| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <c8fd114a-1b9d-402a-b883-bfa1952d91fd@redhat.com>
Date: Thu, 18 Jul 2024 16:21:42 +0800
From: Shaoqin Huang <shahuang@...hat.com>
To: Oliver Upton <oliver.upton@...ux.dev>
Cc: Marc Zyngier <maz@...nel.org>, kvmarm@...ts.linux.dev,
Mark Brown <broonie@...nel.org>, Eric Auger <eauger@...hat.com>,
Sebastian Ott <sebott@...hat.com>, Cornelia Huck <cohuck@...hat.com>,
James Morse <james.morse@....com>, Suzuki K Poulose
<suzuki.poulose@....com>, Zenghui Yu <yuzenghui@...wei.com>,
Catalin Marinas <catalin.marinas@....com>, Will Deacon <will@...nel.org>,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v4 2/3] KVM: arm64: Allow userspace to change
ID_AA64PFR1_EL1
Hi Oliver,
On 7/18/24 14:35, Oliver Upton wrote:
> On Wed, Jul 17, 2024 at 11:50:15PM -0400, Shaoqin Huang wrote:
>> Allow userspace to change the guest-visible value of the register with
>> different way of handling:
>>
>> - Since the RAS and MPAM is not writable in the ID_AA64PFR0_EL1
>> register, RAS_frac and MPAM_frac are also not writable in the
>> ID_AA64PFR1_EL1 register.
>>
>> - The MTE is controlled by an internal flag (KVM_ARCH_FLAG_MTE_ENABLED),
>> so it's not writable.
>
> The flag isn't the relevant part, what's important about MTE is that it
> already has a separate UAPI for controlling it (KVM_CAP_ARM_MTE).
I'm not quite understand why KVM_ARCH_FLAG_MTE_ENABLED isn't the
relevant part. I see this capability, when enable the KVM_CAP_ARM_MTE,
it set the KVM_ARCH_FLAG_MTE_ENABLED in the kvm->arch.flags.
And do you mean we should update it like "The MTE is controlled by a
UAPI (KVM_CAP_ARM_MTE)"?
>
>> - For those fields which KVM doesn't know how to handle, they have
>> are not exposed to the guest (being disabled in the register read
>> accessor), those fields value will always be 0. Allow those fields
>> writable is fine, since the userspace can only write 0 into those
>> fields. Maybe in the future KVM know how to handle some of the
>> fields, then they can be written into other value.
>> So let them writable.
>> Those fields include SME, RNDR_trap, NMI, GCS, THE, DF2, PFAR,
>> MTE_frac, MTEX.
>
> This doesn't seem right. We're committing to a UAPI behavior the moment
> these fields are advertised to userspace, which is rather difficult to
> do for features that we don't even implement.
>
> Please only advertise the fields known to KVM and leave the others
> unadvertised.
Thanks a lot for pointing this out. Now I get the point, for those not
implemented feature, they should not writable, so they're not advertised
to userspace.
>
>> - The BT, SSBS, CSV2_frac don't introduce any new registers which KVM
>> doesn't know how to handle, they can be written without ill effect.
>> So let them writable.
>
> I think the handling of ARM_SMCCC_ARCH_WORKAROUND_2 needs to be updated
> to consider the presence of FEAT_SSBS in the guest's ID registers.
> Otherwise we'll wind up returning NOT_SUPPORTED and the guest will
> conclude it is in a vulnerable state.
I see that line of code, in the case ARM_SMCCC_ARCH_WORKAROUND_2:
if (cpus_have_final_cap(ARM64_SSBS))
break;
I guess we should update it with something like
if (SYS_FIELD_GET(ID_AA64PFR1_EL1, SSBS, IDREG(kvm,
SYS_ID_AA64PFR1_EL1)) != 0)
Oliver, Is there any proper function or macro implement the checking
like above? I don't find the similar checking in the code.
Thanks,
Shaoqin
>
--
Shaoqin
Powered by blists - more mailing lists