| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 9 Nov 2021 09:56:17 -0700
From: Peter Gonda <pgonda@...gle.com>
To: Sean Christopherson <seanjc@...gle.com>
Cc: Thomas.Lendacky@....com, Marc Orr <marcorr@...gle.com>,
David Rientjes <rientjes@...gle.com>,
Brijesh Singh <brijesh.singh@....com>,
Joerg Roedel <jroedel@...e.de>,
Herbert Xu <herbert@...dor.apana.org.au>,
John Allen <john.allen@....com>,
"David S. Miller" <davem@...emloft.net>,
Paolo Bonzini <pbonzini@...hat.com>,
linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH V3 2/4] crypto: ccp - Move SEV_INIT retry for corrupted data
On Tue, Nov 9, 2021 at 9:31 AM Sean Christopherson <seanjc@...gle.com> wrote:
>
> On Tue, Nov 02, 2021, Peter Gonda wrote:
> > This change moves the data corrupted retry of SEV_INIT into the
>
> Use imperative mood.
Will do for next revision
>
> > __sev_platform_init_locked() function. This is for upcoming INIT_EX
> > support as well as helping direct callers of
> > __sev_platform_init_locked() which currently do not support the
> > retry.
> >
> > Signed-off-by: Peter Gonda <pgonda@...gle.com>
> > Reviewed-by: Marc Orr <marcorr@...gle.com>
> > Acked-by: David Rientjes <rientjes@...gle.com>
> > Acked-by: Tom Lendacky <thomas.lendacky@....com>
> > Cc: Tom Lendacky <thomas.lendacky@....com>
> > Cc: Brijesh Singh <brijesh.singh@....com>
> > Cc: Marc Orr <marcorr@...gle.com>
> > Cc: Joerg Roedel <jroedel@...e.de>
> > Cc: Herbert Xu <herbert@...dor.apana.org.au>
> > Cc: David Rientjes <rientjes@...gle.com>
> > Cc: John Allen <john.allen@....com>
> > Cc: "David S. Miller" <davem@...emloft.net>
> > Cc: Paolo Bonzini <pbonzini@...hat.com>
> > Cc: linux-crypto@...r.kernel.org
> > Cc: linux-kernel@...r.kernel.org
> > ---
> > drivers/crypto/ccp/sev-dev.c | 24 ++++++++++++------------
> > 1 file changed, 12 insertions(+), 12 deletions(-)
> >
> > diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
> > index ec89a82ba267..e4bc833949a0 100644
> > --- a/drivers/crypto/ccp/sev-dev.c
> > +++ b/drivers/crypto/ccp/sev-dev.c
> > @@ -267,6 +267,18 @@ static int __sev_platform_init_locked(int *error)
> > }
> >
> > rc = __sev_do_cmd_locked(SEV_CMD_INIT, &data, error);
> > + if (rc && *error == SEV_RET_SECURE_DATA_INVALID) {
>
> There are no guarantees that @error is non-NULL as this is reachable via an
> exported function, sev_platform_init(). Which ties in with my complaints in the
> previous patch that the API is a bit of a mess.
That seems like a bug from the caller right? Is it typical that we
sanity-check the caller in these instances? For example the same
comment could be made here:
https://elixir.bootlin.com/linux/latest/source/drivers/crypto/ccp/sev-dev.c#L336
```
static int sev_get_platform_state(int *state, int *error)
{
struct sev_user_data_status data;
int rc;
rc = __sev_do_cmd_locked(SEV_CMD_PLATFORM_STATUS, &data, error);
if (rc)
return rc;
*state = data.state; <--- State could be null.
return rc;
}
```
Example outside of this driver:
https://elixir.bootlin.com/linux/v5.15.1/source/arch/x86/kvm/x86.c#L468
```
int kvm_set_apic_base(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
{
enum lapic_mode old_mode = kvm_get_apic_mode(vcpu);
enum lapic_mode new_mode = kvm_apic_mode(msr_info->data); <---
msr_info could be null here
u64 reserved_bits = kvm_vcpu_reserved_gpa_bits_raw(vcpu) | 0x2ff |
(guest_cpuid_has(vcpu, X86_FEATURE_X2APIC) ? 0 : X2APIC_ENABLE);
if ((msr_info->data & reserved_bits) != 0 || new_mode == LAPIC_MODE_INVALID)
return 1;
if (!msr_info->host_initiated) {
if (old_mode == LAPIC_MODE_X2APIC && new_mode == LAPIC_MODE_XAPIC)
return 1;
if (old_mode == LAPIC_MODE_DISABLED && new_mode == LAPIC_MODE_X2APIC)
return 1;
}
kvm_lapic_set_base(vcpu, msr_info->data);
kvm_recalculate_apic_map(vcpu->kvm);
return 0;
}
EXPORT_SYMBOL_GPL(kvm_set_apic_base);
```
About the API being a mess that seems a little out of scope for this
change. I am not changing the API surface at all here. Again happy to
discuss improvements with you and Tom for follow up series.
>
> > + /*
> > + * INIT command returned an integrity check failure
> > + * status code, meaning that firmware load and
> > + * validation of SEV related persistent data has
> > + * failed and persistent state has been erased.
> > + * Retrying INIT command here should succeed.
> > + */
> > + dev_dbg(sev->dev, "SEV: retrying INIT command");
> > + rc = __sev_do_cmd_locked(SEV_CMD_INIT, &data, error);
> > + }
> > +
> > if (rc)
> > return rc;
> >
> > @@ -1091,18 +1103,6 @@ void sev_pci_init(void)
> >
> > /* Initialize the platform */
> > rc = sev_platform_init(&error);
> > - if (rc && (error == SEV_RET_SECURE_DATA_INVALID)) {
> > - /*
> > - * INIT command returned an integrity check failure
> > - * status code, meaning that firmware load and
> > - * validation of SEV related persistent data has
> > - * failed and persistent state has been erased.
> > - * Retrying INIT command here should succeed.
> > - */
> > - dev_dbg(sev->dev, "SEV: retrying INIT command");
> > - rc = sev_platform_init(&error);
> > - }
> > -
> > if (rc) {
> > dev_err(sev->dev, "SEV: failed to INIT error %#x, rc %d\n",
> > error, rc);
> > --
> > 2.33.1.1089.g2158813163f-goog
> >
Powered by blists - more mailing lists