From: Laurent Dufour <ldufour@linux.ibm.com>
To: Greg Kurz <groug@kaod.org>
Cc: linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org,
kvm-ppc@vger.kernel.org, Bharata B Rao <bharata@linux.ibm.com>,
Paul Mackerras <paulus@ozlabs.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Michael Ellerman <mpe@ellerman.id.au>
Subject: Re: [PATCH 1/2] KVM: PPC: Book3S HV: check caller of H_SVM_* Hcalls
Date: Fri, 20 Mar 2020 15:43:54 +0100 [thread overview]
Message-ID: <2268d1e3-3020-91c4-90e2-d2eced6a214a@linux.ibm.com> (raw)
In-Reply-To: <20200320132248.44b81b3b@bahia.lan>
Le 20/03/2020 à 13:22, Greg Kurz a écrit :
> On Fri, 20 Mar 2020 11:26:42 +0100
> Laurent Dufour <ldufour@linux.ibm.com> wrote:
>
>> The Hcall named H_SVM_* are reserved to the Ultravisor. However, nothing
>> prevent a malicious VM or SVM to call them. This could lead to weird result
>> and should be filtered out.
>>
>> Checking the Secure bit of the calling MSR ensure that the call is coming
>> from either the Ultravisor or a SVM. But any system call made from a SVM
>> are going through the Ultravisor, and the Ultravisor should filter out
>> these malicious call. This way, only the Ultravisor is able to make such a
>> Hcall.
>
> "Ultravisor should filter" ? And what if it doesn't (eg. because of a bug) ?
If it doesn't, a malicious SVM would be able to call UV reserved Hcall like
H_SVM_INIT_ABORT, etc... which is not a good idea.
>
> Shouldn't we also check the HV bit of the calling MSR as well to
> disambiguate SVM and UV ?
That's another way to do so, but since the SVM Hcall are going through the UV,
it seems the right place (the UV) to do the filtering.
>>
>> Cc: Bharata B Rao <bharata@linux.ibm.com>
>> Cc: Paul Mackerras <paulus@ozlabs.org>
>> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
>> Cc: Michael Ellerman <mpe@ellerman.id.au>
>> Signed-off-by: Laurent Dufour <ldufour@linux.ibm.com>
>> ---
>> arch/powerpc/kvm/book3s_hv.c | 32 +++++++++++++++++++++-----------
>> 1 file changed, 21 insertions(+), 11 deletions(-)
>>
>> diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
>> index 33be4d93248a..43773182a737 100644
>> --- a/arch/powerpc/kvm/book3s_hv.c
>> +++ b/arch/powerpc/kvm/book3s_hv.c
>> @@ -1074,25 +1074,35 @@ int kvmppc_pseries_do_hcall(struct kvm_vcpu *vcpu)
>> kvmppc_get_gpr(vcpu, 6));
>> break;
>> case H_SVM_PAGE_IN:
>> - ret = kvmppc_h_svm_page_in(vcpu->kvm,
>> - kvmppc_get_gpr(vcpu, 4),
>> - kvmppc_get_gpr(vcpu, 5),
>> - kvmppc_get_gpr(vcpu, 6));
>> + ret = H_UNSUPPORTED;
>> + if (kvmppc_get_srr1(vcpu) & MSR_S)
>> + ret = kvmppc_h_svm_page_in(vcpu->kvm,
>> + kvmppc_get_gpr(vcpu, 4),
>> + kvmppc_get_gpr(vcpu, 5),
>> + kvmppc_get_gpr(vcpu, 6));
>
> If calling kvmppc_h_svm_page_in() produces a "weird result" when
> the MSR_S bit isn't set, then I think it should do the checking
> itself, ie. pass vcpu.
>
> This would also prevent adding that many lines in kvmppc_pseries_do_hcall()
> which is a big enough function already. The checking could be done in a
> helper in book3s_hv_uvmem.c and used by all UV specific hcalls.
I'm not convinced that would be better, and I followed the way checks for other
Hcalls has been made (see H_TLB_INVALIDATE,..).
I agree kvmppc_pseries_do_hcall() is long but this is just a big switch(),
quite linear.
>
>> break;
>> case H_SVM_PAGE_OUT:
>> - ret = kvmppc_h_svm_page_out(vcpu->kvm,
>> - kvmppc_get_gpr(vcpu, 4),
>> - kvmppc_get_gpr(vcpu, 5),
>> - kvmppc_get_gpr(vcpu, 6));
>> + ret = H_UNSUPPORTED;
>> + if (kvmppc_get_srr1(vcpu) & MSR_S)
>> + ret = kvmppc_h_svm_page_out(vcpu->kvm,
>> + kvmppc_get_gpr(vcpu, 4),
>> + kvmppc_get_gpr(vcpu, 5),
>> + kvmppc_get_gpr(vcpu, 6));
>> break;
>> case H_SVM_INIT_START:
>> - ret = kvmppc_h_svm_init_start(vcpu->kvm);
>> + ret = H_UNSUPPORTED;
>> + if (kvmppc_get_srr1(vcpu) & MSR_S)
>> + ret = kvmppc_h_svm_init_start(vcpu->kvm);
>> break;
>> case H_SVM_INIT_DONE:
>> - ret = kvmppc_h_svm_init_done(vcpu->kvm);
>> + ret = H_UNSUPPORTED;
>> + if (kvmppc_get_srr1(vcpu) & MSR_S)
>> + ret = kvmppc_h_svm_init_done(vcpu->kvm);
>> break;
>> case H_SVM_INIT_ABORT:
>> - ret = kvmppc_h_svm_init_abort(vcpu->kvm);
>> + ret = H_UNSUPPORTED;
>> + if (kvmppc_get_srr1(vcpu) & MSR_S)
>> + ret = kvmppc_h_svm_init_abort(vcpu->kvm);
>> break;
>>
>> default:
>
WARNING: multiple messages have this Message-ID (diff)
From: Laurent Dufour <ldufour@linux.ibm.com>
To: Greg Kurz <groug@kaod.org>
Cc: linux-kernel@vger.kernel.org, kvm-ppc@vger.kernel.org,
Bharata B Rao <bharata@linux.ibm.com>,
linuxppc-dev@lists.ozlabs.org
Subject: Re: [PATCH 1/2] KVM: PPC: Book3S HV: check caller of H_SVM_* Hcalls
Date: Fri, 20 Mar 2020 15:43:54 +0100 [thread overview]
Message-ID: <2268d1e3-3020-91c4-90e2-d2eced6a214a@linux.ibm.com> (raw)
In-Reply-To: <20200320132248.44b81b3b@bahia.lan>
Le 20/03/2020 à 13:22, Greg Kurz a écrit :
> On Fri, 20 Mar 2020 11:26:42 +0100
> Laurent Dufour <ldufour@linux.ibm.com> wrote:
>
>> The Hcall named H_SVM_* are reserved to the Ultravisor. However, nothing
>> prevent a malicious VM or SVM to call them. This could lead to weird result
>> and should be filtered out.
>>
>> Checking the Secure bit of the calling MSR ensure that the call is coming
>> from either the Ultravisor or a SVM. But any system call made from a SVM
>> are going through the Ultravisor, and the Ultravisor should filter out
>> these malicious call. This way, only the Ultravisor is able to make such a
>> Hcall.
>
> "Ultravisor should filter" ? And what if it doesn't (eg. because of a bug) ?
If it doesn't, a malicious SVM would be able to call UV reserved Hcall like
H_SVM_INIT_ABORT, etc... which is not a good idea.
>
> Shouldn't we also check the HV bit of the calling MSR as well to
> disambiguate SVM and UV ?
That's another way to do so, but since the SVM Hcall are going through the UV,
it seems the right place (the UV) to do the filtering.
>>
>> Cc: Bharata B Rao <bharata@linux.ibm.com>
>> Cc: Paul Mackerras <paulus@ozlabs.org>
>> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
>> Cc: Michael Ellerman <mpe@ellerman.id.au>
>> Signed-off-by: Laurent Dufour <ldufour@linux.ibm.com>
>> ---
>> arch/powerpc/kvm/book3s_hv.c | 32 +++++++++++++++++++++-----------
>> 1 file changed, 21 insertions(+), 11 deletions(-)
>>
>> diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
>> index 33be4d93248a..43773182a737 100644
>> --- a/arch/powerpc/kvm/book3s_hv.c
>> +++ b/arch/powerpc/kvm/book3s_hv.c
>> @@ -1074,25 +1074,35 @@ int kvmppc_pseries_do_hcall(struct kvm_vcpu *vcpu)
>> kvmppc_get_gpr(vcpu, 6));
>> break;
>> case H_SVM_PAGE_IN:
>> - ret = kvmppc_h_svm_page_in(vcpu->kvm,
>> - kvmppc_get_gpr(vcpu, 4),
>> - kvmppc_get_gpr(vcpu, 5),
>> - kvmppc_get_gpr(vcpu, 6));
>> + ret = H_UNSUPPORTED;
>> + if (kvmppc_get_srr1(vcpu) & MSR_S)
>> + ret = kvmppc_h_svm_page_in(vcpu->kvm,
>> + kvmppc_get_gpr(vcpu, 4),
>> + kvmppc_get_gpr(vcpu, 5),
>> + kvmppc_get_gpr(vcpu, 6));
>
> If calling kvmppc_h_svm_page_in() produces a "weird result" when
> the MSR_S bit isn't set, then I think it should do the checking
> itself, ie. pass vcpu.
>
> This would also prevent adding that many lines in kvmppc_pseries_do_hcall()
> which is a big enough function already. The checking could be done in a
> helper in book3s_hv_uvmem.c and used by all UV specific hcalls.
I'm not convinced that would be better, and I followed the way checks for other
Hcalls has been made (see H_TLB_INVALIDATE,..).
I agree kvmppc_pseries_do_hcall() is long but this is just a big switch(),
quite linear.
>
>> break;
>> case H_SVM_PAGE_OUT:
>> - ret = kvmppc_h_svm_page_out(vcpu->kvm,
>> - kvmppc_get_gpr(vcpu, 4),
>> - kvmppc_get_gpr(vcpu, 5),
>> - kvmppc_get_gpr(vcpu, 6));
>> + ret = H_UNSUPPORTED;
>> + if (kvmppc_get_srr1(vcpu) & MSR_S)
>> + ret = kvmppc_h_svm_page_out(vcpu->kvm,
>> + kvmppc_get_gpr(vcpu, 4),
>> + kvmppc_get_gpr(vcpu, 5),
>> + kvmppc_get_gpr(vcpu, 6));
>> break;
>> case H_SVM_INIT_START:
>> - ret = kvmppc_h_svm_init_start(vcpu->kvm);
>> + ret = H_UNSUPPORTED;
>> + if (kvmppc_get_srr1(vcpu) & MSR_S)
>> + ret = kvmppc_h_svm_init_start(vcpu->kvm);
>> break;
>> case H_SVM_INIT_DONE:
>> - ret = kvmppc_h_svm_init_done(vcpu->kvm);
>> + ret = H_UNSUPPORTED;
>> + if (kvmppc_get_srr1(vcpu) & MSR_S)
>> + ret = kvmppc_h_svm_init_done(vcpu->kvm);
>> break;
>> case H_SVM_INIT_ABORT:
>> - ret = kvmppc_h_svm_init_abort(vcpu->kvm);
>> + ret = H_UNSUPPORTED;
>> + if (kvmppc_get_srr1(vcpu) & MSR_S)
>> + ret = kvmppc_h_svm_init_abort(vcpu->kvm);
>> break;
>>
>> default:
>
WARNING: multiple messages have this Message-ID (diff)
From: Laurent Dufour <ldufour@linux.ibm.com>
To: Greg Kurz <groug@kaod.org>
Cc: linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org,
kvm-ppc@vger.kernel.org, Bharata B Rao <bharata@linux.ibm.com>,
Paul Mackerras <paulus@ozlabs.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Michael Ellerman <mpe@ellerman.id.au>
Subject: Re: [PATCH 1/2] KVM: PPC: Book3S HV: check caller of H_SVM_* Hcalls
Date: Fri, 20 Mar 2020 14:43:54 +0000 [thread overview]
Message-ID: <2268d1e3-3020-91c4-90e2-d2eced6a214a@linux.ibm.com> (raw)
In-Reply-To: <20200320132248.44b81b3b@bahia.lan>
Le 20/03/2020 à 13:22, Greg Kurz a écrit :
> On Fri, 20 Mar 2020 11:26:42 +0100
> Laurent Dufour <ldufour@linux.ibm.com> wrote:
>
>> The Hcall named H_SVM_* are reserved to the Ultravisor. However, nothing
>> prevent a malicious VM or SVM to call them. This could lead to weird result
>> and should be filtered out.
>>
>> Checking the Secure bit of the calling MSR ensure that the call is coming
>> from either the Ultravisor or a SVM. But any system call made from a SVM
>> are going through the Ultravisor, and the Ultravisor should filter out
>> these malicious call. This way, only the Ultravisor is able to make such a
>> Hcall.
>
> "Ultravisor should filter" ? And what if it doesn't (eg. because of a bug) ?
If it doesn't, a malicious SVM would be able to call UV reserved Hcall like
H_SVM_INIT_ABORT, etc... which is not a good idea.
>
> Shouldn't we also check the HV bit of the calling MSR as well to
> disambiguate SVM and UV ?
That's another way to do so, but since the SVM Hcall are going through the UV,
it seems the right place (the UV) to do the filtering.
>>
>> Cc: Bharata B Rao <bharata@linux.ibm.com>
>> Cc: Paul Mackerras <paulus@ozlabs.org>
>> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
>> Cc: Michael Ellerman <mpe@ellerman.id.au>
>> Signed-off-by: Laurent Dufour <ldufour@linux.ibm.com>
>> ---
>> arch/powerpc/kvm/book3s_hv.c | 32 +++++++++++++++++++++-----------
>> 1 file changed, 21 insertions(+), 11 deletions(-)
>>
>> diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
>> index 33be4d93248a..43773182a737 100644
>> --- a/arch/powerpc/kvm/book3s_hv.c
>> +++ b/arch/powerpc/kvm/book3s_hv.c
>> @@ -1074,25 +1074,35 @@ int kvmppc_pseries_do_hcall(struct kvm_vcpu *vcpu)
>> kvmppc_get_gpr(vcpu, 6));
>> break;
>> case H_SVM_PAGE_IN:
>> - ret = kvmppc_h_svm_page_in(vcpu->kvm,
>> - kvmppc_get_gpr(vcpu, 4),
>> - kvmppc_get_gpr(vcpu, 5),
>> - kvmppc_get_gpr(vcpu, 6));
>> + ret = H_UNSUPPORTED;
>> + if (kvmppc_get_srr1(vcpu) & MSR_S)
>> + ret = kvmppc_h_svm_page_in(vcpu->kvm,
>> + kvmppc_get_gpr(vcpu, 4),
>> + kvmppc_get_gpr(vcpu, 5),
>> + kvmppc_get_gpr(vcpu, 6));
>
> If calling kvmppc_h_svm_page_in() produces a "weird result" when
> the MSR_S bit isn't set, then I think it should do the checking
> itself, ie. pass vcpu.
>
> This would also prevent adding that many lines in kvmppc_pseries_do_hcall()
> which is a big enough function already. The checking could be done in a
> helper in book3s_hv_uvmem.c and used by all UV specific hcalls.
I'm not convinced that would be better, and I followed the way checks for other
Hcalls has been made (see H_TLB_INVALIDATE,..).
I agree kvmppc_pseries_do_hcall() is long but this is just a big switch(),
quite linear.
>
>> break;
>> case H_SVM_PAGE_OUT:
>> - ret = kvmppc_h_svm_page_out(vcpu->kvm,
>> - kvmppc_get_gpr(vcpu, 4),
>> - kvmppc_get_gpr(vcpu, 5),
>> - kvmppc_get_gpr(vcpu, 6));
>> + ret = H_UNSUPPORTED;
>> + if (kvmppc_get_srr1(vcpu) & MSR_S)
>> + ret = kvmppc_h_svm_page_out(vcpu->kvm,
>> + kvmppc_get_gpr(vcpu, 4),
>> + kvmppc_get_gpr(vcpu, 5),
>> + kvmppc_get_gpr(vcpu, 6));
>> break;
>> case H_SVM_INIT_START:
>> - ret = kvmppc_h_svm_init_start(vcpu->kvm);
>> + ret = H_UNSUPPORTED;
>> + if (kvmppc_get_srr1(vcpu) & MSR_S)
>> + ret = kvmppc_h_svm_init_start(vcpu->kvm);
>> break;
>> case H_SVM_INIT_DONE:
>> - ret = kvmppc_h_svm_init_done(vcpu->kvm);
>> + ret = H_UNSUPPORTED;
>> + if (kvmppc_get_srr1(vcpu) & MSR_S)
>> + ret = kvmppc_h_svm_init_done(vcpu->kvm);
>> break;
>> case H_SVM_INIT_ABORT:
>> - ret = kvmppc_h_svm_init_abort(vcpu->kvm);
>> + ret = H_UNSUPPORTED;
>> + if (kvmppc_get_srr1(vcpu) & MSR_S)
>> + ret = kvmppc_h_svm_init_abort(vcpu->kvm);
>> break;
>>
>> default:
>
next prev parent reply other threads:[~2020-03-20 14:44 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-20 10:26 [PATCH 0/2] Fix SVM hang at startup Laurent Dufour
2020-03-20 10:26 ` Laurent Dufour
2020-03-20 10:26 ` [PATCH 1/2] KVM: PPC: Book3S HV: check caller of H_SVM_* Hcalls Laurent Dufour
2020-03-20 10:26 ` Laurent Dufour
2020-03-20 10:26 ` Laurent Dufour
2020-03-20 12:22 ` Greg Kurz
2020-03-20 12:22 ` Greg Kurz
2020-03-20 12:22 ` Greg Kurz
2020-03-20 14:43 ` Laurent Dufour [this message]
2020-03-20 14:43 ` Laurent Dufour
2020-03-20 14:43 ` Laurent Dufour
2020-03-23 23:43 ` Paul Mackerras
2020-03-23 23:43 ` Paul Mackerras
2020-03-23 23:43 ` Paul Mackerras
2020-03-24 12:00 ` Greg Kurz
2020-03-24 12:00 ` Greg Kurz
2020-03-24 12:00 ` Greg Kurz
2020-03-24 13:13 ` Laurent Dufour
2020-03-24 13:13 ` Laurent Dufour
2020-03-24 13:13 ` Laurent Dufour
2020-03-21 0:40 ` Ram Pai
2020-03-21 0:40 ` Ram Pai
2020-03-20 10:26 ` [PATCH 2/2] KVM: PPC: Book3S HV: H_SVM_INIT_START must call UV_RETURN Laurent Dufour
2020-03-20 10:26 ` Laurent Dufour
2020-03-20 10:26 ` Laurent Dufour
2020-03-20 11:24 ` Bharata B Rao
2020-03-20 11:36 ` Bharata B Rao
2020-03-20 11:24 ` Bharata B Rao
2020-03-20 14:36 ` Laurent Dufour
2020-03-20 14:36 ` Laurent Dufour
2020-03-20 14:36 ` Laurent Dufour
2020-03-23 4:21 ` Bharata B Rao
2020-03-23 4:33 ` Bharata B Rao
2020-03-23 4:21 ` Bharata B Rao
2020-03-21 0:47 ` Ram Pai
2020-03-21 0:47 ` Ram Pai
2020-03-21 0:47 ` Ram Pai
2020-03-23 14:09 ` Fabiano Rosas
2020-03-23 14:09 ` Fabiano Rosas
2020-03-23 14:09 ` Fabiano Rosas
2020-03-24 2:54 ` [PATCH 0/2] Fix SVM hang at startup Paul Mackerras
2020-03-24 2:54 ` Paul Mackerras
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2268d1e3-3020-91c4-90e2-d2eced6a214a@linux.ibm.com \
--to=ldufour@linux.ibm.com \
--cc=benh@kernel.crashing.org \
--cc=bharata@linux.ibm.com \
--cc=groug@kaod.org \
--cc=kvm-ppc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mpe@ellerman.id.au \
--cc=paulus@ozlabs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.