lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f3381541-822b-4e94-93f7-699afc6aa6a3@intel.com>
Date: Thu, 11 Apr 2024 19:39:11 +0300
From: Adrian Hunter <adrian.hunter@...el.com>
To: isaku.yamahata@...el.com, kvm@...r.kernel.org,
 linux-kernel@...r.kernel.org, "Edgecombe, Rick P"
 <rick.p.edgecombe@...el.com>
Cc: isaku.yamahata@...il.com, Paolo Bonzini <pbonzini@...hat.com>,
 erdemaktas@...gle.com, Sean Christopherson <seanjc@...gle.com>,
 Sagi Shahar <sagis@...gle.com>, Kai Huang <kai.huang@...el.com>,
 chen.bo@...el.com, hang.yuan@...el.com, tina.zhang@...el.com
Subject: Re: [PATCH v19 076/130] KVM: TDX: Finalize VM initialization

On 26/02/24 10:26, isaku.yamahata@...el.com wrote:
> From: Isaku Yamahata <isaku.yamahata@...el.com>
> 
> To protect the initial contents of the guest TD, the TDX module measures
> the guest TD during the build process as SHA-384 measurement.  The
> measurement of the guest TD contents needs to be completed to make the
> guest TD ready to run.
> 
> Add a new subcommand, KVM_TDX_FINALIZE_VM, for VM-scoped
> KVM_MEMORY_ENCRYPT_OP to finalize the measurement and mark the TDX VM ready
> to run.

Perhaps a spruced up commit message would be:

<BEGIN>
Add a new VM-scoped KVM_MEMORY_ENCRYPT_OP IOCTL subcommand,
KVM_TDX_FINALIZE_VM, to perform TD Measurement Finalization.

Documentation for the API is added in another patch:
"Documentation/virt/kvm: Document on Trust Domain Extensions(TDX)"

For the purpose of attestation, a measurement must be made of the TDX VM
initial state. This is referred to as TD Measurement Finalization, and
uses SEAMCALL TDH.MR.FINALIZE, after which:
1. The VMM adding TD private pages with arbitrary content is no longer
   allowed
2. The TDX VM is runnable
<END>

History:

This code is essentially unchanged from V1, as below.
Except for V5, the code has never had any comments.
Paolo's comment from then still appears unaddressed.

V19:		Unchanged
V18:		Undoes change of V17
V17:		Also change tools/arch/x86/include/uapi/asm/kvm.h
V16:		Unchanged
V15:		Undoes change of V10
V11-V14:	Unchanged
V10:		Adds a hack (related to TDH_MEM_TRACK)
		that was later removed in V15
V6-V9:		Unchanged
V5		Broke out the code into a separate patch and
		received its only comments, which were from Paolo:

	"Reviewed-by: Paolo Bonzini <pbonzini@...hat.com>
	Note however that errors should be passed back in the struct."
		
	This presumably refers to struct kvm_tdx_cmd which has an "error"
	member, but that is not updated by tdx_td_finalizemr()

V4 was a cut-down series and the code was not present
V3 introduced WARN_ON_ONCE for the error condition
V2 accommodated renaming the seamcall function and ID

Outstanding:

1. Address Paolo's comment about the error code
2. Is WARN_ON sensible?

Final note:

It might be possible to make TD Measurement Finalization
transparent to the user space VMM and forego another API, but it seems
doubtful that would really make anything much simpler.

> 
> Signed-off-by: Isaku Yamahata <isaku.yamahata@...el.com>
> 
> ---
> v18:
> - Remove the change of tools/arch/x86/include/uapi/asm/kvm.h.
> 
> v14 -> v15:
> - removed unconditional tdx_track() by tdx_flush_tlb_current() that
>   does tdx_track().
> 
> Signed-off-by: Isaku Yamahata <isaku.yamahata@...el.com>
> ---
>  arch/x86/include/uapi/asm/kvm.h |  1 +
>  arch/x86/kvm/vmx/tdx.c          | 21 +++++++++++++++++++++
>  2 files changed, 22 insertions(+)
> 
> diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kvm.h
> index 34167404020c..c160f60189d1 100644
> --- a/arch/x86/include/uapi/asm/kvm.h
> +++ b/arch/x86/include/uapi/asm/kvm.h
> @@ -573,6 +573,7 @@ enum kvm_tdx_cmd_id {
>  	KVM_TDX_INIT_VM,
>  	KVM_TDX_INIT_VCPU,
>  	KVM_TDX_EXTEND_MEMORY,
> +	KVM_TDX_FINALIZE_VM,
>  
>  	KVM_TDX_CMD_NR_MAX,
>  };
> diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c
> index 3cfba63a7762..6aff3f7e2488 100644
> --- a/arch/x86/kvm/vmx/tdx.c
> +++ b/arch/x86/kvm/vmx/tdx.c
> @@ -1400,6 +1400,24 @@ static int tdx_extend_memory(struct kvm *kvm, struct kvm_tdx_cmd *cmd)
>  	return ret;
>  }
>  
> +static int tdx_td_finalizemr(struct kvm *kvm)
> +{
> +	struct kvm_tdx *kvm_tdx = to_kvm_tdx(kvm);
> +	u64 err;
> +
> +	if (!is_hkid_assigned(kvm_tdx) || is_td_finalized(kvm_tdx))
> +		return -EINVAL;
> +
> +	err = tdh_mr_finalize(kvm_tdx->tdr_pa);
> +	if (WARN_ON_ONCE(err)) {

Is a failed SEAMCALL really something to WARN over?

> +		pr_tdx_error(TDH_MR_FINALIZE, err, NULL);

As per Paolo, error code is not returned in struct kvm_tdx_cmd

> +		return -EIO;
> +	}
> +
> +	kvm_tdx->finalized = true;
> +	return 0;
> +}
> +
>  int tdx_vm_ioctl(struct kvm *kvm, void __user *argp)
>  {
>  	struct kvm_tdx_cmd tdx_cmd;
> @@ -1422,6 +1440,9 @@ int tdx_vm_ioctl(struct kvm *kvm, void __user *argp)
>  	case KVM_TDX_EXTEND_MEMORY:
>  		r = tdx_extend_memory(kvm, &tdx_cmd);
>  		break;
> +	case KVM_TDX_FINALIZE_VM:
> +		r = tdx_td_finalizemr(kvm);
> +		break;
>  	default:
>  		r = -EINVAL;
>  		goto out;


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ