lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <bd22ef54224d15ee89130728c408f70da0516eaa.camel@linux.ibm.com>
Date:   Wed, 01 Sep 2021 09:18:15 -0700
From:   James Bottomley <jejb@...ux.ibm.com>
To:     Andy Lutomirski <luto@...nel.org>,
        David Hildenbrand <david@...hat.com>,
        Sean Christopherson <seanjc@...gle.com>
Cc:     Paolo Bonzini <pbonzini@...hat.com>,
        Vitaly Kuznetsov <vkuznets@...hat.com>,
        Wanpeng Li <wanpengli@...cent.com>,
        Jim Mattson <jmattson@...gle.com>,
        Joerg Roedel <joro@...tes.org>, kvm list <kvm@...r.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Borislav Petkov <bp@...en8.de>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Joerg Roedel <jroedel@...e.de>,
        Andi Kleen <ak@...ux.intel.com>,
        David Rientjes <rientjes@...gle.com>,
        Vlastimil Babka <vbabka@...e.cz>,
        Tom Lendacky <thomas.lendacky@....com>,
        Thomas Gleixner <tglx@...utronix.de>,
        "Peter Zijlstra (Intel)" <peterz@...radead.org>,
        Ingo Molnar <mingo@...hat.com>,
        Varad Gautam <varad.gautam@...e.com>,
        Dario Faggioli <dfaggioli@...e.com>,
        the arch/x86 maintainers <x86@...nel.org>,
        linux-mm@...ck.org, linux-coco@...ts.linux.dev,
        "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
        "Kirill A . Shutemov" <kirill@...temov.name>,
        Sathyanarayanan Kuppuswamy 
        <sathyanarayanan.kuppuswamy@...ux.intel.com>,
        Dave Hansen <dave.hansen@...el.com>,
        Yu Zhang <yu.c.zhang@...ux.intel.com>
Subject: Re: [RFC] KVM: mm: fd-based approach for supporting KVM guest
 private memory

On Wed, 2021-09-01 at 08:54 -0700, Andy Lutomirski wrote:
[...]
> If you want to swap a page on TDX, you can't.  Sorry, go directly to
> jail, do not collect $200.

Actually, even on SEV-ES you can't either.  You can read the encrypted
page and write it out if you want, but unless you swap it back to the
exact same physical memory location, the encryption key won't work. 
Since we don't guarantee this for swap, I think swap won't actually
work for any confidential computing environment.

> So I think there are literally zero code paths that currently call
> try_to_unmap() that will actually work like that on TDX.  If we run
> out of memory on a TDX host, we can kill the guest completely and
> reclaim all of its memory (which probably also involves killing QEMU
> or whatever other user program is in charge), but that's really our
> only option.

I think our only option for swap is guest co-operation.  We're going to
have to inflate a balloon or something in the guest and have the guest
driver do some type of bounce of the page, where it becomes an
unencrypted page in the guest (so the host can read it without the
physical address keying of the encryption getting in the way) but
actually encrypted with a swap transfer key known only to the guest.  I
assume we can use the page acceptance infrastructure currently being
discussed elsewhere to do swap back in as well ... the host provides
the guest with the encrypted swap page and the guest has to decrypt it
and place it in encrypted guest memory.

That way the swapped memory is securely encrypted, but can be swapped
back in.

James


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ