From: Andi Kleen <ak@linux.intel.com>
To: Andy Lutomirski <luto@kernel.org>, mst@redhat.com
Cc: Jason Wang <jasowang@redhat.com>,
virtualization@lists.linux-foundation.org, hch@lst.de,
m.szyprowski@samsung.com, robin.murphy@arm.com,
iommu@lists.linux-foundation.org,
the arch/x86 maintainers <x86@kernel.org>,
sathyanarayanan.kuppuswamy@linux.intel.com,
Josh Poimboeuf <jpoimboe@redhat.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v1 1/8] virtio: Force only split mode with protected guest
Date: Thu, 3 Jun 2021 16:32:58 -0700 [thread overview]
Message-ID: <884f34e0-fcd2-bb82-9e9e-4269823fa9b2@linux.intel.com> (raw)
In-Reply-To: <b8b39b76-8d07-4e4a-804a-746269787b61@www.fastmail.com>
> We do not need an increasing pile of kludges
Do you mean disabling features is a kludge?
If yes I disagree with that characterization.
> to make TDX and SEV “secure”. We need the actual loaded driver to be secure. The virtio architecture is full of legacy nonsense,
> and there is no good reason for SEV and TDX to be a giant special case.
I don't know where you see a "giant special case". Except for the
limited feature negotiation all the changes are common, and the
disabling of features (which is not new BTW, but already done e.g. with
forcing DMA API in some cases) can be of course used by all these other
technologies too. But it just cannot be done by default for everything
because it would break compatibility. So every technology with such
requirements has to explicitly opt-in.
>
> As I said before, real PCIe (Thunderbolt/USB-C or anything else) has the exact same problem. The fact that TDX has encrypted memory is, at best, a poor proxy for the actual condition. The actual condition is that the host does not trust the device to implement the virtio protocol correctly.
Right they can do similar limitations of feature sets. But again it
cannot be default.
>
>>
>> TDX and SEV use the arch hook to enforce DMA API, so that part is also
>> solved.
>>
> Can you point me to the code you’re referring to?
See 4/8 in this patch kit. It uses an existing hook which is already
used in tree by s390.
-Andi
WARNING: multiple messages have this Message-ID (diff)
From: Andi Kleen <ak@linux.intel.com>
To: Andy Lutomirski <luto@kernel.org>, mst@redhat.com
Cc: Jason Wang <jasowang@redhat.com>,
the arch/x86 maintainers <x86@kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
virtualization@lists.linux-foundation.org,
iommu@lists.linux-foundation.org,
Josh Poimboeuf <jpoimboe@redhat.com>,
robin.murphy@arm.com, hch@lst.de
Subject: Re: [PATCH v1 1/8] virtio: Force only split mode with protected guest
Date: Thu, 3 Jun 2021 16:32:58 -0700 [thread overview]
Message-ID: <884f34e0-fcd2-bb82-9e9e-4269823fa9b2@linux.intel.com> (raw)
In-Reply-To: <b8b39b76-8d07-4e4a-804a-746269787b61@www.fastmail.com>
> We do not need an increasing pile of kludges
Do you mean disabling features is a kludge?
If yes I disagree with that characterization.
> to make TDX and SEV “secure”. We need the actual loaded driver to be secure. The virtio architecture is full of legacy nonsense,
> and there is no good reason for SEV and TDX to be a giant special case.
I don't know where you see a "giant special case". Except for the
limited feature negotiation all the changes are common, and the
disabling of features (which is not new BTW, but already done e.g. with
forcing DMA API in some cases) can be of course used by all these other
technologies too. But it just cannot be done by default for everything
because it would break compatibility. So every technology with such
requirements has to explicitly opt-in.
>
> As I said before, real PCIe (Thunderbolt/USB-C or anything else) has the exact same problem. The fact that TDX has encrypted memory is, at best, a poor proxy for the actual condition. The actual condition is that the host does not trust the device to implement the virtio protocol correctly.
Right they can do similar limitations of feature sets. But again it
cannot be default.
>
>>
>> TDX and SEV use the arch hook to enforce DMA API, so that part is also
>> solved.
>>
> Can you point me to the code you’re referring to?
See 4/8 in this patch kit. It uses an existing hook which is already
used in tree by s390.
-Andi
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
WARNING: multiple messages have this Message-ID (diff)
From: Andi Kleen <ak@linux.intel.com>
To: Andy Lutomirski <luto@kernel.org>, mst@redhat.com
Cc: sathyanarayanan.kuppuswamy@linux.intel.com,
the arch/x86 maintainers <x86@kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
virtualization@lists.linux-foundation.org,
iommu@lists.linux-foundation.org,
Josh Poimboeuf <jpoimboe@redhat.com>,
robin.murphy@arm.com, hch@lst.de, m.szyprowski@samsung.com
Subject: Re: [PATCH v1 1/8] virtio: Force only split mode with protected guest
Date: Thu, 3 Jun 2021 16:32:58 -0700 [thread overview]
Message-ID: <884f34e0-fcd2-bb82-9e9e-4269823fa9b2@linux.intel.com> (raw)
In-Reply-To: <b8b39b76-8d07-4e4a-804a-746269787b61@www.fastmail.com>
> We do not need an increasing pile of kludges
Do you mean disabling features is a kludge?
If yes I disagree with that characterization.
> to make TDX and SEV “secure”. We need the actual loaded driver to be secure. The virtio architecture is full of legacy nonsense,
> and there is no good reason for SEV and TDX to be a giant special case.
I don't know where you see a "giant special case". Except for the
limited feature negotiation all the changes are common, and the
disabling of features (which is not new BTW, but already done e.g. with
forcing DMA API in some cases) can be of course used by all these other
technologies too. But it just cannot be done by default for everything
because it would break compatibility. So every technology with such
requirements has to explicitly opt-in.
>
> As I said before, real PCIe (Thunderbolt/USB-C or anything else) has the exact same problem. The fact that TDX has encrypted memory is, at best, a poor proxy for the actual condition. The actual condition is that the host does not trust the device to implement the virtio protocol correctly.
Right they can do similar limitations of feature sets. But again it
cannot be default.
>
>>
>> TDX and SEV use the arch hook to enforce DMA API, so that part is also
>> solved.
>>
> Can you point me to the code you’re referring to?
See 4/8 in this patch kit. It uses an existing hook which is already
used in tree by s390.
-Andi
_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
next prev parent reply other threads:[~2021-06-03 23:33 UTC|newest]
Thread overview: 116+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-03 0:41 Virtio hardening for TDX Andi Kleen
2021-06-03 0:41 ` Andi Kleen
2021-06-03 0:41 ` Andi Kleen
2021-06-03 0:41 ` [PATCH v1 1/8] virtio: Force only split mode with protected guest Andi Kleen
2021-06-03 0:41 ` Andi Kleen
2021-06-03 0:41 ` Andi Kleen
2021-06-03 1:36 ` Jason Wang
2021-06-03 1:36 ` Jason Wang
2021-06-03 1:36 ` Jason Wang
2021-06-03 1:48 ` Andi Kleen
2021-06-03 1:48 ` Andi Kleen
2021-06-03 1:48 ` Andi Kleen
2021-06-03 2:32 ` Jason Wang
2021-06-03 2:32 ` Jason Wang
2021-06-03 2:32 ` Jason Wang
2021-06-03 2:56 ` Andi Kleen
2021-06-03 2:56 ` Andi Kleen
2021-06-03 2:56 ` Andi Kleen
2021-06-03 3:02 ` Jason Wang
2021-06-03 3:02 ` Jason Wang
2021-06-03 3:02 ` Jason Wang
2021-06-03 13:55 ` Andi Kleen
2021-06-03 13:55 ` Andi Kleen
2021-06-03 13:55 ` Andi Kleen
2021-06-04 2:29 ` Jason Wang
2021-06-04 2:29 ` Jason Wang
2021-06-04 2:29 ` Jason Wang
2021-06-03 17:33 ` Andy Lutomirski
2021-06-03 17:33 ` Andy Lutomirski
2021-06-03 17:33 ` Andy Lutomirski
2021-06-03 18:00 ` Andi Kleen
2021-06-03 18:00 ` Andi Kleen
2021-06-03 18:00 ` Andi Kleen
2021-06-03 19:31 ` Andy Lutomirski
2021-06-03 19:31 ` Andy Lutomirski
2021-06-03 19:31 ` Andy Lutomirski
2021-06-03 19:53 ` Andi Kleen
2021-06-03 19:53 ` Andi Kleen
2021-06-03 19:53 ` Andi Kleen
2021-06-03 22:17 ` Andy Lutomirski
2021-06-03 22:17 ` Andy Lutomirski
2021-06-03 22:17 ` Andy Lutomirski
2021-06-03 23:32 ` Andi Kleen [this message]
2021-06-03 23:32 ` Andi Kleen
2021-06-03 23:32 ` Andi Kleen
2021-06-04 1:46 ` Andy Lutomirski
2021-06-04 1:46 ` Andy Lutomirski
2021-06-04 1:46 ` Andy Lutomirski
2021-06-04 1:54 ` Andi Kleen
2021-06-04 1:54 ` Andi Kleen
2021-06-04 1:54 ` Andi Kleen
2021-06-04 1:22 ` Jason Wang
2021-06-04 1:22 ` Jason Wang
2021-06-04 1:22 ` Jason Wang
2021-06-04 1:29 ` Jason Wang
2021-06-04 1:29 ` Jason Wang
2021-06-04 1:29 ` Jason Wang
2021-06-04 2:20 ` Jason Wang
2021-06-04 2:20 ` Jason Wang
2021-06-04 2:20 ` Jason Wang
2021-06-03 0:41 ` [PATCH v1 2/8] virtio: Add boundary checks to virtio ring Andi Kleen
2021-06-03 0:41 ` Andi Kleen
2021-06-03 0:41 ` Andi Kleen
2021-06-03 2:14 ` Jason Wang
2021-06-03 2:14 ` Jason Wang
2021-06-03 2:14 ` Jason Wang
2021-06-03 2:18 ` Andi Kleen
2021-06-03 2:18 ` Andi Kleen
2021-06-03 2:18 ` Andi Kleen
2021-06-03 2:36 ` Jason Wang
2021-06-03 2:36 ` Jason Wang
2021-06-03 2:36 ` Jason Wang
2021-06-03 0:41 ` [PATCH v1 3/8] virtio: Harden split buffer detachment Andi Kleen
2021-06-03 0:41 ` Andi Kleen
2021-06-03 0:41 ` Andi Kleen
2021-06-03 2:29 ` Jason Wang
2021-06-03 2:29 ` Jason Wang
2021-06-03 2:29 ` Jason Wang
2021-06-03 0:41 ` [PATCH v1 4/8] x86/tdx: Add arch_has_restricted_memory_access for TDX Andi Kleen
2021-06-03 0:41 ` Andi Kleen
2021-06-03 0:41 ` Andi Kleen
2021-06-03 4:02 ` Kuppuswamy, Sathyanarayanan
2021-06-03 4:02 ` Kuppuswamy, Sathyanarayanan
2021-06-03 0:41 ` [PATCH v1 5/8] dma: Use size for swiotlb boundary checks Andi Kleen
2021-06-03 0:41 ` Andi Kleen
2021-06-03 0:41 ` Andi Kleen
2021-06-03 1:48 ` Konrad Rzeszutek Wilk
2021-06-03 1:48 ` Konrad Rzeszutek Wilk
2021-06-03 1:48 ` Konrad Rzeszutek Wilk
2021-06-03 2:03 ` Andi Kleen
2021-06-03 2:03 ` Andi Kleen
2021-06-03 2:03 ` Andi Kleen
2021-06-03 9:09 ` Robin Murphy
2021-06-03 9:09 ` Robin Murphy
2021-06-03 9:09 ` Robin Murphy
2021-06-03 0:41 ` [PATCH v1 6/8] dma: Add return value to dma_unmap_page Andi Kleen
2021-06-03 0:41 ` Andi Kleen
2021-06-03 0:41 ` Andi Kleen
2021-06-03 9:08 ` Robin Murphy
2021-06-03 9:08 ` Robin Murphy
2021-06-03 9:08 ` Robin Murphy
2021-06-03 12:36 ` Andi Kleen
2021-06-03 12:36 ` Andi Kleen
2021-06-03 12:36 ` Andi Kleen
2021-06-03 0:41 ` [PATCH v1 7/8] virtio: Abort IO when descriptor points outside forced swiotlb Andi Kleen
2021-06-03 0:41 ` Andi Kleen
2021-06-03 0:41 ` Andi Kleen
2021-06-03 0:41 ` [PATCH v1 8/8] virtio: Error out on endless free lists Andi Kleen
2021-06-03 0:41 ` Andi Kleen
2021-06-03 0:41 ` Andi Kleen
2021-06-03 1:34 ` Virtio hardening for TDX Jason Wang
2021-06-03 1:34 ` Jason Wang
2021-06-03 1:34 ` Jason Wang
2021-06-03 1:56 ` Andi Kleen
2021-06-03 1:56 ` Andi Kleen
2021-06-03 1:56 ` Andi Kleen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=884f34e0-fcd2-bb82-9e9e-4269823fa9b2@linux.intel.com \
--to=ak@linux.intel.com \
--cc=hch@lst.de \
--cc=iommu@lists.linux-foundation.org \
--cc=jasowang@redhat.com \
--cc=jpoimboe@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=m.szyprowski@samsung.com \
--cc=mst@redhat.com \
--cc=robin.murphy@arm.com \
--cc=sathyanarayanan.kuppuswamy@linux.intel.com \
--cc=virtualization@lists.linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.