| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aPe46Ev0wWks6Hz2@google.com> Date: Tue, 21 Oct 2025 09:46:32 -0700 From: Sean Christopherson <seanjc@...gle.com> To: Adrian Hunter <adrian.hunter@...el.com> Cc: Rick P Edgecombe <rick.p.edgecombe@...el.com>, "pbonzini@...hat.com" <pbonzini@...hat.com>, "kas@...nel.org" <kas@...nel.org>, Xiaoyao Li <xiaoyao.li@...el.com>, "kvm@...r.kernel.org" <kvm@...r.kernel.org>, "linux-coco@...ts.linux.dev" <linux-coco@...ts.linux.dev>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Yan Y Zhao <yan.y.zhao@...el.com>, "x86@...nel.org" <x86@...nel.org>, wenlong hou <houwenlong.hwl@...group.com> Subject: Re: [PATCH v4 1/4] KVM: TDX: Synchronize user-return MSRs immediately after VP.ENTER On Tue, Oct 21, 2025, Adrian Hunter wrote: > On 21/10/2025 18:06, Sean Christopherson wrote: > > On Tue, Oct 21, 2025, Adrian Hunter wrote: > >> On 21/10/2025 01:55, Edgecombe, Rick P wrote: > >>>> + * Several of KVM's user-return MSRs are clobbered by the TDX-Module if > >>>> + * VP.ENTER succeeds, i.e. on TD-Exit. Mark those MSRs as needing an > >>>> + * update to synchronize the "current" value in KVM's cache with the > >>>> + * value in hardware (loaded by the TDX-Module). > >>>> + */ > >>> > >>> I think we should be synchronizing only after a successful VP.ENTER with a real > >>> TD exit, but today instead we synchronize after any attempt to VP.ENTER. > > > > Well this is all completely @#($*#. Looking at the TDX-Module source, if the > > TDX-Module synthesizes an exit, e.g. because it suspects a zero-step attack, it > > will signal a "normal" exit but not "restore" VMM state. > > > >> If the MSR's do not get clobbered, does it matter whether or not they get > >> restored. > > > > It matters because KVM needs to know the actual value in hardware. If KVM thinks > > an MSR is 'X', but it's actually 'Y', then KVM could fail to write the correct > > value into hardware when returning to userspace and/or when running a different > > vCPU. > > I don't quite follow: if an MSR does not get clobbered, where does the > incorrect value come from? kvm_set_user_return_msr() elides the WRMSR if the current value in hardware matches the new, desired value. If KVM thinks the MSR is 'X', and KVM wants to set the MSR to 'X', then KVM will skip the WRMSR and continue on with the wrong value. Using MSR_TSC_AUX as an example, let's say the vCPU task is running on CPU1, and that there's a non-TDX vCPU (with guest-side CPU=0) also scheduled on CPU1. Before VP.ENTER, MSR_TSC_AUX=user_return_msrs[slot].curr=1 (the host's CPU1 value). After a *failed* VP.ENTER, MSR_TSC_AUX will still be '1', but it's "curr" value in user_return_msrs will be '0' due to kvm_user_return_msr_update_cache() incorrectly thinking the TDX-Module clobbered the MSR to '0' When KVM runs the non-TDX vCPU, which wants to run with MSR_TSC_AUX=0, then kvm_set_user_return_msr() will see msrs->values[slot].curr==value==0 and not do the WRMSR. KVM will then run the non-TDX vCPU with MSR_TSC_AUX=1 and corrupt the guest.
Powered by blists - more mailing lists