| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20231121094219.x5ez6ohzc773viul@box.shutemov.name>
Date: Tue, 21 Nov 2023 12:42:19 +0300
From: "kirill.shutemov@...ux.intel.com" <kirill.shutemov@...ux.intel.com>
To: "Huang, Kai" <kai.huang@...el.com>
Cc: "tglx@...utronix.de" <tglx@...utronix.de>,
"mingo@...hat.com" <mingo@...hat.com>,
"x86@...nel.org" <x86@...nel.org>, "bp@...en8.de" <bp@...en8.de>,
"dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>,
"Edgecombe, Rick P" <rick.p.edgecombe@...el.com>,
"Reshetova, Elena" <elena.reshetova@...el.com>,
"Nakajima, Jun" <jun.nakajima@...el.com>,
"rafael@...nel.org" <rafael@...nel.org>,
"peterz@...radead.org" <peterz@...radead.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"sathyanarayanan.kuppuswamy@...ux.intel.com"
<sathyanarayanan.kuppuswamy@...ux.intel.com>,
"Hunter, Adrian" <adrian.hunter@...el.com>,
"thomas.lendacky@....com" <thomas.lendacky@....com>,
"ashish.kalra@....com" <ashish.kalra@....com>,
"kexec@...ts.infradead.org" <kexec@...ts.infradead.org>,
"seanjc@...gle.com" <seanjc@...gle.com>,
"bhe@...hat.com" <bhe@...hat.com>,
"linux-coco@...ts.linux.dev" <linux-coco@...ts.linux.dev>
Subject: Re: [PATCHv3 09/14] x86/tdx: Account shared memory
On Tue, Nov 21, 2023 at 02:47:29AM +0000, Huang, Kai wrote:
>
> > +static atomic_long_t nr_shared;
> > +
> > +static inline bool pte_decrypted(pte_t pte)
> > +{
> > + return cc_mkdec(pte_val(pte)) == pte_val(pte);
> > +}
> > +
> > /* Called from __tdx_hypercall() for unrecoverable failure */
> > noinstr void __noreturn __tdx_hypercall_failed(void)
> > {
> > @@ -820,6 +828,11 @@ static int tdx_enc_status_change_finish(unsigned long vaddr, int numpages,
> > if (!enc && !tdx_enc_status_changed(vaddr, numpages, enc))
> > return -EIO;
> >
> > + if (enc)
> > + atomic_long_sub(numpages, &nr_shared);
> > + else
> > + atomic_long_add(numpages, &nr_shared);
> > +
> > return 0;
> > }
> >
> > @@ -895,3 +908,59 @@ void __init tdx_early_init(void)
> >
> > pr_info("Guest detected\n");
> > }
> > +
> > +#ifdef CONFIG_DEBUG_FS
> > +static int tdx_shared_memory_show(struct seq_file *m, void *p)
> > +{
> > + unsigned long addr, end;
> > + unsigned long found = 0;
> > +
> > + addr = PAGE_OFFSET;
> > + end = PAGE_OFFSET + get_max_mapped();
> > +
> > + while (addr < end) {
> > + unsigned long size;
> > + unsigned int level;
> > + pte_t *pte;
> > +
> > + pte = lookup_address(addr, &level);
> > + size = page_level_size(level);
> > +
> > + if (pte && pte_decrypted(*pte))
> > + found += size / PAGE_SIZE;
> > +
> > + addr += size;
> > +
> > + cond_resched();
> > + }
> > +
> > + seq_printf(m, "Number of unshared pages in kernel page tables: %16lu\n",
> > + found);
> > + seq_printf(m, "Number of pages accounted as unshared: %16ld\n",
> > + atomic_long_read(&nr_shared));
>
> unshared -> shared?
Right.
> Btw, I am not quite sure what's the purpose of reporting number of shared pages
> in both kernel page table and that the kernel is accounting?
>
> IIUC, there might be slight chance that the former is different from the latter
> (i.e., when user reads this while the kernel is converting pages
> simultaneously), but in most of the time the user should see they are the same.
>
> I can see it might be helpful to report @nr_shared to the user, but how can
> reporting both help the user?
It is critical to unshared *all* pages on kexec or the second kernel will
crash at some point on accessing shared page as private.
This is the sanity check: if number of shared pages in page tables is less
than what we expected, we've lost shared bit somewhere. And kexec will
likely be a disaster.
Ability to trigger the check a any point can help to correlate the leak
with activity.
> That being said, I think perhaps you can separate the /sysfs part as a separate
> patch because it's not a mandatory part of this series but a nice to have. Then
> the /sysfs part can be reviewed separately.
Okay, makes sense.
--
Kiryl Shutsemau / Kirill A. Shutemov
Powered by blists - more mailing lists