| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 22 Nov 2022 00:30:30 +0000
From: "Huang, Kai" <kai.huang@...el.com>
To: "kvm@...r.kernel.org" <kvm@...r.kernel.org>,
"Hansen, Dave" <dave.hansen@...el.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC: "Luck, Tony" <tony.luck@...el.com>,
"bagasdotme@...il.com" <bagasdotme@...il.com>,
"ak@...ux.intel.com" <ak@...ux.intel.com>,
"Wysocki, Rafael J" <rafael.j.wysocki@...el.com>,
"kirill.shutemov@...ux.intel.com" <kirill.shutemov@...ux.intel.com>,
"Christopherson,, Sean" <seanjc@...gle.com>,
"Chatre, Reinette" <reinette.chatre@...el.com>,
"pbonzini@...hat.com" <pbonzini@...hat.com>,
"linux-mm@...ck.org" <linux-mm@...ck.org>,
"Yamahata, Isaku" <isaku.yamahata@...el.com>,
"peterz@...radead.org" <peterz@...radead.org>,
"Shahar, Sagi" <sagis@...gle.com>,
"imammedo@...hat.com" <imammedo@...hat.com>,
"Gao, Chao" <chao.gao@...el.com>,
"Brown, Len" <len.brown@...el.com>,
"sathyanarayanan.kuppuswamy@...ux.intel.com"
<sathyanarayanan.kuppuswamy@...ux.intel.com>,
"Huang, Ying" <ying.huang@...el.com>,
"Williams, Dan J" <dan.j.williams@...el.com>
Subject: Re: [PATCH v7 03/20] x86/virt/tdx: Disable TDX if X2APIC is not
enabled
On Mon, 2022-11-21 at 15:46 -0800, Dave Hansen wrote:
> On 11/20/22 16:26, Kai Huang wrote:
> > The MMIO/xAPIC interface has some problems, most notably the APIC LEAK
> > [1]. This bug allows an attacker to use the APIC MMIO interface to
> > extract data from the SGX enclave.
> >
> > TDX is not immune from this either. Early check X2APIC and disable TDX
> > if X2APIC is not enabled, and make INTEL_TDX_HOST depend on X86_X2APIC.
>
> This makes no sense.
>
> This is TDX host code. TDX hosts are untrusted. Zero of the TDX
> security guarantees are provided by the host.
>
> What is the benefit of disabling TDX from the host if x2APIC is not
> enabled? It can't be for security reasons since the host does not help
> provide TDX security guarantees. It also can't be for SGX because SGX
> doesn't depend on the OS doing anything in order to be secure.
Agreed. Although in practice I think if we do some hardening in the kernel, it
would raise some attack bar.
>
> So, this boils down to the most fundamental of questions you need to
> answer about every patch:
>
> What does this code do?
>
> What end-user-visible effect is there if this code is not present?
Considering TDX host cannot be trusted (i.e. can be attacked/modified), I agree
the check isn't needed.
I was following your suggestion in the patch which handles "x2apic locked" case:
https://lore.kernel.org/lkml/ba80b303-31bf-d44a-b05d-5c0f83038798@intel.com/
I guess I misunderstood your point.
Reading that discussion again, if I understand correctly, you just want to make
INTEL_TDX_HOST depend on X86_X2APIC?
How about still having a patch to make INTEL_TDX_HOST depend on X86_X2APIC but
with something below in the changelog?
"
TDX capable platforms are locked to X2APIC mode and cannot fall back to the
legacy xAPIC mode when TDX is enabled by the BIOS. It doesn't make sense to
turn on INTEL_TDX_HOST while X86_X2APIC is not enabled. Make INTEL_TDX_HOST
depend on X86_X2APIC.
"
Powered by blists - more mailing lists