Message-ID: <sh3fz5qlmy2smu74ezibbptxgmlpedzui3c4q6x22jc5w5ik4q@qms3osoxh74t>
Date: Mon, 30 Jun 2025 15:07:08 +0300
From: "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>
To: Peter Zijlstra <peterz@...radead.org>
Cc: Ricardo Neri <ricardo.neri-calderon@...ux.intel.com>, x86@...nel.org,
Krzysztof Kozlowski <krzk+dt@...nel.org>, Conor Dooley <conor+dt@...nel.org>,
Rob Herring <robh@...nel.org>, "K. Y. Srinivasan" <kys@...rosoft.com>,
Haiyang Zhang <haiyangz@...rosoft.com>, Wei Liu <wei.liu@...nel.org>, Dexuan Cui <decui@...rosoft.com>,
Michael Kelley <mhklinux@...look.com>, "Rafael J. Wysocki" <rafael@...nel.org>,
Saurabh Sengar <ssengar@...ux.microsoft.com>, Chris Oo <cho@...rosoft.com>, linux-hyperv@...r.kernel.org,
devicetree@...r.kernel.org, linux-acpi@...r.kernel.org, linux-kernel@...r.kernel.org,
Ricardo Neri <ricardo.neri@...el.com>, Yunhong Jiang <yunhong.jiang@...ux.intel.com>
Subject: Re: [PATCH v5 02/10] x86/acpi: Move acpi_wakeup_cpu() and helpers to
smpwakeup.c
On Mon, Jun 30, 2025 at 01:03:16PM +0200, Peter Zijlstra wrote:
> On Fri, Jun 27, 2025 at 08:35:08PM -0700, Ricardo Neri wrote:
>
> > - /*
> > - * Wait for the CPU to wake up.
> > - *
> > - * The CPU being woken up is essentially in a spin loop waiting to be
> > - * woken up. It should not take long for it wake up and acknowledge by
> > - * zeroing out ->command.
> > - *
> > - * ACPI specification doesn't provide any guidance on how long kernel
> > - * has to wait for a wake up acknowledgment. It also doesn't provide
> > - * a way to cancel a wake up request if it takes too long.
> > - *
> > - * In TDX environment, the VMM has control over how long it takes to
> > - * wake up secondary. It can postpone scheduling secondary vCPU
> > - * indefinitely. Giving up on wake up request and reporting error opens
> > - * possible attack vector for VMM: it can wake up a secondary CPU when
> > - * kernel doesn't expect it. Wait until positive result of the wake up
> > - * request.
> > - */
> > - while (READ_ONCE(acpi_mp_wake_mailbox->command))
> > - cpu_relax();
> > -
> > - return 0;
> > -}
>
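Review bot: the comment travelling with this loop has a wording slip at "It should not take long for it wake up" (missing "to"), and "wake up secondary" would read better as "wake up a secondary CPU". Since the block is only being relocated here, a small follow-up patch for the wording would keep this one a pure move.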
> > + while (READ_ONCE(acpi_mp_wake_mailbox->command))
> > + cpu_relax();
> > +
> > + return 0;
> > +}
>
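Review bot: the "while (READ_ONCE(acpi_mp_wake_mailbox->command))" loop in its new location has no bound, so the calling CPU spins forever if ->command is never zeroed, and as quoted the added lines show the loop without the block comment the removed hunk carried. That comment is the only record of why the wait is deliberately unbounded (the VMM in a TDX environment can delay the secondary CPU, and giving up would let it wake the CPU when the kernel does not expect it), so it should sit directly above the loop in smpwakeup.c and say plainly that the missing timeout is intentional.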
> So I realize this is just code movement at this point, but this will
> hard lockup the machine if the AP doesn't come up, right?
Correct.
> IIRC we have some timeout in the regular SIPI bringup if the AP doesn't
> respond.
See the comment.

In the TDX guest case, we need to consider a malicious VMM that can postpone
scheduling the target vCPU indefinitely. It can give the VMM indirect control
of what the target would run upon wakeup. Like, it can wait until the
guest does kexec and the same start RIP would point to non-startup code.

I hope we will get SIPI-based CPU bringup in the TDX guest eventually. It will
be more reliable.
--
Kiryl Shutsemau / Kirill A. Shutemov