lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0a1a860f-cb46-426e-b586-f33d38b2c912@intel.com>
Date: Fri, 30 Aug 2024 14:01:28 +0300
From: Adrian Hunter <adrian.hunter@...el.com>
To: Kai Huang <kai.huang@...el.com>, dave.hansen@...el.com,
 kirill.shutemov@...ux.intel.com, tglx@...utronix.de, bp@...en8.de,
 peterz@...radead.org, mingo@...hat.com, hpa@...or.com,
 dan.j.williams@...el.com, seanjc@...gle.com, pbonzini@...hat.com
Cc: x86@...nel.org, linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
 rick.p.edgecombe@...el.com, isaku.yamahata@...el.com, chao.gao@...el.com,
 binbin.wu@...ux.intel.com
Subject: Re: [PATCH v3 8/8] x86/virt/tdx: Don't initialize module that doesn't
 support NO_RBP_MOD feature

On 27/08/24 10:14, Kai Huang wrote:
> Old TDX modules can clobber RBP in the TDH.VP.ENTER SEAMCALL.  However
> RBP is used as frame pointer in the x86_64 calling convention, and
> clobbering RBP could result in bad things like being unable to unwind
> the stack if any non-maskable exceptions (NMI, #MC etc) happens in that
> gap.
> 
> A new "NO_RBP_MOD" feature was introduced to more recent TDX modules to
> not clobber RBP.  This feature is reported in the TDX_FEATURES0 global
> metadata field via bit 18.
> 
> Don't initialize the TDX module if this feature is not supported [1].
> 
> Link: https://lore.kernel.org/all/c0067319-2653-4cbd-8fee-1ccf21b1e646@suse.com/T/#mef98469c51e2382ead2c537ea189752360bd2bef [1]
> Signed-off-by: Kai Huang <kai.huang@...el.com>
> Reviewed-by: Nikolay Borisov <nik.borisov@...e.com>

Reviewed-by: Adrian Hunter <adrian.hunter@...el.com>

> ---
> 
> v2 -> v3:
>  - check_module_compatibility() -> check_features().
>  - Improve error message.
> 
>  https://lore.kernel.org/kvm/cover.1721186590.git.kai.huang@intel.com/T/#md9e2eeef927838cbf20d7b361cdbea518b8aec50
> 
> ---
>  arch/x86/virt/vmx/tdx/tdx.c | 17 +++++++++++++++++
>  arch/x86/virt/vmx/tdx/tdx.h |  3 +++
>  2 files changed, 20 insertions(+)
> 
> diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c
> index fa335ab1ae92..032a53ddf5bc 100644
> --- a/arch/x86/virt/vmx/tdx/tdx.c
> +++ b/arch/x86/virt/vmx/tdx/tdx.c
> @@ -454,6 +454,18 @@ static int get_tdx_sys_info(struct tdx_sys_info *sysinfo)
>  	return get_tdx_sys_info_tdmr(&sysinfo->tdmr);
>  }
>  
> +static int check_features(struct tdx_sys_info *sysinfo)
> +{
> +	u64 tdx_features0 = sysinfo->features.tdx_features0;
> +
> +	if (!(tdx_features0 & TDX_FEATURES0_NO_RBP_MOD)) {
> +		pr_err("frame pointer (RBP) clobber bug present, upgrade TDX module\n");
> +		return -EINVAL;
> +	}
> +
> +	return 0;
> +}
> +
>  /* Calculate the actual TDMR size */
>  static int tdmr_size_single(u16 max_reserved_per_tdmr)
>  {
> @@ -1235,6 +1247,11 @@ static int init_tdx_module(void)
>  
>  	print_basic_sys_info(&sysinfo);
>  
> +	/* Check whether the kernel can support this module */
> +	ret = check_features(&sysinfo);
> +	if (ret)
> +		return ret;
> +
>  	/*
>  	 * To keep things simple, assume that all TDX-protected memory
>  	 * will come from the page allocator.  Make sure all pages in the
> diff --git a/arch/x86/virt/vmx/tdx/tdx.h b/arch/x86/virt/vmx/tdx/tdx.h
> index e7bed9e717c7..831361e6d0fb 100644
> --- a/arch/x86/virt/vmx/tdx/tdx.h
> +++ b/arch/x86/virt/vmx/tdx/tdx.h
> @@ -154,6 +154,9 @@ struct tdx_sys_info_features {
>  	u64 tdx_features0;
>  };
>  
> +/* Architectural bit definitions of TDX_FEATURES0 metadata field */
> +#define TDX_FEATURES0_NO_RBP_MOD	_BITULL(18)
> +
>  /* Class "TDX Module Version" */
>  struct tdx_sys_info_version {
>  	u16 major;


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ