| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <28c8302b-6833-10b4-c0eb-67456e7c4069@redhat.com>
Date: Thu, 3 Jun 2021 09:36:05 +0800
From: Jason Wang <jasowang@...hat.com>
To: Andi Kleen <ak@...ux.intel.com>, mst@...hat.com
Cc: virtualization@...ts.linux-foundation.org, hch@....de,
m.szyprowski@...sung.com, robin.murphy@....com,
iommu@...ts.linux-foundation.org, x86@...nel.org,
sathyanarayanan.kuppuswamy@...ux.intel.com, jpoimboe@...hat.com,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v1 1/8] virtio: Force only split mode with protected guest
在 2021/6/3 上午8:41, Andi Kleen 写道:
> When running under TDX the virtio host is untrusted. The bulk
> of the kernel memory is encrypted and protected, but the virtio
> ring is in special shared memory that is shared with the
> untrusted host.
>
> This means virtio needs to be hardened against any attacks from
> the host through the ring. Of course it's impossible to prevent DOS
> (the host can chose at any time to stop doing IO), but there
> should be no buffer overruns or similar that might give access to
> any private memory in the guest.
>
> virtio has a lot of modes, most are difficult to harden.
>
> The best for hardening seems to be split mode without indirect
> descriptors. This also simplifies the hardening job because
> it's only a single code path.
>
> Only allow split mode when in a protected guest. Followon
> patches harden the split mode code paths, and we don't want
> an malicious host to force anything else. Also disallow
> indirect mode for similar reasons.
>
> Signed-off-by: Andi Kleen <ak@...ux.intel.com>
> ---
> drivers/virtio/virtio_ring.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
> index 71e16b53e9c1..f35629fa47b1 100644
> --- a/drivers/virtio/virtio_ring.c
> +++ b/drivers/virtio/virtio_ring.c
> @@ -11,6 +11,7 @@
> #include <linux/module.h>
> #include <linux/hrtimer.h>
> #include <linux/dma-mapping.h>
> +#include <linux/protected_guest.h>
> #include <xen/xen.h>
>
> #ifdef DEBUG
> @@ -2221,8 +2222,16 @@ void vring_transport_features(struct virtio_device *vdev)
> unsigned int i;
>
> for (i = VIRTIO_TRANSPORT_F_START; i < VIRTIO_TRANSPORT_F_END; i++) {
> +
> + /*
> + * In protected guest mode disallow packed or indirect
> + * because they ain't hardened.
> + */
> +
> switch (i) {
> case VIRTIO_RING_F_INDIRECT_DESC:
> + if (protected_guest_has(VM_MEM_ENCRYPT))
> + goto clear;
So we will see huge performance regression without indirect descriptor.
We need to consider to address this.
Thanks
> break;
> case VIRTIO_RING_F_EVENT_IDX:
> break;
> @@ -2231,9 +2240,12 @@ void vring_transport_features(struct virtio_device *vdev)
> case VIRTIO_F_ACCESS_PLATFORM:
> break;
> case VIRTIO_F_RING_PACKED:
> + if (protected_guest_has(VM_MEM_ENCRYPT))
> + goto clear;
> break;
> case VIRTIO_F_ORDER_PLATFORM:
> break;
> + clear:
> default:
> /* We don't understand this bit. */
> __virtio_clear_bit(vdev, i);
Powered by blists - more mailing lists