>,
        Brijesh Singh <brijesh.singh@....com>,
        Ashish Kalra <Ashish.Kalra@....com>
Subject: Re: [RFC] KVM: x86: Support KVM VMs sharing SEV context

On 2/24/21 9:44 PM, Steve Rutherford wrote:
> On Wed, Feb 24, 2021 at 1:00 AM Nathan Tempelman <natet@...gle.com> wrote:
>>
>> @@ -1186,6 +1195,10 @@ int svm_register_enc_region(struct kvm *kvm,
>>          if (!sev_guest(kvm))
>>                  return -ENOTTY;
>>
>> +       /* If kvm is mirroring encryption context it isn't responsible for it */
>> +       if (is_mirroring_enc_context(kvm))
>> +               return -ENOTTY;
>> +
> 
> Is this necessary? Same for unregister. When we looked at
> sev_pin_memory, I believe we concluded that double pinning was safe.
>>
>>          if (range->addr > ULONG_MAX || range->size > ULONG_MAX)
>>                  return -EINVAL;
>>
>> @@ -1252,6 +1265,10 @@ int svm_unregister_enc_region(struct kvm *kvm,
>>          struct enc_region *region;
>>          int ret;
>>
>> +       /* If kvm is mirroring encryption context it isn't responsible for it */
>> +       if (is_mirroring_enc_context(kvm))
>> +               return -ENOTTY;
>> +
>>          mutex_lock(&kvm->lock);
>>
>>          if (!sev_guest(kvm)) {
>> @@ -1282,6 +1299,65 @@ int svm_unregister_enc_region(struct kvm *kvm,
>>          return ret;
>>   }
>>
>> +int svm_vm_copy_asid_to(struct kvm *kvm, unsigned int mirror_kvm_fd)
>> +{
>> +       struct file *mirror_kvm_file;
>> +       struct kvm *mirror_kvm;
>> +       struct kvm_sev_info *mirror_kvm_sev;
>> +       unsigned int asid;
>> +       int ret;
>> +
>> +       if (!sev_guest(kvm))
>> +               return -ENOTTY;
> 
> You definitely don't want this: this is the function that turns the vm
> into an SEV guest (marks SEV as active).

The sev_guest() function does not set sev->active, it only checks it. The 
sev_guest_init() function is where sev->active is set.

> 
> (Not an issue with this patch, but a broader issue) I believe
> sev_guest lacks the necessary acquire/release barriers on sev->active,

The svm_mem_enc_op() takes the kvm lock and that is the only way into the 
sev_guest_init() function where sev->active is set.

Thanks,
Tom

> since it's called without the kvm lock. I mean, it's x86, so the only
> one that's going to hose you is the compiler for this type of access.
> There should be an smp_rmb() after the access in sev_guest and an
> smp_wmb() before the access in SEV_GUEST_INIT and here.
>>
>> +
>> +       mutex_lock(&kvm->lock);
>> +
>> +       /* Mirrors of mirrors should work, but let's not get silly */
>> +       if (is_mirroring_enc_context(kvm)) {
>> +               ret = -ENOTTY;
>> +               goto failed;
>> +       }
>> +
>> +       mirror_kvm_file = fget(mirror_kvm_fd);
>> +       if (!kvm_is_kvm(mirror_kvm_file)) {
>> +               ret = -EBADF;
>> +               goto failed;
>> +       }
>> +
>> +       mirror_kvm = mirror_kvm_file->private_data;
>> +
>> +       if (mirror_kvm == kvm || is_mirroring_enc_context(mirror_kvm)) {
> Just check if the source is an sev_guest and that the destination is
> not an sev_guest.
> 
> I reviewed earlier incarnations of this, and think the high-level idea
> is sound. I'd like to see kvm-selftests for this patch, and plan on
> collaborating with AMD to help make those happen.
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ