| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <cover.1722019360.git.tim.merrifield@broadcom.com> Date: Fri, 26 Jul 2024 18:57:59 +0000 From: Tim Merrifield <tim.merrifield@...adcom.com> To: "Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>, Dave Hansen <dave.hansen@...ux.intel.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, x86@...nel.org, "H . Peter Anvin" <hpa@...or.com>, Xin Li <xin3.li@...el.com>, Tim Merrifield <tim.merrifield@...adcom.com>, Ard Biesheuvel <ardb@...nel.org>, Kai Huang <kai.huang@...el.com>, Kevin Loughlin <kevinloughlin@...gle.com>, Thomas Zimmermann <tzimmermann@...e.de>, Rick Edgecombe <rick.p.edgecombe@...el.com>, Kees Cook <kees@...nel.org>, Mike Rapoport <rppt@...nel.org>, Brian Gerst <brgerst@...il.com>, linux-coco@...ts.linux.dev, linux-kernel@...r.kernel.org, Ajay Kaher <ajay.kaher@...adcom.com>, Alexey Makhalov <alexey.makhalov@...adcom.com>, Broadcom internal kernel review list <bcm-kernel-feedback-list@...adcom.com>, virtualization@...ts.linux.dev, alex.james@...adcom.com, doug.covelli@...adcom.com, jeffrey.sheldon@...adcom.com, kevin.christopher@...adcom.com, aravind-as.srinivasan@...adcom.com, ravindra.kumar@...adcom.com Subject: [PATCH v2 0/2] Support userspace hypercalls for TDX Hypercall instructions like VMCALL and VMMCALL are not restricted to CPL 0. This allows userspace software like open-vm-tools to communicate directly with the VMM. For TDX VMs, this communication may violate the security model. Today, VMCALLs are not forwarded to the host VMM, which breaks open-vm-tools and any other userspace software that uses VMCALL. But if userspace is aware of the risks and has been hardened to address any known violations of the security model, then it seems reasonable to allow hypercalls from this process to proceed. This patchset introduces a new x86 process control flag to address this concern. By setting the MM_CONTEXT_COCO_USER_HCALL flag, the process opts in to user-level hypercalls. When TDX is enabled, the VMCALL will #VE and control will be transferred to a hypervisor-specific hypercall handler (similar to how things work today for SEV with sev_es_hcall_prepare/sev_es_hcall_finish). The flag has no effect on non-TDX VMs. Other confidential computing technologies could use this flag to provide limited access to user-level hypercalls. v1->v2 changes: - Updated coverletter to get to the point a little faster. - Patch 1: Changed to use a per-process flag rather than a per-thread flag, based on feedback from Kirill Shutemov. I believe this also addresses the issue of inheritance raised by Dave Hansen. - Patch 1: Refactored the logic in tdx.c to be made more clear. Also, tdx_hcall now returns an error code. Both suggested by Kirill. - Patch 2: We now zero tdx_module_args to prevent data leakage to the VMM, pointed out by Kirill. Tim Merrifield (2): Add prctl to allow userlevel TDX hypercalls x86/vmware: VMware support for TDX userspace hypercalls arch/x86/coco/tdx/tdx.c | 23 ++++++++++++++ arch/x86/include/asm/mmu.h | 2 ++ arch/x86/include/asm/x86_init.h | 1 + arch/x86/include/uapi/asm/prctl.h | 3 ++ arch/x86/kernel/cpu/vmware.c | 51 ++++++++++++++++++++++++------- arch/x86/kernel/process.c | 22 +++++++++++++ 6 files changed, 91 insertions(+), 11 deletions(-) -- 2.40.1
Powered by blists - more mailing lists