| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3affa4a0-c930-45d3-927c-c81b38920c53@redhat.com> Date: Wed, 10 Jul 2024 23:56:03 +0200 From: David Hildenbrand <david@...hat.com> To: Sean Christopherson <seanjc@...gle.com> Cc: Patrick Roy <roypat@...zon.co.uk>, Fuad Tabba <tabba@...gle.com>, pbonzini@...hat.com, akpm@...ux-foundation.org, dwmw@...zon.co.uk, rppt@...nel.org, tglx@...utronix.de, mingo@...hat.com, bp@...en8.de, dave.hansen@...ux.intel.com, x86@...nel.org, hpa@...or.com, willy@...radead.org, graf@...zon.com, derekmn@...zon.com, kalyazin@...zon.com, kvm@...r.kernel.org, linux-kernel@...r.kernel.org, linux-mm@...ck.org, dmatlack@...gle.com, chao.p.peng@...ux.intel.com, xmarcalx@...zon.co.uk, James Gowans <jgowans@...zon.com> Subject: Re: [RFC PATCH 8/8] kvm: gmem: Allow restricted userspace mappings On 10.07.24 23:53, Sean Christopherson wrote: > On Wed, Jul 10, 2024, David Hildenbrand wrote: >> On 10.07.24 11:51, Patrick Roy wrote: >>> On 7/9/24 22:13, David Hildenbrand wrote: >>>> Note that just from staring at this commit, I don't understand the >>>> motivation *why* we would want to do that. >>> >>> Fair - I admittedly didn't get into that as much as I probably should >>> have. In our usecase, we do not have anything that pKVM would (I think) >>> call "guest-private" memory. I think our memory can be better described >>> as guest-owned, but always shared with the VMM (e.g. userspace), but >>> ideally never shared with the host kernel. This model lets us do a lot >>> of simplifying assumptions: Things like I/O can be handled in userspace >>> without the guest explicitly sharing I/O buffers (which is not exactly >>> what we would want long-term anyway, as sharing in the guest_memfd >>> context means sharing with the host kernel), we can easily do VM >>> snapshotting without needing things like TDX's TDH.EXPORT.MEM APIs, etc. >> >> Okay, so essentially you would want to use guest_memfd to only contain shard >> memory and disallow any pinning like for secretmem. >> >> If so, I wonder if it wouldn't be better to simply add KVM support to >> consume *real* secretmem memory? IIRC so far there was only demand to >> probably remove the directmap of private memory in guest_memfd, not of >> shared memory. > > It's also desirable to remove shared memory from the directmap, e.g. to prevent > using the directmap in a cross-VM attack. > > I don't think we want to allow KVM to consume secretmem. That would require > letting KVM gup() secretmem, which AIUI defeats the entire purpose of secretmem, > and I don't think KVM should be special. I would mean consuming secretmem via the fd, *not* via page tables / gup. But if we also want to have the option of directmap modifications for shared memory in guest_memfd, we could make that indeed a guest_memfd feature. -- Cheers, David / dhildenb
Powered by blists - more mailing lists