lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <c502a550-3856-4c21-8546-b4b1abbd0abf@amd.com>
Date: Wed, 16 Jul 2025 13:25:13 -0500
From: "Pratik R. Sampat" <prsampat@....com>
To: Sean Christopherson <seanjc@...gle.com>
Cc: linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
 ashish.kalra@....com, thomas.lendacky@....com, john.allen@....com,
 herbert@...dor.apana.org.au, bp@...en8.de, michael.roth@....com,
 aik@....com, pbonzini@...hat.com
Subject: Re: [PATCH 1/1] crypto: ccp - Add the SNP_VERIFY_MITIGATION command



On 7/10/25 5:45 PM, Sean Christopherson wrote:
> On Wed, Jul 09, 2025, Pratik R. Sampat wrote:
>> Hi Sean,
>>
>> On 7/8/25 8:57 AM, Sean Christopherson wrote:
>>> On Mon, Jun 30, 2025, Pratik R. Sampat wrote:
>>>> The SEV-SNP firmware provides the SNP_VERIFY_MITIGATION command, which
>>>> can be used to query the status of currently supported vulnerability
>>>> mitigations and to initiate mitigations within the firmware.
>>>>
>>>> See SEV-SNP Firmware ABI specifications 1.58, SNP_VERIFY_MITIGATION for
>>>> more details.
>>>
>>> Nothing here explains why this needs to be exposed directly to userspace.
>>
>> The general idea is that not all mitigations may/can be applied
>> immediately, for ex: some mitigations may require all the guest to be
>> shutdown before they can be applied. So a host userspace interface to
>> query+apply mitigations can be useful for that coordination before
>> attempting to apply the mitigation.
> 
> But why expose ioctls to effectively give userspace direct access to firmware?
> E.g. why not configure firmware mitigations via the kernel's upcoming
> Attack Vector Controls.
> 
> https://lore.kernel.org/all/20250707183316.1349127-1-david.kaplan@amd.com

Something like Attack Vector Controls may not work in our case, since
those are designed to protect the kernel from userspace and guests,
whereas SEV firmware mitigations are focused on protecting guests from
the hypervisor. Additionally, Attack Vector Controls are managed via
boot command-line parameters, but maybe we could potentially change
that by introducing RW interfaces for our case within
/sys/devices/system/cpu/vector_vulnerabilities (or what the final form
of this interface ends up being).

Another option could be to expose this functionality in a subdirectory
under /sys/firmware/?

However, with any of these approaches, we would still be giving
userspace the ability to access and alter the firmware, similar to
the interfaces that expose features such as Download Firmware EX
also allow, right?

Thanks!
Pratik

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ