| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <03d27b6a-be96-44d7-b4ea-aa00ccab4cc5@suse.com> Date: Fri, 17 May 2024 16:44:45 +0200 From: Juergen Gross <jgross@...e.com> To: "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com> Cc: linux-kernel@...r.kernel.org, x86@...nel.org, linux-coco@...ts.linux.dev, Dave Hansen <dave.hansen@...ux.intel.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, "H. Peter Anvin" <hpa@...or.com> Subject: Re: [PATCH] x86/kvm/tdx: Save %rbp in TDX_MODULE_CALL On 17.05.24 16:39, Kirill A. Shutemov wrote: > On Fri, May 17, 2024 at 04:08:03PM +0200, Juergen Gross wrote: >> On 17.05.24 15:55, Kirill A. Shutemov wrote: >>> On Fri, May 17, 2024 at 02:14:50PM +0200, Juergen Gross wrote: >>>> While testing TDX host support patches, a crash of the host has been >>>> observed a few instructions after doing a seamcall. Reason was a >>>> clobbered %rbp (set to 0), which occurred in spite of the TDX module >>>> offering the feature NOT to modify %rbp across TDX module calls. >>>> >>>> In order not having to build the host kernel with CONFIG_FRAME_POINTER, >>>> save %rbp across a seamcall/tdcall. >>> >>> There's a feature in TDX module 1.5 that prevents RBP modification across >>> TDH.VP.ENTER SEAMCALL. See NO_RBP_MOD in TDX Module 1.5 ABI spec. >>> >>> I think it has to be enabled for all TDs and TDX modules that don't >>> support it need to be rejected. >>> >> >> Yes, I know. I'm using the patch series: >> >> [PATCH v19 000/130] KVM TDX basic feature support >> >> which I think does exactly that (see setup_tdparams() and tdx_module_setup()). > > Looks like the check is broken: > > https://lore.kernel.org/all/46mh5hinsv5mup2x7jv4iu2floxmajo2igrxb3haru3cgjukbg@v44nspjozm4h/ > >> Nevertheless the clobbering happened, and saving/restoring %rbp made the >> issue to go away. I suspect there is a path left still clobbering %rbp. > > What is your TDX module version? My guess is that NOM_RBP_MOD is not > supported by it and given that the check is broken nobody enforces it. Just another data point: Before using this machine I was testing on another one with older firmware. That one really didn't support NOM_RBP_MOD and I needed to build the kernel with CONFIG_FRAME_POINTER enabled to get past the check you are mentioning above. Juergen Download attachment "OpenPGP_0xB0DE9DD628BF132F.asc" of type "application/pgp-keys" (3684 bytes) Download attachment "OpenPGP_signature.asc" of type "application/pgp-signature" (496 bytes)
Powered by blists - more mailing lists