Message-ID: <20240801103623.2a74012e@imammedo.users.ipa.redhat.com>
Date: Thu, 1 Aug 2024 10:36:23 +0200
From: Igor Mammedov <imammedo@...hat.com>
To: Jonathan Cameron <Jonathan.Cameron@...wei.com>
Cc: Mauro Carvalho Chehab <mchehab+huawei@...nel.org>, Shiju Jose
 <shiju.jose@...wei.com>, "Michael S. Tsirkin" <mst@...hat.com>, Ani Sinha
 <anisinha@...hat.com>, Dongjiu Geng <gengdongjiu1@...il.com>, Eric Blake
 <eblake@...hat.com>, Markus Armbruster <armbru@...hat.com>, Michael Roth
 <michael.roth@....com>, Paolo Bonzini <pbonzini@...hat.com>, Peter Maydell
 <peter.maydell@...aro.org>, <linux-kernel@...r.kernel.org>,
 <qemu-arm@...gnu.org>, <qemu-devel@...gnu.org>
Subject: Re: [PATCH v3 4/7] acpi/ghes: Add a logic to handle block addresses
 and FW first ARM processor error injection

On Wed, 31 Jul 2024 09:57:19 +0100
Jonathan Cameron <Jonathan.Cameron@...wei.com> wrote:

> On Wed, 31 Jul 2024 09:11:33 +0200
> Mauro Carvalho Chehab <mchehab+huawei@...nel.org> wrote:
> 
> > On Tue, 30 Jul 2024 13:17:09 +0200
> > Igor Mammedov <imammedo@...hat.com> wrote:
> >   
> > > On Mon, 22 Jul 2024 08:45:56 +0200
> > > Mauro Carvalho Chehab <mchehab+huawei@...nel.org> wrote:
[...]
> > > Preferably make it generic enough to handle
> > > not only ARM but other error formats HEST is
> > > able to handle.
> > 
> > A too generic interface doesn't sound feasible to me, as the
> > EINJ code needs to check QEMU implementation details before
> > doing the error injection.
> 
> To be clear, we are talking here about a script that
> generates stuff 'similar' to what ACPI EINJ does and injects
> via QAPI, not guest injection (which is almost always locked
> down on production machines / distros because of the footgun
> aspect). Plus, the ACPI EINJ interface suffers exactly the same
> problems with state discoverability that we have with a raw interface here.
> (I checked with Mauro offline that I'd interpreted this
> comment correctly!)
> 
> > 
> > See, processor is probably the simplest error injection
> > source, as most of the fields there aren't related to how
> > the hardware simulation is done.
> > 
> > Yet, if you see patch 7 of this series, you'll notice that some
> > fields should actually be filled based on the emulation.
> > 
> > On ARM, we have some IDs that depend on the emulation
> > (MIDR, MPIDR, power state). Doing that in userspace may require
> > a QAPI to query them.

QEMU has QMP commands to query the QOM tree; device properties are
likely what you'd be interested in.
Adding a new QAPI might not be necessary as long as the needed
data points are exposed via the device's properties.

And additional properties are relatively cheap, especially if their
names are prefixed with 'x-', which by convention means
/internal use, not stable, not ABI/

Well, the whole QOM tree structure hasn't been declared as ABI (as far as I know),
but it's relatively stable and we try not to mess with it much
(especially for mainstream virt machines), as some external users
might (ab)use it anyway (no promises on QEMU side though).

On the contrary, QAPI is mostly considered as the ABI QEMU provides
to its users, with the burden of maintaining its stability.

If the injection script is an internal tool of QEMU, it should be fine
for it to use QOM introspection to get data and limit QAPI to the
necessary minimum only.
To make sure it won't be broken silently by 'innocent' QEMU
contributors, have a CI job to make sure that it still works
as intended.

> We could strip back the QAPI part to only the bits that are
> not dependent on state.  However, the kicker to that is we'd
> need to make sure all that state is available to an external
> tool (or fully controllable from the initial launch command line).
> I'm not sure where the gaps are, but I'm fairly sure there
> will be some.  Doesn't save much code other than documentation
> of the QAPI.
> 
> > 
> > The memory layout, however, is the most complex one. Even for
> > an ARM processor CPER (which is the simplest scenario), the
> > physical/virtual addresses need to be checked against the emulation
> > environment.
> > 
> > Other error sources (like memory errors, CXL, etc.) will require
> > deep knowledge about how QEMU mapped such devices.
> 
> For CXL stuff we'll piggyback on native error injection interfaces
> that are already there and couldn't be avoided because they
> are writing a bunch of register state (that we elide in the FW
> first path).
> https://lore.kernel.org/qemu-devel/20240205141940.31111-12-Jonathan.Cameron@huawei.com/
> So we won't be adding new QAPI, but the error record generation logic
> will be in QEMU.  For background, the CXL FW-first error injection
> has taken a back seat to the ARM errors because of the obvious
> other factor that CXL isn't supported on ARM in upstream QEMU.
> Once I escape a few near-term deadlines I'll add the x86
> support for GHESv2 / SCI interrupt signaling as you'd see on a
> typical x86 server.
> 
> > 
> > So, in practice, if we move this to an EINJ script, we'll need
> > to add a probably more complex QAPI to allow querying the memory
> > layout and other device- and CPU-specific bindings.
> > 
> > Also, we don't know what newer versions of the ACPI spec will have
> > in store for us. See, even the HEST table contents are dependent on the HEST
> > revision number, as made clear in the ACPI 6.5 notes:
> > 
> > 	https://uefi.org/specs/ACPI/6.5/18_Platform_Error_Interfaces.html#acpi-error-source
> > 
> > and at:
> > 
> > 	https://uefi.org/specs/ACPI/6.5/18_Platform_Error_Interfaces.html#error-source-structure-header-type-12-onward
> > 
> > So, if we're willing to add support for a more generic "raw data"
> > QAPI, I would still do it per type, and for the fields that won't
> > require knowledge of the device-emulation details.
> 
> Could blend the two options and provide no QAPI for the bits
> that are QEMU-state dependent - if fuzzing, one can inject
> the full record raw as it doesn't have to be valid state anyway.
> 
> > 
> > Btw, my proposal in patch 7 of this series is to have raw data
> > for:
> > 	- the error-info field;
> > 	- registers dump;
> > 	- micro-architecture specific data.
> > 
> > I don't mind trying to have more raw data there as I see (marginal)
> > benefits in allowing the generation of invalid CPER records [1], but some of
> > those fields need to be validated and/or filled internally by QEMU - if
> > not forced to a specific value by the caller.
> > 
> > [1] a raw data EINJ can be useful for fuzzy logic fault detection to
> >     check if badly formed packages won't cause a Kernel panic or be
> >     an exploit. Yet, not really a concern for APEI, as if the hardware
> >     is faulty, a Kernel panic is not off the table. Also, if the
> >     BIOS is already compromised and has malicious code in it,
> >     the EINJ interface is not the main concern.
> >   
> > > PS:
> > > For user convenience, QEMU can carry a script that
> > > could help generate this raw value in a user-friendly way,
> > > but at the same time it won't put a maintenance
> > > burden on QEMU itself.
> > 
> > The script will still require reviews, and the same code will
> > be there. So, from a maintenance burden standpoint, there won't be much
> > difference.

It makes a lot of difference if the code is an integral part of the QEMU
binary (fewer people have to spend time on reviewing it, it avoids
increasing the attack surface, ... (other made-up reasons)).

Implementing a shim/proxy in QEMU and putting all the error-composing logic
into a separate script (even if it's a part of the QEMU source) shifts
most of the burden to whoever (I'd assume you'd volunteer yourself)
would maintain the script.

If the script breaks, it doesn't affect QEMU itself (nor, I believe, should
it affect the release process); the script's maintainer(s) can have their
own schedule/process for dealing with it.
 
> Agreed. I'd also be very keen that the script is tightly coupled to
> QEMU, as it doesn't make sense to carry it with the kernel or RAS daemon, and
> I'd want to ultimately get this stuff into all the appropriate
> CI flows.

Agreed, it makes much more sense to carry such a script as a part of QEMU.


> > 
> > Btw, I'm actually using a script myself to test it, currently
> > sitting together with rasdaemon - which is the Linux tool to detect
> > and handle hardware errors:
> > 
> > 	https://github.com/mchehab/rasdaemon/blob/master/contrib/qemu_einj.py
> > 
> > as it helps a lot when trying to simulate more complex errors.
> > 
> > Once QEMU gains support to inject processor errors, I can prepare a
> > separate patch to move it to QEMU.
> > 
> > Thanks,
> > Mauro  
> 
> So tricky questions. I'm not sure which way is the least painful!
> 
> Jonathan
> 
> 
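Igor's suggestion above of reading what an injector needs (MIDR, MPIDR affinity, 'x-' prefixed properties) through QOM introspection over QMP rather than new QAPI, together with his point about a CI job that catches silent breakage, as an added Python example that is not part of this thread and not QEMU's own code. The `qmp_capabilities`, `qom-list` and `qom-get` commands and the 'x-' naming convention are QEMU's; everything else is assumed or constructed: the client talks to any transport object offering `send_line`/`recv_line`, and `FakeQemu` is an in-memory stand-in whose QOM tree, property values and `x-demo-power-state` property are made up so the code runs offline.

```python
import json
from typing import Any, Dict, List, Tuple


class QmpError(Exception):
    """Protocol problem or an 'error' reply from QEMU."""


class QmpClient:
    """Minimal QMP client: read greeting, negotiate capabilities, then execute() commands."""

    def __init__(self, transport):
        self.t = transport  # any object with send_line(str) and recv_line() -> str
        if "QMP" not in json.loads(self.t.recv_line()):
            raise QmpError("no QMP greeting; is this really a QMP socket?")
        self.execute("qmp_capabilities")

    def execute(self, command: str, **arguments) -> Any:
        msg: Dict[str, Any] = {"execute": command}
        if arguments:
            msg["arguments"] = arguments
        self.t.send_line(json.dumps(msg))
        while True:
            reply = json.loads(self.t.recv_line())
            if "error" in reply:
                raise QmpError(reply["error"].get("desc", "unknown QMP error"))
            if "return" in reply:  # anything else is an asynchronous event; skip it
                return reply["return"]


class FakeQemu:
    """Constructed stand-in for a QEMU QMP socket so the demo runs offline. The tree is made
    up: 'midr'/'mp-affinity' mirror names an ARM CPU object exposes; 'x-demo-power-state'
    is a hypothetical 'x-' prefixed (unstable) property."""

    TREE = {
        "/machine": {"type": ("string", "virt"), "unattached": ("child<container>", None)},
        "/machine/unattached": {"device[0]": ("child<cortex-a57-arm-cpu>", None)},
        "/machine/unattached/device[0]": {"midr": ("uint64", 0x411FD070),
                                          "mp-affinity": ("uint64", 0),
                                          "x-demo-power-state": ("uint32", 1)},
    }

    def __init__(self):
        self.out = [json.dumps({"QMP": {"version": {}, "capabilities": []}})]

    def recv_line(self) -> str:
        return self.out.pop(0)

    def send_line(self, line: str) -> None:
        req = json.loads(line)
        cmd, args = req["execute"], req.get("arguments", {})
        obj = self.TREE.get(args.get("path"))
        if cmd == "qmp_capabilities":
            reply: Dict[str, Any] = {"return": {}}
        elif cmd == "qom-list" and obj is not None:
            reply = {"return": [{"name": n, "type": t} for n, (t, _) in obj.items()]}
        elif cmd == "qom-get" and obj is not None and args.get("property") in obj:
            reply = {"return": obj[args["property"]][1]}
        else:
            reply = {"error": {"class": "GenericError", "desc": f"{cmd} failed: {args}"}}
        self.out.append(json.dumps(reply))
        if cmd == "qmp_capabilities":  # QEMU can emit events at any time; the client must cope
            self.out.append(json.dumps({"event": "RTC_CHANGE", "data": {"offset": 0}}))


def walk_qom(client: QmpClient, path: str = "/machine", depth: int = 8) -> Dict[str, Dict[str, Any]]:
    """Return {object path: {property: value}} for `path` and every child<> object below it;
    link<> properties are not followed because they can form cycles."""
    props: Dict[str, Any] = {}
    children: List[str] = []
    for entry in client.execute("qom-list", path=path):
        if entry["type"].startswith("child<"):
            children.append(entry["name"])
        elif not entry["type"].startswith("link<"):
            try:
                props[entry["name"]] = client.execute("qom-get", path=path, property=entry["name"])
            except QmpError as exc:  # write-only or otherwise unreadable property
                props[entry["name"]] = f"<unreadable: {exc}>"
    tree = {path: props}
    if depth > 0:
        for name in children:
            tree.update(walk_qom(client, f"{path}/{name}", depth - 1))
    return tree


def check_expected(client: QmpClient, expected: Dict[Tuple[str, str], Any]) -> List[Tuple[str, str, Any, Any]]:
    """CI-style probe: one (path, prop, actual, expected) tuple per mismatch, so a renamed or
    dropped property fails the job loudly instead of silently breaking the injection tool."""
    bad = []
    for (path, prop), want in expected.items():
        try:
            got = client.execute("qom-get", path=path, property=prop)
        except QmpError as exc:
            got = f"<error: {exc}>"
        if got != want:
            bad.append((path, prop, got, want))
    return bad
```

Offline, `walk_qom(QmpClient(FakeQemu()))` returns the three objects of the constructed tree with their readable properties. Against a live QEMU started with `-qmp unix:/tmp/qmp.sock,server=on,wait=off` the same client works with a transport that wraps `socket.makefile("rw")` (assumed, not shown). `check_expected` is the piece a CI job would run: it lists every property the script depends on and reports a renamed or dropped one as a failed job rather than as a confusing error at injection time.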

