lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <700e336a-7d2f-e468-f38b-96e6d35174e7@amd.com>
Date:   Tue, 5 Apr 2022 12:53:30 -0500
From:   Tom Lendacky <thomas.lendacky@....com>
To:     Paolo Bonzini <pbonzini@...hat.com>, isaku.yamahata@...el.com,
        kvm@...r.kernel.org, linux-kernel@...r.kernel.org
Cc:     isaku.yamahata@...il.com, Jim Mattson <jmattson@...gle.com>,
        erdemaktas@...gle.com, Connor Kuehl <ckuehl@...hat.com>,
        Sean Christopherson <seanjc@...gle.com>
Subject: Re: [RFC PATCH v5 101/104] KVM: TDX: Silently ignore INIT/SIPI

On 4/5/22 10:48, Paolo Bonzini wrote:
> On 3/4/22 20:49, isaku.yamahata@...el.com wrote:
>> +        if (kvm_init_sipi_unsupported(vcpu->kvm))
>> +            /*
>> +             * TDX doesn't support INIT.  Ignore INIT event.  In the
>> +             * case of SIPI, the callback of
>> +             * vcpu_deliver_sipi_vector ignores it.
>> +             */
>>               vcpu->arch.mp_state = KVM_MP_STATE_RUNNABLE;
>> -        else
>> -            vcpu->arch.mp_state = KVM_MP_STATE_INIT_RECEIVED;
>> +        else {
>> +            kvm_vcpu_reset(vcpu, true);
>> +            if (kvm_vcpu_is_bsp(apic->vcpu))
>> +                vcpu->arch.mp_state = KVM_MP_STATE_RUNNABLE;
>> +            else
>> +                vcpu->arch.mp_state = KVM_MP_STATE_INIT_RECEIVED;
>> +        }
> 
> Should you check vcpu->arch.guest_state_protected instead of 
> special-casing TDX?  KVM_APIC_INIT is not valid for SEV-ES either, if I 
> remember correctly.

While the INIT doesn't update any actual state that is in the encrypted 
VMSA, SEV-ES still calls kvm_vcpu_reset() to allow KVM to set any internal 
tracking state, etc. I haven't ever tested SEV-ES where that is bypassed.

Thanks,
Tom

> 
> Paolo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ