lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 15 Jun 2023 10:23:01 -0500
From:   John Allen <john.allen@....com>
To:     Borislav Petkov <bp@...en8.de>
Cc:     kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
        pbonzini@...hat.com, weijiang.yang@...el.com,
        rick.p.edgecombe@...el.com, seanjc@...gle.com, x86@...nel.org,
        thomas.lendacky@....com
Subject: Re: [RFC PATCH v2] x86/sev-es: Include XSS value in GHCB CPUID
 request

On Thu, Jun 15, 2023 at 01:52:55PM +0200, Borislav Petkov wrote:
> On Wed, May 24, 2023 at 03:56:19PM +0000, John Allen wrote:
> > +	if (has_cpuflag(X86_FEATURE_SHSTK) && regs->ax == 0xd && regs->cx <= 1) {
> > +		unsigned long lo, hi;
> > +		u64 xss;
> > +
> > +		/*
> > +		 * Since vc_handle_cpuid may be used during early boot, the
> > +		 * rdmsr wrappers are incompatible and should not be used.
> > +		 * Invoke the instruction directly.
> > +		 */
> > +		asm volatile("rdmsr" : "=a" (lo), "=d" (hi)
> > +			     : "c" (MSR_IA32_XSS));
> > +		xss = (hi << 32) | lo;
> > +		ghcb_set_xss(ghcb, xss);
> 
> $ git grep ghcb_set_xss
> $
> 
> So this patch needs some tree which I'm not aware of.
> 
> Also, this passing through of host XSS to the guest looks like it is
> bypassing the vcpu->arch.ia32_xss copy which KVM seems to maintain. It
> looks to me like the handling needs to be synchronized with it or so.

Hi Boris,

Yeah, sorry, this is confusing. This patch is logically part of the SVM
shadow stack support series:
https://lore.kernel.org/all/20230524155339.415820-1-john.allen@amd.com/

Since this patch is for the guest kernel, it is meant for the tip tree
rather than the kvm tree so I sent it as a separate patch. However, as
you noted, this patch depends on patch 5/6 of that series to introduce
the ghcb_set_xss function. How would you advise that I handle this
entanglement in the next series?

Thanks,
John

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ