[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3903bbaade7ba9577da88d053b67b8bfdf0d3582.camel@intel.com>
Date: Tue, 31 Oct 2023 17:29:25 +0000
From: "Edgecombe, Rick P" <rick.p.edgecombe@...el.com>
To: "petr@...arici.cz" <petr@...arici.cz>
CC: "Lutomirski, Andy" <luto@...nel.org>,
"iommu@...ts.linux.dev" <iommu@...ts.linux.dev>,
"dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>,
"thomas.lendacky@....com" <thomas.lendacky@....com>,
"robin.murphy@....com" <robin.murphy@....com>,
"Reshetova, Elena" <elena.reshetova@...el.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"mingo@...hat.com" <mingo@...hat.com>,
"Christopherson,, Sean" <seanjc@...gle.com>,
"kirill.shutemov@...ux.intel.com" <kirill.shutemov@...ux.intel.com>,
"tglx@...utronix.de" <tglx@...utronix.de>,
"Yamahata, Isaku" <isaku.yamahata@...el.com>,
"Cui, Dexuan" <decui@...rosoft.com>,
"mikelley@...rosoft.com" <mikelley@...rosoft.com>,
"m.szyprowski@...sung.com" <m.szyprowski@...sung.com>,
"hch@....de" <hch@....de>,
"linux-mm@...ck.org" <linux-mm@...ck.org>,
"hpa@...or.com" <hpa@...or.com>,
"peterz@...radead.org" <peterz@...radead.org>,
"bp@...en8.de" <bp@...en8.de>,
"linux-s390@...r.kernel.org" <linux-s390@...r.kernel.org>,
"sathyanarayanan.kuppuswamy@...ux.intel.com"
<sathyanarayanan.kuppuswamy@...ux.intel.com>,
"x86@...nel.org" <x86@...nel.org>
Subject: Re: [PATCH 04/10] swiotlb: Use free_decrypted_pages()
On Tue, 2023-10-31 at 18:13 +0100, Petr Tesařík wrote:
> Thank you for the explanation. So, after set_memory_decrypted()
> fails,
> the pages become Schroedinger-crypted, but since its true state
> cannot
> be observed by the guest kernel, it stays as such forever.
>
> Sweet.
>
Yes... The untrusted host (the part of the VMM TDX is defending
against) gets to specify the return code of these operations (success
or failure). But the coco(a general term for TDX and similar from other
vendors) threat model doesn't include DOS. So the guest should trust
the return code as far as trying to not crash, but not trust it in
regards to the potential to leak data.
It's a bit to ask of the callers, but the other solution we discussed
was to panic the guest if any weirdness is observed by the VMM, in
which case the callers would never see the error. And of course
panicing the kernel is Bad. So that is how we arrived at this request
of the callers. Appreciate the effort to handle it on that side.
> Hm, should I incorporate this knowledge into a v2 of my patch and
> address both issues?
That sounds good to me! Feel free to CC me if you would like, and I can
scrutinize it for this particular issue.
Powered by blists - more mailing lists