Date:   Wed, 29 Dec 2021 17:47:56 +0000
From:   Sean Christopherson <seanjc@...gle.com>
To:     Borislav Petkov <bp@...en8.de>
Cc:     "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
        tglx@...utronix.de, mingo@...hat.com, dave.hansen@...el.com,
        luto@...nel.org, peterz@...radead.org,
        sathyanarayanan.kuppuswamy@...ux.intel.com, aarcange@...hat.com,
        ak@...ux.intel.com, dan.j.williams@...el.com, david@...hat.com,
        hpa@...or.com, jgross@...e.com, jmattson@...gle.com,
        joro@...tes.org, jpoimboe@...hat.com, knsathya@...nel.org,
        pbonzini@...hat.com, sdeep@...are.com, tony.luck@...el.com,
        vkuznets@...hat.com, wanpengli@...cent.com, x86@...nel.org,
        linux-kernel@...r.kernel.org,
        Sean Christopherson <sean.j.christopherson@...el.com>
Subject: Re: [PATCH 04/26] x86/traps: Add #VE support for TDX guest

On Wed, Dec 29, 2021, Borislav Petkov wrote:
> On Wed, Dec 29, 2021 at 05:07:34PM +0000, Sean Christopherson wrote:
> > FWIW, virtual/guest NMIs are blocked by the TDX module until pending #VE info
> > is retrieved via TDGETVEINFO.  Hardware has nothing to do with that behavior.
> 
> The TDX module can block NMIs?!

It blocks _virtual_ NMIs, which simply means that it doesn't inject an NMI until
NMIs are unblocked _in the guest_.  Hardware NMIs that arrive in the guest are
never blocked and will trigger an exit to the host.

Any hypervisor can do the same, but it requires a contract between the guest and
the hypervisor to define when NMIs are unblocked.  TDX extends the historical x86
contract with the #VE info clause, but again that doesn't help with nested NMIs.

> Can we get that functionality exported to baremetal too pls? Then we can get
> rid of the NMI nesting crap.

I believe that's being addressed with FRED[*].  ERET{S,U} unblock NMIs iff a magic
bit is set on the stack, and that magic bit is set by hardware only when delivering
NMIs.  I.e. so long as the NMI handler doesn't deliberately set the bit when
returning from other faults/events, NMIs will remain blocked until the NMI handler
returns.

[*] https://www.intel.com/content/www/us/en/develop/download/flexible-return-and-event-delivery-specification.html
