lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <84e28104e486a664da5d7d06c9294d138eaf837c.camel@infradead.org>
Date: Mon, 07 Apr 2025 10:40:27 +0100
From: David Woodhouse <dwmw2@...radead.org>
To: Christoph Hellwig <hch@...radead.org>
Cc: virtio-comment@...ts.linux.dev, mst@...hat.com, Claire Chang
 <tientzu@...omium.org>, linux-devicetree <devicetree@...r.kernel.org>, Rob
 Herring <robh+dt@...nel.org>, Jörg Roedel
 <joro@...tes.org>,  iommu@...ts.linux-foundation.org,
 linux-kernel@...r.kernel.org, graf@...zon.de
Subject: Re: [RFC PATCH 1/3] content: Add VIRTIO_F_SWIOTLB to negotiate use
 of SWIOTLB bounce buffers

On Mon, 2025-04-07 at 00:34 -0700, Christoph Hellwig wrote:
> 
> > > describe this limitation, which is much better than hacking around it
> > > using an odd device model.
> > 
> > It still has the problem that existing drivers in all operating systems
> > produced before 2030 will see the device and try to use it as-is, with
> > no comprehension of this new thing.
> 
> Given how much enablement the various CoCo schemes need it won't work
> anyway.

Not all CoCo-style schemes need any enablement on the guest side at
all. It's perfectly feasible to have a pKVM-like model where the VMM
(and host Linux) are absolutely prevented from accessing guest memory,
without the guest knowing *anything* about it at all.

It's not about attestation to the guest. Deprivileging the host kernel
provides a huge amount of protection against both software and CPU
speculation bugs across the whole of that massive code base.

And you can do it with *full* compatibility. The guest just sees a
standard SMMU for its *actual* network and block devices, which are PCI
passthrough. (Yes, the guest does need to *use* the SMMU).

The caveat is when we have *emulated* devices, like virtio-vsock. That
brings us to LART the IOMMU designers for building a two-stage IOMMU
without considering emulated PCI devices, and then to start this
conversation we're having now about how to do it.

> Btw, you mail formatting in the last days went completely crazy.

Yeah, that's K-9 mail on Android not word wrapping; I'll see if I can
fix it. At least it's a mobile client that doesn't send HTML :)

Download attachment "smime.p7s" of type "application/pkcs7-signature" (5069 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ