| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YYWg6wa398Vw6FJu@google.com>
Date: Fri, 5 Nov 2021 21:23:55 +0000
From: Sean Christopherson <seanjc@...gle.com>
To: Kuppuswamy Sathyanarayanan
<sathyanarayanan.kuppuswamy@...ux.intel.com>
Cc: Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
x86@...nel.org, Paolo Bonzini <pbonzini@...hat.com>,
David Hildenbrand <david@...hat.com>,
Andrea Arcangeli <aarcange@...hat.com>,
Josh Poimboeuf <jpoimboe@...hat.com>,
"H . Peter Anvin" <hpa@...or.com>,
Dave Hansen <dave.hansen@...el.com>,
Tony Luck <tony.luck@...el.com>,
Dan Williams <dan.j.williams@...el.com>,
Andi Kleen <ak@...ux.intel.com>,
Kirill Shutemov <kirill.shutemov@...ux.intel.com>,
Kuppuswamy Sathyanarayanan <knsathya@...nel.org>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v7 05/10] x86/tdx: Handle port I/O
On Tue, Oct 05, 2021, Kuppuswamy Sathyanarayanan wrote:
> diff --git a/arch/x86/kernel/tdx.c b/arch/x86/kernel/tdx.c
> index 4cbffcb737d9..cd0fb5d14ad7 100644
> --- a/arch/x86/kernel/tdx.c
> +++ b/arch/x86/kernel/tdx.c
> @@ -175,6 +175,38 @@ static u64 tdx_handle_cpuid(struct pt_regs *regs)
> return ret;
> }
>
> +/*
> + * tdx_handle_early_io() cannot be re-used in #VE handler for handling
> + * I/O because the way of handling string I/O is different between
> + * normal and early I/O case. Also, once trace support is enabled,
> + * tdx_handle_io() will be extended to use trace calls which is also
> + * not valid for early I/O cases.
> + */
> +static void tdx_handle_io(struct pt_regs *regs, u32 exit_qual)
> +{
> + struct tdx_hypercall_output outh;
Same comments as patch 04.
> + int out, size, port, ret;
> + bool string;
> + u64 mask;
> +
> + string = VE_IS_IO_STRING(exit_qual);
> +
> + /* I/O strings ops are unrolled at build time. */
> + BUG_ON(string);
And here as well.
> +
> + out = VE_IS_IO_OUT(exit_qual);
> + size = VE_GET_IO_SIZE(exit_qual);
> + port = VE_GET_PORT_NUM(exit_qual);
> + mask = GENMASK(8 * size, 0);
And here.
> +
> + ret = _tdx_hypercall(EXIT_REASON_IO_INSTRUCTION, size, out, port,
> + regs->ax, &outh);
This one too.
> + if (!out) {
This needs to check "ret". In general, why is this continuing on if I/O fails?
If I/O fails, the kernel done messed up and some downstream driver is going to
be real unhappy. At a minimum, it should WARN.
On a related topic, the GHCB says:
TDG.VP.VMCALL_INVALID_OPERAND 0x80000000 00000000 Invalid-IO-Port access
The "Invalid-IO-Port access" in particular is poorly worded as it implies the VMM
is allowed to deny access to ports, but AFAIK that's not the intention. A better
phrasing would be something like "Reserved value in input GPR".
The GHCI should probably also state that bits 63:16 of R14 (port) are reserved.
> + regs->ax &= ~mask;
> + regs->ax |= (ret ? UINT_MAX : outh.r11) & mask;
> + }
> +}
Powered by blists - more mailing lists