| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <bb3256d7c5ee2e84e26d71570db25b05ada8a59f.camel@intel.com> Date: Fri, 19 Sep 2025 17:29:27 +0000 From: "Edgecombe, Rick P" <rick.p.edgecombe@...el.com> To: "thomas.lendacky@....com" <thomas.lendacky@....com>, "john.allen@....com" <john.allen@....com> CC: "Gao, Chao" <chao.gao@...el.com>, "seanjc@...gle.com" <seanjc@...gle.com>, "Li, Xiaoyao" <xiaoyao.li@...el.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "minipli@...ecurity.net" <minipli@...ecurity.net>, "mlevitsk@...hat.com" <mlevitsk@...hat.com>, "kvm@...r.kernel.org" <kvm@...r.kernel.org>, "pbonzini@...hat.com" <pbonzini@...hat.com> Subject: Re: [PATCH v15 29/41] KVM: SEV: Synchronize MSR_IA32_XSS from the GHCB when it's valid On Fri, 2025-09-19 at 08:40 -0500, Tom Lendacky wrote: > Likely something to do with the encryption bit since, if set, will > generate an invalid address in 32-bit, right? But the SSP is a virtual address and c-bit is a physical thing. > > For SEV-ES, we transition to 64-bit very quickly because of the use of the > encryption bit, which is why, for example, we don't support SEV-ES / > SEV-SNP in the OvmfIa32X64.dsc package. This sounds like it's about the lack of ability to set the c-bit in the page table, rather than having the C-bit set in a virtual address. In compatibility mode you are not using 32 bit page tables, so the C-bit should be available like normal I think. Not an expert in 32 bit/compatibility mode though. More background on this test/behavior: During the tail end of the shadow stack enabling, there was a concern raised that we didn't un-support 32 bit shadow stack cleanly enough. We blocked it from being allowed in 32 bit apps, but nothing stopped an app from enabling it in 64 bit an then switching to 32 bit mode without the kernel getting a chance to block it. The simplest, get-it-done type solution was to just not allocate shadow stacks in the space where they could be usable in 32 bit mode and let the HW catch it. But the whole point is just to not allow 32 bit mode CET. Sounds like SEV-ES covers this another way - don't support 32 bit at all. I wonder if we should just patch the test to skip the 32 bit test on coco VMs? PS, we don't support CET on TDX currently even though it doesn't require everything in this series, but I just remembered (forehead slap) that on the way upstream the extra CET-TDX exclusion got pulled out. After this series, it would be allowed in TDX guests as well. So we need to do the same testing in TDX. Let me see how the test goes in TDX and get back to you.
Powered by blists - more mailing lists