[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <74fe44da-b99e-4fe6-b07c-43a146184e7c@intel.com>
Date: Fri, 13 Sep 2024 09:47:21 -0700
From: Dave Hansen <dave.hansen@...el.com>
To: Sean Christopherson <seanjc@...gle.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
Alexey Gladkov <legion@...nel.org>, linux-kernel@...r.kernel.org,
linux-coco@...ts.linux.dev, Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>, "H. Peter Anvin" <hpa@...or.com>,
Andrew Morton <akpm@...ux-foundation.org>, Yuan Yao <yuan.yao@...el.com>,
Geert Uytterhoeven <geert@...ux-m68k.org>, Yuntao Wang <ytcoode@...il.com>,
Kai Huang <kai.huang@...el.com>, Baoquan He <bhe@...hat.com>,
Oleg Nesterov <oleg@...hat.com>, cho@...rosoft.com, decui@...rosoft.com,
John.Starks@...rosoft.com, Paolo Bonzini <pbonzini@...hat.com>
Subject: Re: [PATCH v6 0/6] x86/tdx: Allow MMIO instructions from userspace
On 9/13/24 09:28, Sean Christopherson wrote:
>> because folks would update their kernel and old userspace would break.
>>
>> Or maybe we start enforcing things at >=SEV-SNP and TDX and just say
>> that security model has changed too much to allow the old userspace.
> Heh, that's an outright lie though. Nothing relevant has changed between SEV-ES
> and SEV-SNP that makes old userspace any less secure, or makes it harder for the
> kernel to support decoding instructions on SNP vs. ES.
The trust model does change, though.
The VMM is still in the guest TCB for SEV-ES because there are *so* many
ways to leverage NPT to compromise a VM. Yeah, the data isn't in plain
view of the VMM, but that doesn't mean the VMM is out of the TCB.
With SEV-ES, old crusty userspace is doing MMIO to a VMM in the TCB.
With SEV-SNP, old crusty userspace is talking to an untrusted VMM.
I think that's how the security model changes.
> I also don't know that this is for old userspace. AFAIK, the most common case
> for userspace triggering emulated MMIO is when a device is passed to userspace
> via VFIO/IOMMUFD, e.g. a la DPDK.
Ahh, that would make sense.
It would be nice to hear from those folks _somewhere_ about what their
restrictions are and if they'd ever be able to enforce a subset of the
ISA for MMIO or even (for example) make system calls to do MMIO.
Does it matter to them if all of a sudden the NIC or the NVMe device on
the other side of VFIO is malicious?
Powered by blists - more mailing lists