| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ZMphvF+0H9wHQr5B@google.com>
Date: Wed, 2 Aug 2023 07:01:32 -0700
From: Sean Christopherson <seanjc@...gle.com>
To: Wu Zongyo <wuzongyo@...l.ustc.edu.cn>
Cc: Tom Lendacky <thomas.lendacky@....com>,
linux-kernel@...r.kernel.org, kvm@...r.kernel.org, x86@...nel.org,
linux-coco@...ts.linux.dev
Subject: Re: [Question] int3 instruction generates a #UD in SEV VM
On Wed, Aug 02, 2023, Wu Zongyo wrote:
> On Mon, Jul 31, 2023 at 11:45:29PM +0800, wuzongyong wrote:
> >
> > On 2023/7/31 23:03, Tom Lendacky wrote:
> > > On 7/31/23 09:30, Sean Christopherson wrote:
> > >> On Sat, Jul 29, 2023, wuzongyong wrote:
> > >>> Hi,
> > >>> I am writing a firmware in Rust to support SEV based on project td-shim[1].
> > >>> But when I create a SEV VM (just SEV, no SEV-ES and no SEV-SNP) with the firmware,
> > >>> the linux kernel crashed because the int3 instruction in int3_selftest() cause a
> > >>> #UD.
> > >>
> > >> ...
> > >>
> > >>> BTW, if a create a normal VM without SEV by qemu & OVMF, the int3 instruction always generates a
> > >>> #BP.
> > >>> So I am confused now about the behaviour of int3 instruction, could anyone help to explain the behaviour?
> > >>> Any suggestion is appreciated!
> > >>
> > >> Have you tried my suggestions from the other thread[*]?
> > Firstly, I'm sorry for sending muliple mails with the same content. I thought the mails I sent previously
> > didn't be sent successfully.
> > And let's talk the problem here.
> > >>
> > >> : > > I'm curious how this happend. I cannot find any condition that would
> > >> : > > cause the int3 instruction generate a #UD according to the AMD's spec.
> > >> :
> > >> : One possibility is that the value from memory that gets executed diverges from the
> > >> : value that is read out be the #UD handler, e.g. due to patching (doesn't seem to
> > >> : be the case in this test), stale cache/tlb entries, etc.
> > >> :
> > >> : > > BTW, it worked nomarlly with qemu and ovmf.
> > >> : >
> > >> : > Does this happen every time you boot the guest with your firmware? What
> > >> : > processor are you running on?
> > >> :
> > Yes, every time.
> > The processor I used is EPYC 7T83.
> > >> : And have you ruled out KVM as the culprit? I.e. verified that KVM is NOT injecting
> > >> : a #UD. That obviously shouldn't happen, but it should be easy to check via KVM
> > >> : tracepoints.
> > >
> > > I have a feeling that KVM is injecting the #UD, but it will take instrumenting KVM to see which path the #UD is being injected from.
> > >
> > > Wu Zongyo, can you add some instrumentation to figure that out if the trace points towards KVM injecting the #UD?
> > Ok, I will try to do that.
> You're right. The #UD is injected by KVM.
>
> The path I found is:
> svm_vcpu_run
> svm_complete_interrupts
> kvm_requeue_exception // vector = 3
> kvm_make_request
>
> vcpu_enter_guest
> kvm_check_and_inject_events
> svm_inject_exception
> svm_update_soft_interrupt_rip
> __svm_skip_emulated_instruction
> x86_emulate_instruction
> svm_can_emulate_instruction
> kvm_queue_exception(vcpu, UD_VECTOR)
>
> Does this mean a #PF intercept occur when the guest try to deliver a
> #BP through the IDT? But why?
I doubt it's a #PF. A #NPF is much more likely, though it could be something
else entirely, but I'm pretty sure that would require bugs in both the host and
guest.
What is the last exit recorded by trace_kvm_exit() before the #UD is injected?
Powered by blists - more mailing lists