lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CANgfPd85MST8Lf_LhQ++JjxwJRvBoYk8FpOwzYbOhBL1zz157w@mail.gmail.com>
Date:   Thu, 14 Apr 2022 14:14:48 -0700
From:   Ben Gardon <bgardon@...gle.com>
To:     Sean Christopherson <seanjc@...gle.com>
Cc:     LKML <linux-kernel@...r.kernel.org>, kvm <kvm@...r.kernel.org>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Peter Xu <peterx@...hat.com>,
        David Matlack <dmatlack@...gle.com>,
        Jim Mattson <jmattson@...gle.com>,
        David Dunn <daviddunn@...gle.com>,
        Jing Zhang <jingzhangos@...gle.com>,
        Junaid Shahid <junaids@...gle.com>
Subject: Re: [PATCH v5 10/10] KVM: selftests: Test disabling NX hugepages on a VM

On Wed, Apr 13, 2022 at 3:48 PM Sean Christopherson <seanjc@...gle.com> wrote:
>
> On Wed, Apr 13, 2022, Ben Gardon wrote:
> > diff --git a/tools/testing/selftests/kvm/x86_64/nx_huge_pages_test.c b/tools/testing/selftests/kvm/x86_64/nx_huge_pages_test.c
> > index 7f80e48781fd..21c31e1d567e 100644
> > --- a/tools/testing/selftests/kvm/x86_64/nx_huge_pages_test.c
> > +++ b/tools/testing/selftests/kvm/x86_64/nx_huge_pages_test.c
> > @@ -13,6 +13,8 @@
> >  #include <fcntl.h>
> >  #include <stdint.h>
> >  #include <time.h>
> > +#include <linux/reboot.h>
> > +#include <sys/syscall.h>
> >
> >  #include <test_util.h>
> >  #include "kvm_util.h"
> > @@ -80,13 +82,45 @@ static void check_split_count(struct kvm_vm *vm, int expected_splits)
> >                   expected_splits, actual_splits);
> >  }
> >
> > -int main(int argc, char **argv)
> > +void run_test(bool disable_nx)
>
> Probably worth naming this disable_nx_workaround or disable_nx_mitigation, it's
> quite easy to think this means "disable EFER.NX".
>
> >  {
> >       struct kvm_vm *vm;
> >       struct timespec ts;
> > +     uint64_t pages;
> >       void *hva;
> > -
> > -     vm = vm_create_default(0, 0, guest_code);
> > +     int r;
> > +
> > +     pages = vm_pages_needed(VM_MODE_DEFAULT, 1, DEFAULT_GUEST_PHY_PAGES,
> > +                             0, 0);
> > +     vm = vm_create_without_vcpus(VM_MODE_DEFAULT, pages);
> > +
> > +     if (disable_nx) {
> > +             kvm_check_cap(KVM_CAP_VM_DISABLE_NX_HUGE_PAGES);
> > +
> > +             /*
> > +              * Check if this process has the reboot permissions needed to
> > +              * disable NX huge pages on a VM.
> > +              *
> > +              * The reboot call below will never have any effect because
> > +              * the magic values are not set correctly, however the
> > +              * permission check is done before the magic value check.
> > +              */
> > +             r = syscall(SYS_reboot, 0, 0, 0, NULL);
> > +             if (r && errno == EPERM) {
> > +                     r = vm_disable_nx_huge_pages(vm);
> > +                     TEST_ASSERT(r == EPERM,
> > +                                 "This process should not have permission to disable NX huge pages");
>
> First off, huge kudos for negative testing!  But, it's going to provide poor coverage
> if we teach everyone to use the runner script, because that'll likely require root on
> most hosts, e.g. to futz with the module param.
>
> Aha!  Idea.  And it should eliminate the SYS_reboot shenanigans, which while hilarious,
> are mildy scary.
>
> In the runner script, wrap all the modification of sysfs knobs with sudo, and then
> (again with sudo) do:
>
>         setcap cap_sys_boot+ep path/to/nx_huge_pages_test
>         path/to/nx_huge_pages_test MAGIC_NUMBER -b
>
> where "-b" means "has CAP_SYS_BOOT".  And then
>
>         setcap cap_sys_boot-ep path/to/nx_huge_pages_test
>         path/to/nx_huge_pages_test MAGIC_NUMBER
>
> Hmm, and I guess if the script is run as root, just skip the second invocation.

Wouldn't it be easier to just run the test binary twice and just have
the second time run without root permissions? I don't know if there's
an easy way to do that.

>
> > +                     return;
> > +             }
> > +
> > +             TEST_ASSERT(r && errno == EINVAL,
> > +                         "Reboot syscall should fail with -EINVAL");
> > +
> > +             r = vm_disable_nx_huge_pages(vm);
> > +             TEST_ASSERT(!r, "Disabling NX huge pages should succeed if process has reboot permissions");
> > +     }
> > +
> > +     vm_vcpu_add_default(vm, 0, guest_code);
> >
> >       vm_userspace_mem_region_add(vm, VM_MEM_SRC_ANONYMOUS_HUGETLB,
> >                                   HPAGE_GPA, HPAGE_SLOT,
> > @@ -121,21 +155,21 @@ int main(int argc, char **argv)
> >        * to be remapped at 4k.
> >        */
> >       vcpu_run(vm, 0);
> > -     check_2m_page_count(vm, 1);
> > -     check_split_count(vm, 1);
> > +     check_2m_page_count(vm, disable_nx ? 2 : 1);
> > +     check_split_count(vm, disable_nx ? 0 : 1);
>
> Can you update the comments to explain why these magic number of pages are
> expected for NX enabled/disabled?  As Jim has pointed out, just because KVM and
> selftests might agree that 1==2, doesn't mean that their math is correct :-)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ