| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aMnAVtWhxQipw9Er@google.com> Date: Tue, 16 Sep 2025 12:53:58 -0700 From: Sean Christopherson <seanjc@...gle.com> To: John Allen <john.allen@....com> Cc: Paolo Bonzini <pbonzini@...hat.com>, kvm@...r.kernel.org, linux-kernel@...r.kernel.org, Tom Lendacky <thomas.lendacky@....com>, Mathias Krause <minipli@...ecurity.net>, Rick Edgecombe <rick.p.edgecombe@...el.com>, Chao Gao <chao.gao@...el.com>, Maxim Levitsky <mlevitsk@...hat.com>, Xiaoyao Li <xiaoyao.li@...el.com>, Zhang Yi Z <yi.z.zhang@...ux.intel.com> Subject: Re: [PATCH v15 29/41] KVM: SEV: Synchronize MSR_IA32_XSS from the GHCB when it's valid On Tue, Sep 16, 2025, John Allen wrote: > On Fri, Sep 12, 2025 at 04:23:07PM -0700, Sean Christopherson wrote: > > Synchronize XSS from the GHCB to KVM's internal tracking if the guest > > marks XSS as valid on a #VMGEXIT. Like XCR0, KVM needs an up-to-date copy > > of XSS in order to compute the required XSTATE size when emulating > > CPUID.0xD.0x1 for the guest. > > > > Treat the incoming XSS change as an emulated write, i.e. validatate the > > guest-provided value, to avoid letting the guest load garbage into KVM's > > tracking. Simply ignore bad values, as either the guest managed to get an > > unsupported value into hardware, or the guest is misbehaving and providing > > pure garbage. In either case, KVM can't fix the broken guest. > > > > Note, emulating the change as an MSR write also takes care of side effects, > > e.g. marking dynamic CPUID bits as dirty. > > > > Suggested-by: John Allen <john.allen@....com> > > Signed-off-by: Sean Christopherson <seanjc@...gle.com> > > --- > > arch/x86/kvm/svm/sev.c | 3 +++ > > arch/x86/kvm/svm/svm.h | 1 + > > 2 files changed, 4 insertions(+) > > > > diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c > > index 0cd77a87dd84..0cd32df7b9b6 100644 > > --- a/arch/x86/kvm/svm/sev.c > > +++ b/arch/x86/kvm/svm/sev.c > > @@ -3306,6 +3306,9 @@ static void sev_es_sync_from_ghcb(struct vcpu_svm *svm) > > if (kvm_ghcb_xcr0_is_valid(svm)) > > __kvm_set_xcr(vcpu, 0, kvm_ghcb_get_xcr0(ghcb)); > > > > + if (kvm_ghcb_xss_is_valid(svm)) > > + __kvm_emulate_msr_write(vcpu, MSR_IA32_XSS, kvm_ghcb_get_xss(ghcb)); > > + > > It looks like this is the change that caused the selftest regression > with sev-es. It's not yet clear to me what the problem is though. Do you see any WARNs in the guest kernel log? The most obvious potential bug is that KVM is missing a CPUID update, e.g. due to dropping an XSS write, consuming stale data, not setting cpuid_dynamic_bits_dirty, etc. But AFAICT, CPUID.0xD.1.EBX (only thing that consumes the current XSS) is only used by init_xstate_size(), and I would expect the guest kernel's sanity checks in paranoid_xstate_size_valid() to yell if KVM botches CPUID emulation. Another possibility is that unconditionally setting cpuid_dynamic_bits_dirty was masking a pre-existing (or just different) bug, and that "fixing" that flaw by eliding cpuid_dynamic_bits_dirty when "vcpu->arch.ia32_xss == data" exposed the bug.
Powered by blists - more mailing lists