Message-ID: <20230112030855.GA2034518@ls.amr.corp.intel.com>
Date:   Wed, 11 Jan 2023 19:08:55 -0800
From:   Isaku Yamahata <isaku.yamahata@...il.com>
To:     Erdem Aktas <erdemaktas@...gle.com>
Cc:     isaku.yamahata@...el.com, kvm@...r.kernel.org,
        linux-kernel@...r.kernel.org, isaku.yamahata@...il.com,
        Paolo Bonzini <pbonzini@...hat.com>,
        Sean Christopherson <seanjc@...gle.com>,
        Sagi Shahar <sagis@...gle.com>,
        David Matlack <dmatlack@...gle.com>
Subject: Re: [PATCH v10 005/108] KVM: TDX: Initialize the TDX module when
 loading the KVM intel kernel module

On Wed, Jan 11, 2023 at 02:02:58PM -0800,
Erdem Aktas <erdemaktas@...gle.com> wrote:

> On Sat, Oct 29, 2022 at 11:24 PM <isaku.yamahata@...el.com> wrote:
> >
> > From: Isaku Yamahata <isaku.yamahata@...el.com>
> 
> > +int __init tdx_hardware_setup(struct kvm_x86_ops *x86_ops)
> > +{
> > +       int r;
> > +
> > +       if (!enable_ept) {
> > +               pr_warn("Cannot enable TDX with EPT disabled\n");
> > +               return -EINVAL;
> > +       }
> > +
> > +       /* MOVDIR64B instruction is needed. */
> > +       if (!static_cpu_has(X86_FEATURE_MOVDIR64B)) {
> > +               pr_warn("Cannot enable TDX with MOVDIR64B supported ");
> > +               return -ENODEV;
> > +       }
> > +
> > +       /* TDX requires VMX. */
> > +       r = vmxon_all();
> > +       if (!r)
> > +               r = tdx_module_setup();
> > +       vmxoff_all();
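Review bot: the MOVDIR64B warning text is inverted and lacks a trailing newline: the branch fires when `static_cpu_has(X86_FEATURE_MOVDIR64B)` is false, so `pr_warn("Cannot enable TDX with MOVDIR64B supported ");` should read along the lines of `pr_warn("Cannot enable TDX without MOVDIR64B support\n");`. Two smaller points on the same hunk: the EPT check returns -EINVAL while the MOVDIR64B check returns -ENODEV, and a one-line comment on why the two failures differ would help; and `vmxoff_all();` runs regardless of what `vmxon_all()` returned, so if that call fails partway through the CPUs it is not visible from this hunk what state it leaves them in, and either a comment stating the contract or an early `return r;` on failure would make the intent explicit.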
> 
> if a few CPUs have VMX enabled, this will disable VMX in all of them.
> Depending on what enabled VMX on those CPUs, would this not cause
> kernel crashes/problems?

Are you seeing any issues? or is this a question in theory?

In theory, you're right.  In practice, unless we have other kernel components
that use VMX, we don't have to worry.  In fact, only KVM in the kernel tree
uses VMX.

The flow is as follows:
- VMX is off on all CPUs on start up.
  NOTE: VMX is disabled on kexec or reboot.
- On loading kvm_intel.ko (or kernel boot if builtin), this function is called.
  vmxon/off_all()
- VMX is enabled on all online CPUs when creating the first guest.
- VMX is disabled on all online CPUs when destroying the last guest.
- VMX is disabled on offlining CPU

Thanks,
-- 
Isaku Yamahata <isaku.yamahata@...il.com>
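
A small user-space model of the concern raised in this exchange, added here as an example; it is not code from the patch series or from the kernel. It models per-CPU VMX state with plain booleans and contrasts the pattern in the quoted hunk (turn VMX on everywhere, then turn it off everywhere unconditionally) with a variant that records which CPUs it enabled and only turns those off again. All names (model_vmxon, naive_vmxon_all, tracked_vmxon_all, run_naive, run_tracked) are hypothetical, the four-CPU layout with VMX already on for CPU 2 is a constructed scenario, and treating a second VMXON on a CPU as a failure is an assumption of the model standing in for the real instruction's behaviour.

```c
/* Constructed model of VMXON/VMXOFF bookkeeping. Added example, not kernel
 * code; all names are hypothetical. Builds with: cc -std=c11 -Wall model.c */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MODEL_NR_CPUS 4

/* Per-CPU "VMX is on" state, standing in for CR4.VMXE + VMXON. */
static bool vmx_on[MODEL_NR_CPUS];
/* Per-CPU record of whether *we* turned VMX on (tracked variant only). */
static bool enabled_by_us[MODEL_NR_CPUS];

/* Assumption of the model: a second VMXON on a CPU already in VMX fails. */
static int model_vmxon(int cpu)
{
    if (vmx_on[cpu])
        return -1;
    vmx_on[cpu] = true;
    return 0;
}

static void model_vmxoff(int cpu)
{
    vmx_on[cpu] = false;
}

/* Pattern from the quoted hunk: enable on every CPU, later disable on
 * every CPU regardless of who had VMX on before we started. */
static int naive_vmxon_all(void)
{
    int r = 0;
    for (int cpu = 0; cpu < MODEL_NR_CPUS; cpu++)
        if (model_vmxon(cpu))
            r = -1;          /* remember the failure, keep going */
    return r;
}

static void naive_vmxoff_all(void)
{
    for (int cpu = 0; cpu < MODEL_NR_CPUS; cpu++)
        model_vmxoff(cpu);   /* clobbers CPUs someone else enabled */
}

/* Tracking variant: leave CPUs that were already in VMX alone, and on
 * teardown only undo what this caller did. */
static int tracked_vmxon_all(void)
{
    int r = 0;
    for (int cpu = 0; cpu < MODEL_NR_CPUS; cpu++) {
        enabled_by_us[cpu] = false;
        if (vmx_on[cpu])
            continue;        /* another user owns VMX here */
        if (model_vmxon(cpu) == 0)
            enabled_by_us[cpu] = true;
        else
            r = -1;
    }
    return r;
}

static void tracked_vmxoff_all(void)
{
    for (int cpu = 0; cpu < MODEL_NR_CPUS; cpu++)
        if (enabled_by_us[cpu]) {
            model_vmxoff(cpu);
            enabled_by_us[cpu] = false;
        }
}

static int count_vmx_on(void)
{
    int n = 0;
    for (int cpu = 0; cpu < MODEL_NR_CPUS; cpu++)
        n += vmx_on[cpu];
    return n;
}

/* Constructed scenario: CPU 2 already has VMX on from some other user. */
static void reset_with_cpu2_on(void)
{
    memset(vmx_on, 0, sizeof vmx_on);
    memset(enabled_by_us, 0, sizeof enabled_by_us);
    vmx_on[2] = true;
}

/* Returns how many CPUs are still in VMX after the setup/teardown pair. */
int run_naive(void)
{
    reset_with_cpu2_on();
    naive_vmxon_all();       /* fails on CPU 2 */
    naive_vmxoff_all();      /* turns CPU 2 off as well */
    return count_vmx_on();   /* 0: the pre-existing user lost VMX */
}

int run_tracked(void)
{
    reset_with_cpu2_on();
    tracked_vmxon_all();
    tracked_vmxoff_all();
    return count_vmx_on();   /* 1: CPU 2 is left as it was */
}

int main(void)
{
    printf("naive:   %d CPU(s) still in VMX\n", run_naive());
    printf("tracked: %d CPU(s) still in VMX\n", run_tracked());
    return 0;
}
```

The model only illustrates the bookkeeping question, not the real fault behaviour of VMXON/VMXOFF; as the reply above notes, the concern is theoretical as long as KVM is the only in-tree user of VMX, which is exactly the assumption the naive pattern relies on.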
