lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <b5e2c332-59a8-7fa8-5e59-4cb2e5be3b8d@redhat.com>
Date:   Sat, 27 Nov 2021 11:25:15 +0100
From:   Paolo Bonzini <pbonzini@...hat.com>
To:     Lai Jiangshan <laijs@...ux.alibaba.com>,
        linux-kernel@...r.kernel.org, kvm@...r.kernel.org
Cc:     stable@...r.kernel.org, Tom Lendacky <thomas.lendacky@....com>
Subject: Re: [PATCH] KVM: MMU: shadow nested paging does not have PKU

On 11/27/21 02:21, Lai Jiangshan wrote:
> 
> 
> On 2021/11/26 21:21, Paolo Bonzini wrote:
>> Initialize the mask for PKU permissions as if CR4.PKE=0, avoiding
>> incorrect interpretations of the nested hypervisor's page tables.
> 
> I think the AMD64 volume2 Architecture Programmer’s Manual does not
> specify it, but it seems that for a sane NPT walk, PKU should not work
> in NPT.

The PK bit is not defined in the nested page fault EXITINFO1, too. 
Thomas, can you have it fixed in the APM that the host's SMEP, SMAP and 
PKE bits do not affect nested page table walks?

> I once planed to set
> 
>      cr0 = X86_CR0_PG | X86_CR0_WP;
>      cr4 = cr4 & ~(X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE);
> 
> It adds X86_CR0_WP and removes smep smap just because it is always usermode
> access, and it has no meaning for CR0_WP, smep, smap.  Setting it like this
> ways can reduce the role combination.

Adding WP is a good idea (the host hCR0.WP bit is ignored under nested 
paging).  Adding PG is unnecessary though, it must be on.

Removing SMEP and SMAP makes sense, but not really because of the role 
(if you add WP, then SMEP and SMAP are not part of the role because SMEP 
& ~WP and SMAP & ~WP are both zero).  Special-casing hCR4.SMEP basically 
allows us to implement Guest Mode Execute Trap essentially for free and 
even on older processors, because it's the same thing as SMEP---just 
governed by a field in the VMCB control area instead of host CR4.

I'll send a v2 that also removes WP, SMEP and SMAP.

>> -    update_pkru_bitmask(context);
>> +    context->pkru_mask = 0;
> 
> It is not worth to optimize it since update_pkru_bitmask() will also just
> set context->pkru_mask = 0 and then return.

I didn't think of it as an optimization, but I can undo it.

Paolo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ