| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Y/VYN3n/lHePiDxM@google.com>
Date: Tue, 21 Feb 2023 15:48:07 -0800
From: Sean Christopherson <seanjc@...gle.com>
To: Yu Zhang <yu.c.zhang@...ux.intel.com>
Cc: Paolo Bonzini <pbonzini@...hat.com>,
Vitaly Kuznetsov <vkuznets@...hat.com>, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 08/12] KVM: nSVM: Use KVM-governed feature framework to
track "vVM{SAVE,LOAD} enabled"
On Tue, Feb 21, 2023, Yu Zhang wrote:
> > Sorry, why guest_cpuid_is_intel(vcpu)? Is it becasue that a AMD host with virtual
> > VMSAVE/VMLOAD capability will always expose this feature for all AMD guests?
>
> Oh, sorry. I missed the guest_cpuid_has() in kvm_governed_feature_check_and_set().
> So please just ignore my 2nd question.
>
> As to the check of guest_cpuid_is_intel(), is it necessary?
Yes? The comment in init_vmcb_after_set_cpuid() says:
/*
* We must intercept SYSENTER_EIP and SYSENTER_ESP
* accesses because the processor only stores 32 bits.
* For the same reason we cannot use virtual VMLOAD/VMSAVE.
*/
but I'm struggling to connect the dots to SYSENTER. I suspect the comment is
misleading and has nothing to do 32-bit vs. 64-bit (or I'm reading it wrong) and
should be something like:
/*
* Disable virtual VMLOAD/VMSAVE and intercept VMLOAD/VMSAVE if the
* guest CPU is Intel in order to inject #UD.
*/
In other words, a non-SVM guest shouldn't be allowed to execute VMLOAD/VMSAVE.
Powered by blists - more mailing lists