| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <95c28949-8732-8812-c255-79467dafb5c8@linux.ibm.com>
Date: Wed, 23 Mar 2022 09:52:16 +0100
From: Janis Schoetterl-Glausch <scgl@...ux.ibm.com>
To: Janosch Frank <frankja@...ux.ibm.com>,
Christian Borntraeger <borntraeger@...ux.ibm.com>,
Claudio Imbrenda <imbrenda@...ux.ibm.com>,
Heiko Carstens <hca@...ux.ibm.com>,
Vasily Gorbik <gor@...ux.ibm.com>,
Alexander Gordeev <agordeev@...ux.ibm.com>
Cc: David Hildenbrand <david@...hat.com>,
Sven Schnelle <svens@...ux.ibm.com>, kvm@...r.kernel.org,
linux-s390@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] KVM: s390: Fix lockdep issue in vm memop
On 3/23/22 08:58, Janosch Frank wrote:
> On 3/22/22 16:32, Janis Schoetterl-Glausch wrote:
>> Issuing a memop on a protected vm does not make sense,
>
> Issuing a vm memop on a protected vm...
>
> The cpu memop still makes sense, no?
The vcpu memop does hold the vcpu->lock, so no lockdep issue.
If you issue a vcpu memop while enabling protected virtualization,
the memop might find that the vcpu is not protected, while other vcpus
might already be, but I don't think there's a way to create secure memory
concurrent with the memop.
>
>> neither is the memory readable/writable, nor does it make sense to check
>> storage keys. This is why the ioctl will return -EINVAL when it detects
>> the vm to be protected. However, in order to ensure that the vm cannot
>> become protected during the memop, the kvm->lock would need to be taken
>> for the duration of the ioctl. This is also required because
>> kvm_s390_pv_is_protected asserts that the lock must be held.
>> Instead, don't try to prevent this. If user space enables secure
>> execution concurrently with a memop it must accecpt the possibility of
>> the memop failing.
>> Still check if the vm is currently protected, but without locking and
>> consider it a heuristic.
>>
>> Fixes: ef11c9463ae0 ("KVM: s390: Add vm IOCTL for key checked guest absolute memory access")
>> Signed-off-by: Janis Schoetterl-Glausch <scgl@...ux.ibm.com>
>
> Makes sense to me.
>
> Reviewed-by: Janosch Frank <frankja@...ux.ibm.com>
>
>> ---
>> arch/s390/kvm/kvm-s390.c | 11 ++++++++++-
>> 1 file changed, 10 insertions(+), 1 deletion(-)
>>
>> diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
>> index ca96f84db2cc..53adbe86a68f 100644
>> --- a/arch/s390/kvm/kvm-s390.c
>> +++ b/arch/s390/kvm/kvm-s390.c
>> @@ -2385,7 +2385,16 @@ static int kvm_s390_vm_mem_op(struct kvm *kvm, struct kvm_s390_mem_op *mop)
>> return -EINVAL;
>> if (mop->size > MEM_OP_MAX_SIZE)
>> return -E2BIG;
>> - if (kvm_s390_pv_is_protected(kvm))
>> + /*
>> + * This is technically a heuristic only, if the kvm->lock is not
>> + * taken, it is not guaranteed that the vm is/remains non-protected.
>> + * This is ok from a kernel perspective, wrongdoing is detected
>> + * on the access, -EFAULT is returned and the vm may crash the
>> + * next time it accesses the memory in question.
>> + * There is no sane usecase to do switching and a memop on two
>> + * different CPUs at the same time.
>> + */
>> + if (kvm_s390_pv_get_handle(kvm))
>> return -EINVAL;
>> if (mop->flags & KVM_S390_MEMOP_F_SKEY_PROTECTION) {
>> if (access_key_invalid(mop->key))
>>
>> base-commit: c9b8fecddb5bb4b67e351bbaeaa648a6f7456912
>
Powered by blists - more mailing lists