lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20220211182215.2730017-1-scgl@linux.ibm.com>
Date:   Fri, 11 Feb 2022 19:22:05 +0100
From:   Janis Schoetterl-Glausch <scgl@...ux.ibm.com>
To:     Christian Borntraeger <borntraeger@...ux.ibm.com>,
        Heiko Carstens <hca@...ux.ibm.com>,
        Janosch Frank <frankja@...ux.ibm.com>
Cc:     Janis Schoetterl-Glausch <scgl@...ux.ibm.com>,
        Alexander Gordeev <agordeev@...ux.ibm.com>,
        Claudio Imbrenda <imbrenda@...ux.ibm.com>,
        David Hildenbrand <david@...hat.com>,
        Jonathan Corbet <corbet@....net>, kvm@...r.kernel.org,
        linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-s390@...r.kernel.org, Paolo Bonzini <pbonzini@...hat.com>,
        Sven Schnelle <svens@...ux.ibm.com>,
        Vasily Gorbik <gor@...ux.ibm.com>
Subject: [PATCH v4 00/10] KVM: s390: Do storage key checking

Check keys when emulating instructions and let user space do key checked
accesses.
User space can do so via an extension of the MEMOP IOCTL:
* allow optional key checking
* allow MEMOP on vm fd, so key checked accesses on absolute memory
  become possible

I haven't finished the memop selftest rewrite, but decided to send out a
new version anyway, since the functional patches are (hopefully) final
and the memop selftest patch works. I'll reply to it with the
rewritten version.

v3: https://lore.kernel.org/kvm/20220209170422.1910690-1-scgl@linux.ibm.com/
v2: https://lore.kernel.org/kvm/20220207165930.1608621-1-scgl@linux.ibm.com/

v3 -> v4
 * rebase
 * ignore key in memop if skey flag not specified
 * fix nits in documentation
 * pick up tags

v2 -> v3
 * get rid of reserved bytes check in vm,vcpu memop
 * minor documentation changes
 * moved memop selftest patches to end of series and squashed them,
   currently working on making the test pretty

v1 -> v2
 * rebase
 * storage key variants of _?copy_from/to_user instead of
   __copy_from/to_user_key, with long key arg instead of char
 * refactor protection override checks
 * u8 instead of char for key argument in s390 KVM code
 * add comments
 * pass ar (access register) to trans_exec in access_guest_with_key
 * check reserved/unused fields (backwards compatible)
 * move key arg of MEMOP out of flags
 * rename new MEMOP capability to KVM_CAP_S390_MEM_OP_EXTENSION
 * minor changes

Janis Schoetterl-Glausch (10):
  s390/uaccess: Add copy_from/to_user_key functions
  KVM: s390: Honor storage keys when accessing guest memory
  KVM: s390: handle_tprot: Honor storage keys
  KVM: s390: selftests: Test TEST PROTECTION emulation
  KVM: s390: Add optional storage key checking to MEMOP IOCTL
  KVM: s390: Add vm IOCTL for key checked guest absolute memory access
  KVM: s390: Rename existing vcpu memop functions
  KVM: s390: Add capability for storage key extension of MEM_OP IOCTL
  KVM: s390: Update api documentation for memop ioctl
  KVM: s390: selftests: Test memops with storage keys

 Documentation/virt/kvm/api.rst            | 112 ++++-
 arch/s390/include/asm/ctl_reg.h           |   2 +
 arch/s390/include/asm/page.h              |   2 +
 arch/s390/include/asm/uaccess.h           |  22 +
 arch/s390/kvm/gaccess.c                   | 250 +++++++++-
 arch/s390/kvm/gaccess.h                   |  84 +++-
 arch/s390/kvm/intercept.c                 |  12 +-
 arch/s390/kvm/kvm-s390.c                  | 132 ++++-
 arch/s390/kvm/priv.c                      |  66 +--
 arch/s390/lib/uaccess.c                   |  81 +++-
 include/uapi/linux/kvm.h                  |  11 +-
 tools/testing/selftests/kvm/.gitignore    |   1 +
 tools/testing/selftests/kvm/Makefile      |   1 +
 tools/testing/selftests/kvm/s390x/memop.c | 558 +++++++++++++++++++---
 tools/testing/selftests/kvm/s390x/tprot.c | 227 +++++++++
 15 files changed, 1375 insertions(+), 186 deletions(-)
 create mode 100644 tools/testing/selftests/kvm/s390x/tprot.c

Range-diff against v3:
 1:  0049c4412978 =  1:  313eb689b715 s390/uaccess: Add copy_from/to_user_key functions
 2:  296096b9a7b9 =  2:  192fe30b1863 KVM: s390: Honor storage keys when accessing guest memory
 3:  a5976cb3a147 =  3:  19bd017ae5a4 KVM: s390: handle_tprot: Honor storage keys
 4:  5f5e056e66df =  4:  d20fad8d501b KVM: s390: selftests: Test TEST PROTECTION emulation
 5:  64fa17a83b26 !  5:  bdee09b4a15e KVM: s390: Add optional storage key checking to MEMOP IOCTL
    @@ Commit message
         CPU would, or pass another key if necessary.
     
         Signed-off-by: Janis Schoetterl-Glausch <scgl@...ux.ibm.com>
    -    Acked-by: Janosch Frank <frankja@...ux.ibm.com>
         Reviewed-by: Claudio Imbrenda <imbrenda@...ux.ibm.com>
    +    Reviewed-by: Christian Borntraeger <borntraeger@...ux.ibm.com>
    +    Reviewed-by: Janosch Frank <frankja@...ux.ibm.com>
     
      ## arch/s390/kvm/kvm-s390.c ##
    -@@
    - #include <linux/sched/signal.h>
    - #include <linux/string.h>
    - #include <linux/pgtable.h>
    -+#include <linux/bitfield.h>
    - 
    - #include <asm/asm-offsets.h>
    - #include <asm/lowcore.h>
     @@ arch/s390/kvm/kvm-s390.c: static int kvm_s390_handle_pv(struct kvm *kvm, struct kvm_pv_cmd *cmd)
      	return r;
      }
    @@ arch/s390/kvm/kvm-s390.c: static long kvm_s390_guest_mem_op(struct kvm_vcpu *vcp
     +	if (mop->flags & KVM_S390_MEMOP_F_SKEY_PROTECTION) {
     +		if (access_key_invalid(mop->key))
     +			return -EINVAL;
    ++	} else {
    ++		mop->key = 0;
     +	}
      	if (!(mop->flags & KVM_S390_MEMOP_F_CHECK_ONLY)) {
      		tmpbuf = vmalloc(mop->size);
 6:  57e3ad332677 !  6:  e207a2f9af8a KVM: s390: Add vm IOCTL for key checked guest absolute memory access
    @@ Commit message
         accesses and so are not applied as they are when using the vcpu memop.
     
         Signed-off-by: Janis Schoetterl-Glausch <scgl@...ux.ibm.com>
    -    Acked-by: Janosch Frank <frankja@...ux.ibm.com>
    +    Reviewed-by: Christian Borntraeger <borntraeger@...ux.ibm.com>
     
      ## arch/s390/kvm/gaccess.c ##
     @@ arch/s390/kvm/gaccess.c: static int low_address_protection_enabled(struct kvm_vcpu *vcpu,
    @@ arch/s390/kvm/kvm-s390.c: static bool access_key_invalid(u8 access_key)
     +	if (mop->flags & KVM_S390_MEMOP_F_SKEY_PROTECTION) {
     +		if (access_key_invalid(mop->key))
     +			return -EINVAL;
    ++	} else {
    ++		mop->key = 0;
     +	}
     +	if (!(mop->flags & KVM_S390_MEMOP_F_CHECK_ONLY)) {
     +		tmpbuf = vmalloc(mop->size);
 7:  1615f5ab6e30 =  7:  52adbceebe41 KVM: s390: Rename existing vcpu memop functions
 8:  a8420e0f1b7f =  8:  43280a2db282 KVM: s390: Add capability for storage key extension of MEM_OP IOCTL
 9:  c59952ee362b !  9:  9389cd2f4d23 KVM: s390: Update api documentation for memop ioctl
    @@ Commit message
         as well as the existing SIDA operations.
     
         Signed-off-by: Janis Schoetterl-Glausch <scgl@...ux.ibm.com>
    +    Reviewed-by: Janosch Frank <frankja@...ux.ibm.com>
     
      ## Documentation/virt/kvm/api.rst ##
     @@ Documentation/virt/kvm/api.rst: The fields in each entry are defined as follows:
    @@ Documentation/virt/kvm/api.rst: Parameters are specified via the following struc
     +the access. "ar" designates the access register number to be used; the valid
     +range is 0..15.
     +Logical accesses are permitted for the VCPU ioctl only.
    -+Logical accesses are permitted for non secure guests only.
    ++Logical accesses are permitted for non-protected guests only.
     +
     +Supported flags:
     +  * ``KVM_S390_MEMOP_F_CHECK_ONLY``
    @@ Documentation/virt/kvm/api.rst: Parameters are specified via the following struc
     +  * ``KVM_S390_MEMOP_F_SKEY_PROTECTION``
     +
     +The KVM_S390_MEMOP_F_CHECK_ONLY flag can be set to check whether the
    -+corresponding memory access would cause an access exception, without touching
    -+the data in memory at the destination.
    ++corresponding memory access would cause an access exception; however,
    ++no actual access to the data in memory at the destination is performed.
     +In this case, "buf" is unused and can be NULL.
     +
     +In case an access exception occurred during the access (or would occur
    @@ Documentation/virt/kvm/api.rst: Parameters are specified via the following struc
     +Absolute accesses are permitted for the VM ioctl if KVM_CAP_S390_MEM_OP_EXTENSION
     +is > 0.
     +Currently absolute accesses are not permitted for VCPU ioctls.
    -+Absolute accesses are permitted for non secure guests only.
    ++Absolute accesses are permitted for non-protected guests only.
     +
     +Supported flags:
     +  * ``KVM_S390_MEMOP_F_CHECK_ONLY``
    @@ Documentation/virt/kvm/api.rst: Parameters are specified via the following struc
     +^^^^^^^^^^^^^^^^
     +
     +Access the secure instruction data area which contains memory operands necessary
    -+for instruction emulation for secure guests.
    ++for instruction emulation for protected guests.
     +SIDA accesses are available if the KVM_CAP_S390_PROTECTED capability is available.
     +SIDA accesses are permitted for the VCPU ioctl only.
    -+SIDA accesses are permitted for secure guests only.
    ++SIDA accesses are permitted for protected guests only.
      
     -The "reserved" field is meant for future extensions. It is not used by
     -KVM with the currently defined set of flags.
10:  68752e1eca95 = 10:  af33593d63a4 KVM: s390: selftests: Test memops with storage keys

base-commit: f1baf68e1383f6ed93eb9cff2866d46562607a43
-- 
2.32.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ