lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <46d208b59038b5e4dce3122d7efe85f9106dae32.camel@intel.com>
Date: Wed, 2 Apr 2025 22:05:58 +0000
From: "Huang, Kai" <kai.huang@...el.com>
To: "kvm@...r.kernel.org" <kvm@...r.kernel.org>, "pbonzini@...hat.com"
	<pbonzini@...hat.com>, "seanjc@...gle.com" <seanjc@...gle.com>,
	"binbin.wu@...ux.intel.com" <binbin.wu@...ux.intel.com>
CC: "mikko.ylinen@...ux.intel.com" <mikko.ylinen@...ux.intel.com>, "Edgecombe,
 Rick P" <rick.p.edgecombe@...el.com>, "Gao, Chao" <chao.gao@...el.com>, "Li,
 Xiaoyao" <xiaoyao.li@...el.com>, "Chatre, Reinette"
	<reinette.chatre@...el.com>, "Hunter, Adrian" <adrian.hunter@...el.com>,
	"Lindgren, Tony" <tony.lindgren@...el.com>, "linux-kernel@...r.kernel.org"
	<linux-kernel@...r.kernel.org>, "Zhao, Yan Y" <yan.y.zhao@...el.com>,
	"Yamahata, Isaku" <isaku.yamahata@...el.com>
Subject: Re: [PATCH 1/2] KVM: TDX: Handle TDG.VP.VMCALL<GetQuote>

On Wed, 2025-04-02 at 21:16 +0800, Binbin Wu wrote:
> > > > +static int tdx_get_quote(struct kvm_vcpu *vcpu)
> > > > +{
> > > > +    struct vcpu_tdx *tdx = to_tdx(vcpu);
> > > > +
> > > > +    u64 gpa = tdx->vp_enter_args.r12;
> > > > +    u64 size = tdx->vp_enter_args.r13;
> > > > +
> > > > +    /* The buffer must be shared memory. */
> > > > +    if (vt_is_tdx_private_gpa(vcpu->kvm, gpa) || size == 0) {
> > > > +        tdvmcall_set_return_code(vcpu, TDVMCALL_STATUS_INVALID_OPERAND);
> > > > +        return 1;
> > > > +    }
> > > It is a little bit confusing about the shared buffer check here.  There are two
> > > perspectives here:
> > > 
> > > 1) the buffer has already been converted to shared, i.e., the attributes are
> > > stored in the Xarray.
> > > 2) the GPA passed in the GetQuote must have the shared bit set.
> > > 
> > > The key is we need 1) here.  From the spec, we need the 2) as well because it
> > > *seems* that the spec requires GetQuote to provide the GPA with shared bit set,
> > > as it says "Shared GPA as input".
> > > 
> > > The above check only does 2).  I think we need to check 1) as well, because once
> > > you forward this GetQuote to userspace, userspace is able to access it freely.
> > 
> > Right.
> > 
> > Another discussion is whether KVM should skip the sanity checks for GetQuote
> > and let the userspace take the job.
> > Considering checking the buffer is shared memory or not, KVM seems to be a
> > better place.
> A second thought. If the userspace could do the shared memory check, the
> whole sanity checks can be done in userspace to keep KVM as small as possible.

I am not sure depending on userspace to check is a good idea while KVM can just
do it, e.g., the userspace may forget to do the check.  It's consistent with
other "userspace input checks" as well.

Another argument is there are multiple VMMs out there and they all will need to
do such check if KVM doesn't do it.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ