| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aPvaw6NgPBq1paUh@google.com> Date: Fri, 24 Oct 2025 13:00:03 -0700 From: Sean Christopherson <seanjc@...gle.com> To: dan.j.williams@...el.com Cc: Dave Hansen <dave.hansen@...el.com>, Chao Gao <chao.gao@...el.com>, Vishal Annapurve <vannapurve@...gle.com>, Elena Reshetova <elena.reshetova@...el.com>, "linux-coco@...ts.linux.dev" <linux-coco@...ts.linux.dev>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "x86@...nel.org" <x86@...nel.org>, Reinette Chatre <reinette.chatre@...el.com>, Ira Weiny <ira.weiny@...el.com>, Kai Huang <kai.huang@...el.com>, "yilun.xu@...ux.intel.com" <yilun.xu@...ux.intel.com>, "sagis@...gle.com" <sagis@...gle.com>, "paulmck@...nel.org" <paulmck@...nel.org>, "nik.borisov@...e.com" <nik.borisov@...e.com>, Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>, "H. Peter Anvin" <hpa@...or.com>, Ingo Molnar <mingo@...hat.com>, "Kirill A. Shutemov" <kas@...nel.org>, Paolo Bonzini <pbonzini@...hat.com>, Rick P Edgecombe <rick.p.edgecombe@...el.com>, Thomas Gleixner <tglx@...utronix.de> Subject: Re: [PATCH v2 00/21] Runtime TDX Module update support On Fri, Oct 24, 2025, dan.j.williams@...el.com wrote: > Dave Hansen wrote: > > On 10/24/25 00:43, Chao Gao wrote: > > ... > > > Beyond "the kvm_tdx object gets torn down during a build," I see two potential > > > issues: > > > > > > 1. TD Build and TDX migration aren't purely kernel processes -- they span multiple > > > KVM ioctls. Holding a read-write lock throughout the entire process would > > > require exiting to userspace while the lock is held. I think this is > > > irregular, but I'm not sure if it's acceptable for read-write semaphores. > > > > Sure, I guess it's irregular. But look at it this way: let's say we > > concocted some scheme to use a TD build refcount and a module update > > flag, had them both wait_event_interruptible() on each other, and then > > did wakeups. That would get the same semantics without an rwsem. > > This sounds unworkable to me. > > First, you cannot return to userspace while holding a lock. Lockdep will > rightfully scream: > > "WARNING: lock held when returning to user space!" > > The complexity of ensuring that a multi-stage ABI transaction completes > from the kernel side is painful. If that process dies in the middle of > its ABI sequence who cleans up these references? > > The operational mechanism to make sure that one process flow does not > mess up another process flow is for those process to communicate with > *userspace* file locks, or for those process to check for failures after > the fact and retry. Unless you can make the build side an atomic ABI, > this is a documentation + userspace problem, not a kernel problem. C'mon people (especially the Google folks), this is the ***exact*** same problem as certificate updates for SNP[1]. Y'all suggested holding a lock across a userspace exit back then, and Dan's analysis confirms my reaction from back then that "Holding a lock across an exit to userspace seems wildly unsafe."[2] In the end, it took more time to understand the problem then to sketch out and test a solution[3]. Unless this somehow puts the host (kernel) at risk, this is a userspace problem. [1] https://lore.kernel.org/all/20240426173515.6pio42iqvjj2aeac@amd.com [2] https://lore.kernel.org/all/Zx_V5SHwzDAl8ZQR@google.com [3] https://lore.kernel.org/all/ZixCYlKn5OYUFWEq@google.com
Powered by blists - more mailing lists