| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 29 Feb 2024 07:17:14 -0800 From: Sean Christopherson <seanjc@...gle.com> To: Kai Huang <kai.huang@...el.com> Cc: "pbonzini@...hat.com" <pbonzini@...hat.com>, "yu.c.zhang@...ux.intel.com" <yu.c.zhang@...ux.intel.com>, "chao.p.peng@...ux.intel.com" <chao.p.peng@...ux.intel.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "tabba@...gle.com" <tabba@...gle.com>, Yan Y Zhao <yan.y.zhao@...el.com>, "kvm@...r.kernel.org" <kvm@...r.kernel.org>, "michael.roth@....com" <michael.roth@....com>, Isaku Yamahata <isaku.yamahata@...el.com>, "dmatlack@...gle.com" <dmatlack@...gle.com> Subject: Re: [PATCH 05/16] KVM: x86/mmu: Use synthetic page fault error code to indicate private faults On Thu, Feb 29, 2024, Kai Huang wrote: > > > diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c > > index 408969ac1291..7807bdcd87e8 100644 > > --- a/arch/x86/kvm/mmu/mmu.c > > +++ b/arch/x86/kvm/mmu/mmu.c > > @@ -5839,19 +5839,31 @@ int noinline kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa, u64 err > > bool direct = vcpu->arch.mmu->root_role.direct; > > > > /* > > - * IMPLICIT_ACCESS is a KVM-defined flag used to correctly perform SMAP > > - * checks when emulating instructions that triggers implicit access. > > * WARN if hardware generates a fault with an error code that collides > > - * with the KVM-defined value. Clear the flag and continue on, i.e. > > - * don't terminate the VM, as KVM can't possibly be relying on a flag > > - * that KVM doesn't know about. > > + * with KVM-defined sythentic flags. Clear the flags and continue on, > > + * i.e. don't terminate the VM, as KVM can't possibly be relying on a > > + * flag that KVM doesn't know about. > > */ > > - if (WARN_ON_ONCE(error_code & PFERR_IMPLICIT_ACCESS)) > > - error_code &= ~PFERR_IMPLICIT_ACCESS; > > + if (WARN_ON_ONCE(error_code & PFERR_SYNTHETIC_MASK)) > > + error_code &= ~PFERR_SYNTHETIC_MASK; > > > > Hmm.. I thought for TDX the caller -- handle_ept_violation() -- should > explicitly set the PFERR_PRIVATE_ACCESS so that here the fault handler can > figure out the fault is private. > > Now it seems the caller should never pass PFERR_PRIVATE_ACCESS, then ... > > > if (WARN_ON_ONCE(!VALID_PAGE(vcpu->arch.mmu->root.hpa))) > > return RET_PF_RETRY; > > > > + /* > > + * Except for reserved faults (emulated MMIO is shared-only), set the > > + * private flag for software-protected VMs based on the gfn's current > > + * attributes, which are the source of truth for such VMs. Note, this > > + * wrong for nested MMUs as the GPA is an L2 GPA, but KVM doesn't > > + * currently supported nested virtualization (among many other things) > > + * for software-protected VMs. > > + */ > > + if (IS_ENABLED(CONFIG_KVM_SW_PROTECTED_VM) && > > + !(error_code & PFERR_RSVD_MASK) && > > + vcpu->kvm->arch.vm_type == KVM_X86_SW_PROTECTED_VM && > > + kvm_mem_is_private(vcpu->kvm, gpa_to_gfn(cr2_or_gpa))) > > + error_code |= PFERR_PRIVATE_ACCESS; > > + > > > > ... I am wondering how we figure out whether a fault is private for TDX? Read the next few patches :-) The sanity check gets moved to the legacy #PF handler (any error code with bits 63:32!=0 yells) and SVM's #NPF handler (error code with synthetic bits set yells), leaving VMX free and clear to stuff PFERR_PRIVATE_ACCESS as appropriate.
Powered by blists - more mailing lists