lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20221215185144.tjctmkwp5vodep3u@box>
Date:   Thu, 15 Dec 2022 21:51:44 +0300
From:   "Kirill A. Shutemov" <kirill@...temov.name>
To:     Dave Hansen <dave.hansen@...el.com>
Cc:     "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
        Borislav Petkov <bp@...en8.de>,
        Andy Lutomirski <luto@...nel.org>,
        Kuppuswamy Sathyanarayanan 
        <sathyanarayanan.kuppuswamy@...ux.intel.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Elena Reshetova <elena.reshetova@...el.com>, x86@...nel.org,
        linux-coco@...ts.linux.dev, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/4] x86/tdx: Use ReportFatalError to report missing
 SEPT_VE_DISABLE

On Thu, Dec 15, 2022 at 10:18:24AM -0800, Dave Hansen wrote:
> On 12/15/22 09:12, Kirill A. Shutemov wrote:
> >> Getting *all* users of panic this magic ability would be a lot better
> >> than giving it to one call-site of panic().
> >>
> >> I'm all for making the panic() path as short and simple as possible, but
> >> it would be nice if this fancy hypercall would get used in more than one
> >> spot.
> > Well, I don't see an obvious way to integrate this into panic().
> > 
> > There is panic_notifier_list and it kinda/sorta works, see the patch
> > below.
> > 
> > But it breaks panic_notifier_list contract: the callback will never return
> > and no other callback will be able to do their stuff. panic_timeout is
> > also broken.
> > 
> > So ReportFatalError() is no good for the task. And I don't have anything
> > else :/
> 
> Do we *really* have to do a hard stop when SEPT_VE_DISABLE is missing?
> 
> Wouldn't it be simpler to just defer the check until we can spit out a
> sane error message about it?
> 
> Or is there too much security exposure by continuing?

Well, I guess we can. We always have attestation as a backstop. No
sensitive user data has to be exposed to the TD before it passed
the attestation.

Do you prefer to have a separate initcall just to check SEPT_VE_DISABLE?

-- 
  Kiryl Shutsemau / Kirill A. Shutemov

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ