Message-ID: <bd4d7463-a960-3c49-9c56-a8bd5c1ea7f0@maciej.szmigiero.name>
Date:   Thu, 29 Sep 2022 17:49:52 +0200
From:   "Maciej S. Szmigiero" <mail@...iej.szmigiero.name>
To:     Paolo Bonzini <pbonzini@...hat.com>,
        Sean Christopherson <seanjc@...gle.com>
Cc:     linux-kernel@...r.kernel.org, kvm@...r.kernel.org
Subject: Re: [PATCH] KVM: allow compiling out SMM support

On 27.09.2022 17:22, Paolo Bonzini wrote:
> Some users of KVM implement the UEFI variable store through a paravirtual device
> that does not require the "SMM lockbox" component of edk2; allow them to
> compile out system management mode, which is not a full implementation
> especially in how it interacts with nested virtualization.
> 
> Suggested-by: Sean Christopherson <seanjc@...gle.com>
> Signed-off-by: Paolo Bonzini <pbonzini@...hat.com>
> ---
> 	The patch isn't pretty.  I could skip all the changes to add WARNs
> 	to called functions, but the point of adding the config symbol is
> 	to make sure that those functions, and all the baggage they bring,
> 	are dead.
> 

Out of curiosity: why is the SMM support so special that it's worth
adding a dedicated Kconfig entry for it?

After all, the current typical way to disable stuff (for testing, etc)
in KVM is to provide this possibility via a kvm module parameter.
This way it also can be switched on or off without having to rebuild the
kernel.

Looking at the patch, it doesn't seem to disable that much code (like,
significantly slim down the binary), and where it does disable something
it mostly relies on compiler dead code removal rather than explicit
#ifdefs (which would guarantee that the disabled code did not end up in
the binary).

Thanks,
Maciej


