lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <765f8a3e-2bdd-4352-ba89-99ce3dbc6e4c@arm.com>
Date: Wed, 1 Oct 2025 16:19:16 +0100
From: Steven Price <steven.price@....com>
To: Marc Zyngier <maz@...nel.org>
Cc: kvm@...r.kernel.org, kvmarm@...ts.linux.dev,
 Suzuki K Poulose <suzuki.poulose@....com>,
 Catalin Marinas <catalin.marinas@....com>, Will Deacon <will@...nel.org>,
 James Morse <james.morse@....com>, Oliver Upton <oliver.upton@...ux.dev>,
 Zenghui Yu <yuzenghui@...wei.com>, linux-arm-kernel@...ts.infradead.org,
 linux-kernel@...r.kernel.org, Joey Gouly <joey.gouly@....com>,
 Alexandru Elisei <alexandru.elisei@....com>,
 Christoffer Dall <christoffer.dall@....com>, Fuad Tabba <tabba@...gle.com>,
 linux-coco@...ts.linux.dev,
 Ganapatrao Kulkarni <gankulkarni@...amperecomputing.com>,
 Gavin Shan <gshan@...hat.com>, Shanker Donthineni <sdonthineni@...dia.com>,
 Alper Gun <alpergun@...gle.com>, "Aneesh Kumar K . V"
 <aneesh.kumar@...nel.org>, Emi Kisanuki <fj0570is@...itsu.com>,
 Vishal Annapurve <vannapurve@...gle.com>
Subject: Re: [PATCH v10 08/43] kvm: arm64: Don't expose debug capabilities for
 realm guests

On 01/10/2025 14:11, Marc Zyngier wrote:
> On Wed, 20 Aug 2025 15:55:28 +0100,
> Steven Price <steven.price@....com> wrote:
>>
>> From: Suzuki K Poulose <suzuki.poulose@....com>
>>
>> RMM v1.0 provides no mechanism for the host to perform debug operations
>> on the guest. So don't expose KVM_CAP_SET_GUEST_DEBUG and report 0
>> breakpoints and 0 watch points.
> 
> What is the guest seeing for the same things?

The number of breakpoints/watchpoints is configured using the usual
architectural register ID_AA64DFR0_EL1. So the VMM can configure the
guest as it pleases to be able to debug itself.

Obviously CCA is about the host not seeing into the guest so debugging
the guest is generally not permitted.

RMM v1.1 should provide some mechanisms for the host to debug a realm -
but this would also change the attestation measurement so needs buy in
from the guest's attestation flow. I don't think the RMM API for that is
finalised yet, and I certainly don't have any Linux patches.

Thanks,
Steve

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ