Open Source and information security mailing list archives
Message-ID: <aAh8fD8pyxEIiBU0@intel.com>
Date: Wed, 23 Apr 2025 13:37:00 +0800
From: Chao Gao <chao.gao@...el.com>
To: Jon Kohler <jon@...anix.com>
CC: <seanjc@...gle.com>, <pbonzini@...hat.com>, <tglx@...utronix.de>,
	<mingo@...hat.com>, <bp@...en8.de>, <dave.hansen@...ux.intel.com>,
	<x86@...nel.org>, <hpa@...or.com>, <kvm@...r.kernel.org>,
	<linux-kernel@...r.kernel.org>
Subject: Re: [RFC PATCH 13/18] KVM: x86/mmu: Adjust SPTE_MMIO_ALLOWED_MASK to
 understand MBEC

On Thu, Mar 13, 2025 at 01:36:52PM -0700, Jon Kohler wrote:
>Adjust the SPTE_MMIO_ALLOWED_MASK and associated values to make these
>masks aware of PTE Bit 10, to be used by Intel MBEC.
>
>Intel SDM 30.3.3.1 EPT Misconfigurations states:
>  An EPT misconfiguration occurs if translation of a guest-physical
>  address encounters an EPT paging-structure entry that meets any of
>  the following conditions:
>   - Bit 0 of the entry is clear (indicating that data reads are not
>     allowed) and any of the following hold:
>     — Bit 1 is set (indicating that data writes are allowed).
>     — The processor does not support execute-only translations and
>       either of the following hold:
>       - Bit 2 is set (indicating that instruction fetches are allowed)
>         Note: If the “mode-based execute control for EPT” VM-execution
>         control is 1, setting bit 2 indicates that instruction fetches
>         are allowed from supervisor-mode linear addresses.
>       - The “mode-based execute control for EPT” VM-execution control
>         is 1 and bit 10 is set (indicating that instruction fetches
>         are allowed from user-mode linear addresses).
>
>For LKML Review:
>SDM 30.3.3.1 also states that "Software should read the VMX capability
>MSR IA32_VMX_EPT_VPID_CAP to determine whether execute-only
>translations are supported (see Appendix A.10)." A.10 indicates that
>this is specified by bit 0; if bit 0 is 1, then the processor supports
>execute-only transactions by EPT.
>
>Searching around a bit, it looks like this bit is checked by
>vmx/capabilities.h:cpu_has_vmx_ept_execute_only(), which is used only
>in kvm/vmx/vmx.c:vmx_hardware_setup(), passed as the has_exec_only
>argument to kvm_mmu_set_ept_masks(), which uses it to set
>shadow_present_mask.
>
>I'm not sure if this actually matters for this change(?), but thought
>it was at least worth surfacing for others to consider.

KVM needs to emulate the hardware behavior when walking guest EPT to report
EPT misconfigurations/violations accurately. IMO, the functions below should be
modified:

FNAME(is_present_gpte)
FNAME(is_bad_mt_xwr)

>
>Signed-off-by: Jon Kohler <jon@...anix.com>
>
>---
> arch/x86/include/asm/vmx.h |  6 ++++--
> arch/x86/kvm/mmu/spte.h    | 13 +++++++------
> 2 files changed, 11 insertions(+), 8 deletions(-)
>
>diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h
>index 84c5be416f5c..961d37e108b5 100644
>--- a/arch/x86/include/asm/vmx.h
>+++ b/arch/x86/include/asm/vmx.h
>@@ -541,7 +541,8 @@ enum vmcs_field {
> #define VMX_EPT_SUPPRESS_VE_BIT			(1ull << 63)
> #define VMX_EPT_RWX_MASK                        (VMX_EPT_READABLE_MASK |       \
> 						 VMX_EPT_WRITABLE_MASK |       \
>-						 VMX_EPT_EXECUTABLE_MASK)
>+						 VMX_EPT_EXECUTABLE_MASK |     \
>+						 VMX_EPT_USER_EXECUTABLE_MASK)
> #define VMX_EPT_MT_MASK				(7ull << VMX_EPT_MT_EPTE_SHIFT)
> 
> static inline u8 vmx_eptp_page_walk_level(u64 eptp)
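
Review bot: VMX_EPT_RWX_MASK now includes VMX_EPT_USER_EXECUTABLE_MASK unconditionally, while the SDM text quoted in the commit message gives bit 10 its execute meaning only when the "mode-based execute control for EPT" VM-execution control is 1. Every existing user of the mask will start treating bit 10 as a permission bit whether or not MBEC is in use; either explain in the commit message why that is safe for each user, or keep VMX_EPT_RWX_MASK as the three-bit mask and add a separate MBEC-aware mask. The name also no longer matches the contents (four bits under an "RWX" name), which deserves at least a comment at the definition.
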
>@@ -558,7 +559,8 @@ static inline u8 vmx_eptp_page_walk_level(u64 eptp)
> 
> /* The mask to use to trigger an EPT Misconfiguration in order to track MMIO */
> #define VMX_EPT_MISCONFIG_WX_VALUE		(VMX_EPT_WRITABLE_MASK |       \
>-						 VMX_EPT_EXECUTABLE_MASK)
>+						 VMX_EPT_EXECUTABLE_MASK |     \
>+						 VMX_EPT_USER_EXECUTABLE_MASK)
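
Review bot: the addition of VMX_EPT_USER_EXECUTABLE_MASK to VMX_EPT_MISCONFIG_WX_VALUE is not justified anywhere in the commit message, and by the SDM text quoted there an entry with bit 0 clear and bit 1 set is already an EPT misconfiguration whatever bits 2 and 10 hold. Unless something depends on bit 10 being set in the MMIO value, leave the define as it was; if something does, say so in the comment above the define, and note that the name would still say only WX.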

This change is not needed. Whether MBEC is enabled doesn't make
VMX_EPT_WRITABLE_MASK | VMX_EPT_EXECUTABLE_MASK a valid entry for EPT.
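
Added example, not part of the thread or of the patch: the "bit 0 clear" EPT misconfiguration condition from the SDM excerpt quoted in the commit message, written as a standalone C predicate. The macro and function names are hypothetical and local to this example, and the other misconfiguration conditions the SDM lists, which are not quoted on this page, are not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions as given in the quoted SDM text; names are local to this example. */
#define EPT_R   (1ull << 0)   /* data reads allowed */
#define EPT_W   (1ull << 1)   /* data writes allowed */
#define EPT_X   (1ull << 2)   /* instruction fetch (supervisor-mode when MBEC is 1) */
#define EPT_UX  (1ull << 10)  /* user-mode instruction fetch, only with MBEC */

/*
 * True if the entry meets the quoted condition: bit 0 clear and either
 * bit 1 set, or (no execute-only support and bit 2 set, or MBEC on and
 * bit 10 set).
 */
static bool ept_perm_misconfig(uint64_t epte, bool has_exec_only, bool mbec)
{
	if (epte & EPT_R)
		return false;	/* readable: this condition cannot apply */
	if (epte & EPT_W)
		return true;	/* write without read, whatever bits 2 and 10 hold */
	if (has_exec_only)
		return false;	/* execute-only translations are supported */
	if (epte & EPT_X)
		return true;
	return mbec && (epte & EPT_UX) != 0;
}

int main(void)
{
	/* Constructed values: the MMIO marker before and after the patch. */
	uint64_t old_wx = EPT_W | EPT_X;
	uint64_t new_wx = EPT_W | EPT_X | EPT_UX;

	for (int cfg = 0; cfg < 4; cfg++) {
		bool xo = cfg & 1, mbec = cfg & 2;
		printf("exec_only=%d mbec=%d  W|X:%d  W|X|UX:%d\n", xo, mbec,
		       ept_perm_misconfig(old_wx, xo, mbec),
		       ept_perm_misconfig(new_wx, xo, mbec));
	}
	return 0;
}
```

Both marker values report a misconfiguration in all four configurations, because the write-without-read test fires before bits 2 and 10 are examined.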
