lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 3 May 2021 07:44:49 -0700
From:   Dave Hansen <dave.hansen@...el.com>
To:     Brijesh Singh <brijesh.singh@....com>, x86@...nel.org,
        linux-kernel@...r.kernel.org, kvm@...r.kernel.org
Cc:     tglx@...utronix.de, bp@...en8.de, jroedel@...e.de,
        thomas.lendacky@....com, pbonzini@...hat.com, mingo@...hat.com,
        rientjes@...gle.com, seanjc@...gle.com, peterz@...radead.org,
        hpa@...or.com, tony.luck@...el.com
Subject: Re: [PATCH Part2 RFC v2 10/37] x86/fault: Add support to handle the
 RMP fault for kernel address

On 4/30/21 5:37 AM, Brijesh Singh wrote:
> When SEV-SNP is enabled globally, a write from the host goes through the
> RMP check. When the host writes to pages, hardware checks the following
> conditions at the end of page walk:
> 
> 1. Assigned bit in the RMP table is zero (i.e page is shared).
> 2. If the page table entry that gives the sPA indicates that the target
>    page size is a large page, then all RMP entries for the 4KB
>    constituting pages of the target must have the assigned bit 0.
> 3. Immutable bit in the RMP table is not zero.
> 
> The hardware will raise page fault if one of the above conditions is not
> met. A host should not encounter the RMP fault in normal execution, but
> a malicious guest could trick the hypervisor into it. e.g., a guest does
> not make the GHCB page shared, on #VMGEXIT, the hypervisor will attempt
> to write to GHCB page.

Is that the only case which is left?  If so, why don't you simply split
the direct map for GHCB pages before giving them to the guest?  Or, map
them with vmap() so that the mapping is always 4k?

Or, worst case, you could use exception tables and something like
copy_to_user() to write to the GHCB.  That way, the thread doing the
write can safely recover from the fault without the instruction actually
ever finishing execution.

BTW, I went looking through the spec.  I didn't see anything about the
guest being able to write the "Assigned" RMP bit.  Did I miss that?
Which of the above three conditions is triggered by the guest failing to
make the GHCB page shared?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ