| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 13 Sep 2021 21:11:51 +0000
From: Sean Christopherson <seanjc@...gle.com>
To: Dave Hansen <dave.hansen@...el.com>
Cc: Paolo Bonzini <pbonzini@...hat.com>, linux-kernel@...r.kernel.org,
kvm@...r.kernel.org, x86@...nel.org, linux-sgx@...r.kernel.org,
jarkko@...nel.org, dave.hansen@...ux.intel.com,
yang.zhong@...el.com
Subject: Re: [PATCH 2/2] x86: sgx_vepc: implement SGX_IOC_VEPC_REMOVE ioctl
On Mon, Sep 13, 2021, Dave Hansen wrote:
> On 9/13/21 6:11 AM, Paolo Bonzini wrote:
> > +static long sgx_vepc_remove_all(struct sgx_vepc *vepc)
> > +{
> > + struct sgx_epc_page *entry;
> > + unsigned long index;
> > + long failures = 0;
> > +
> > + xa_for_each(&vepc->page_array, index, entry)
> > + if (sgx_vepc_remove_page(entry))
> > + failures++;
> > +
> > + /*
> > + * Return the number of pages that failed to be removed, so
> > + * userspace knows that there are still SECS pages lying
> > + * around.
> > + */
> > + return failures;
> > +}
>
> I'm not sure the retry logic should be in userspace. Also, is this
> strictly limited to SECS pages? It could also happen if there were
> enclaves running that used the page. Granted, userspace can probably
> stop all the vcpus, but the *interface* doesn't prevent it being called
> like that.
The general rule for KVM is that so long as userspace abuse of running vCPUs (or
other concurrent operations) doesn't put the kernel/platform at risk, it's
userspace's responsibility to not screw up. The main argument being that there
are myriad ways the VMM can DoS the guest without having to abuse an ioctl().
> What else can userspace do but:
>
> ret = ioctl(fd, SGX_IOC_VEPC_REMOVE);
> if (ret)
> ret = ioctl(fd, SGX_IOC_VEPC_REMOVE);
> if (ret)
> printf("uh oh\n");
>
> We already have existing code to gather up the pages that couldn't be
> EREMOVE'd and selectively EREMOVE them again. Why not reuse that code
> here? If there is 100GB of EPC, it's gotta be painful to run through
> the ->page_array twice when once plus a small list iteration will do.
My argument against handling this fully in the kernel is that to handle a vNUMA
setup with multiple vEPC sections, the ioctl() would need to a take a set of file
descriptors to handle the case where an SECS is pinned by a child page in a
diferent vEPC. It would also require an extra list_head per page (or dynamic
allocations), as the list_head in sgx_epc_page will (likely, eventually) be needed
to handle EPC OOM. In the teardown case, sgx_epc_page.list can be used because
the pages are taken off the active/allocated list as part of teardown.
Neither issue is the end of the world, but IMO it's not worth burning the memory
and taking on extra complexity in the kernel for a relatively rare operation that's
slow as dirt anyways.
> Which reminds me... Do we need a cond_resched() in there or anything?
> That loop could theoretically get really, really long.
Powered by blists - more mailing lists