Open Source and information security mailing list archives
 
Date:   Mon, 11 Jan 2021 16:26:02 +0300
From:   "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>
To:     "Radev, Martin" <martin.radev@...ec.fraunhofer.de>
Cc:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "intel-wired-lan@...ts.osuosl.org" <intel-wired-lan@...ts.osuosl.org>,
        "doshir@...are.com" <doshir@...are.com>,
        "jesse.brandeburg@...el.com" <jesse.brandeburg@...el.com>,
        "anthony.l.nguyen@...el.com" <anthony.l.nguyen@...el.com>,
        "Morbitzer, Mathias" <mathias.morbitzer@...ec.fraunhofer.de>,
        Robert Buhren <robert.buhren@...t.tu-berlin.de>,
        "file@...t.tu-berlin.de" <file@...t.tu-berlin.de>,
        "Banse, Christian" <christian.banse@...ec.fraunhofer.de>,
        "brijesh.singh@....com" <brijesh.singh@....com>,
        "Thomas.Lendacky@....com" <Thomas.Lendacky@....com>,
        "pv-drivers@...are.com" <pv-drivers@...are.com>,
        "martin.b.radev@...il.com" <martin.b.radev@...il.com>,
        "sathyanarayanan.kuppuswamy@...ux.intel.com" 
        <sathyanarayanan.kuppuswamy@...ux.intel.com>,
        "Kleen, Andi" <andi.kleen@...el.com>
Subject: Re: Security issue with vmxnet3 and e100 for AMD SEV(-SNP) / Intel TDX

On Fri, Jan 08, 2021 at 03:31:56PM +0000, Radev, Martin wrote:
> Just noticed that Intel TDX already does the device filtering. Check: https://github.com/intel/tdx/commit/6789eee52aab8985e49b362379fab73aa3eecde2
> 
> CC-ing Kirill and Kuppuswamy from Intel in case they want to be part of the discussion.
> ________________________________
> From: Radev, Martin
> Sent: Friday, January 8, 2021 12:57 PM
> To: netdev@...r.kernel.org <netdev@...r.kernel.org>; intel-wired-lan@...ts.osuosl.org <intel-wired-lan@...ts.osuosl.org>
> Cc: doshir@...are.com <doshir@...are.com>; jesse.brandeburg@...el.com <jesse.brandeburg@...el.com>; anthony.l.nguyen@...el.com <anthony.l.nguyen@...el.com>; Morbitzer, Mathias <mathias.morbitzer@...ec.fraunhofer.de>; Robert Buhren <robert.buhren@...t.tu-berlin.de>; file@...t.tu-berlin.de <file@...t.tu-berlin.de>; Banse, Christian <christian.banse@...ec.fraunhofer.de>; brijesh.singh@....com <brijesh.singh@....com>; Thomas.Lendacky@....com <Thomas.Lendacky@....com>; pv-drivers@...are.com <pv-drivers@...are.com>; martin.b.radev@...il.com <martin.b.radev@...il.com>
> Subject: Security issue with vmxnet3 and e100 for AMD SEV(-SNP) / Intel TDX
> 
> Hello everybody,
> 
> tldr: Both drivers expose skb GVAs to untrusted devices which gives RIP
> control to a malicious e100 / vmxnet3 device implementation. This is
> an issue for AMD SEV (-SNP) [1] and likely Intel TDX [2].
> 
> Felicitas and Robert have started a project on fuzzing device drivers which
> may have negative security impact on solutions like AMD SEV Secure
> Nested Paging and Intel Trusted Domain Extensions. These solutions protect
> a VM from a malicious Hypervisor in various ways.
> 
> There are a couple of devices which carry security issues under the attacker
> models of SEV-SNP / Intel TDX, but here we're only discussing VMXNET3 and
> e100, because we have detailed PoCs for both.
> 
> Maintainers of both vmxnet3 and e100 were added in this email because the
> discussion will likely be the same. The issues were already sent to AMD PSIRT,
> and Tom Lendacky and Brijesh Singh have volunteered to be part of the email
> communication with the maintainers. Both have been working on AMD SEV.
> 
> Please check the two attached files: vmxnet3_report.txt and e100_report.txt.
> Both contain detailed information about what the issue is and how it can be
> exploited by a malicious HV or attacker who has access to the QEMU process.
> 
> Fix:
> In an earlier discussion with AMD, there was the idea of making a list of
> allowed devices with SEV and forbidding everything else. This would avoid
> issues with other drivers whose implementation has not yet been scrutinized
> under the threat model of SEV-SNP and Intel Trusted Domain Extensions.

+Andi.

Right. Our TDX guest enabling has a whitelist of devices that are allowed to be
used. For now it's only VirtIO, but I believe it also requires hardening.
We need to validate any VMM input.

It might be beneficial to have coordination between Intel and AMD on what
devices (and device drivers) are considered to be safe for trusted computing.
I think we can share the burden of code audit and fuzzing.

-- 
 Kirill A. Shutemov
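The bug class the report describes (a driver handing a device the guest virtual address of its skb and later using whatever the device echoes back) next to the kind of input validation Kirill asks for, as an added, constructed C example; it is not code from vmxnet3, e100 or the kernel, and the descriptor layout, the cookie encoding and all names are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed example (not vmxnet3/e100 code). A driver posts a buffer to a
 * device and later reads the completion the device wrote; under SEV-SNP / TDX
 * the device is hostile, so that completion is untrusted input. */
#define RING_SIZE 8
#define BUF_SIZE  256

struct buf { unsigned char data[BUF_SIZE]; };
struct completion { uint64_t cookie; uint32_t len; };  /* written by device */
struct ring {                           /* driver-private, invisible to device */
    struct buf *slot[RING_SIZE];        /* real guest pointers never leave here */
    uint16_t    gen[RING_SIZE];         /* bumped each time a slot is reused */
};

/* Weak pattern: the descriptor carried the buffer's GVA and the driver uses
 * whatever the device echoes back as a pointer, so the device chooses it. */
struct buf *weak_lookup(const struct completion *c)
{
    return (struct buf *)(uintptr_t)c->cookie;
}

/* Hardened pattern: the device only sees cookie = generation << 16 | index,
 * which the driver resolves through its own table with every field checked. */
uint64_t post_buffer(struct ring *r, unsigned idx, struct buf *b)
{
    r->gen[idx]++;
    r->slot[idx] = b;
    return ((uint64_t)r->gen[idx] << 16) | idx;
}

struct buf *hardened_lookup(const struct ring *r, const struct completion *c)
{
    uint64_t idx = c->cookie & 0xffff;
    uint16_t gen = (uint16_t)(c->cookie >> 16);
    if (c->cookie >> 32)      return NULL;   /* bits no issued cookie sets */
    if (idx >= RING_SIZE)     return NULL;   /* index outside the ring */
    if (r->slot[idx] == NULL) return NULL;   /* slot not currently posted */
    if (r->gen[idx] != gen)   return NULL;   /* stale or replayed cookie */
    if (c->len > BUF_SIZE)    return NULL;   /* longer than what we posted */
    return r->slot[idx];
}

/* Fixture for the checks below: post g_buf in slot 3 and return its cookie. */
struct ring g_ring;
struct buf  g_buf;
uint64_t post_demo(void)
{
    memset(&g_ring, 0, sizeof g_ring);
    return post_buffer(&g_ring, 3, &g_buf);
}
```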
