From: Marc Zyngier <maz@kernel.org>
To: Sean Christopherson <sean.j.christopherson@intel.com>
Cc: "Kirill A. Shutemov" <kirill@shutemov.name>,
Dave Hansen <dave.hansen@linux.intel.com>,
Andy Lutomirski <luto@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Paolo Bonzini <pbonzini@redhat.com>,
Vitaly Kuznetsov <vkuznets@redhat.com>,
Wanpeng Li <wanpengli@tencent.com>,
Jim Mattson <jmattson@google.com>, Joerg Roedel <joro@8bytes.org>,
David Rientjes <rientjes@google.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Kees Cook <keescook@chromium.org>, Will Drewry <wad@chromium.org>,
"Edgecombe, Rick P" <rick.p.edgecombe@intel.com>,
"Kleen, Andi" <andi.kleen@intel.com>,
x86@kernel.org, kvm@vger.kernel.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
kernel-team@android.com, will@kernel.org,
Jun Nakajima <jun.nakajima@intel.com>
Subject: Re: [RFC 00/16] KVM protected memory extension
Date: Thu, 04 Jun 2020 17:27:34 +0100 [thread overview]
Message-ID: <cd292393f8e45407b2754efbaf89aa70@kernel.org> (raw)
In-Reply-To: <20200604154835.GE30223@linux.intel.com>
Hi Sean,
On 2020-06-04 16:48, Sean Christopherson wrote:
> +Jun
>
> On Thu, Jun 04, 2020 at 04:15:23PM +0100, Marc Zyngier wrote:
>> Hi Kirill,
>>
>> Thanks for this.
>>
>> On Fri, 22 May 2020 15:51:58 +0300
>> "Kirill A. Shutemov" <kirill@shutemov.name> wrote:
>>
>> > == Background / Problem ==
>> >
>> > There are a number of hardware features (MKTME, SEV) which protect guest
>> > memory from some unauthorized host access. The patchset proposes a purely
>> > software feature that mitigates some of the same host-side read-only
>> > attacks.
>> >
>> >
>> > == What does this set mitigate? ==
>> >
>> > - Host kernel ”accidental” access to guest data (think speculation)
>> >
>> > - Host kernel induced access to guest data (write(fd, &guest_data_ptr, len))
>> >
>> > - Host userspace access to guest data (compromised qemu)
>> >
>> > == What does this set NOT mitigate? ==
>> >
>> > - Full host kernel compromise. Kernel will just map the pages again.
>> >
>> > - Hardware attacks
>>
>> Just as a heads up, we (the Android kernel team) are currently
>> involved in something pretty similar for KVM/arm64 in order to bring
>> some level of confidentiality to guests.
>>
>> The main idea is to de-privilege the host kernel by wrapping it in its
>> own nested set of page tables which allows us to remove memory
>> allocated to guests on a per-page basis. The core hypervisor runs more
>> or less independently at its own privilege level. It still is KVM
>> though, as we don't intend to reinvent the wheel.
>>
>> Will has written a much more lingo-heavy description here:
>> https://lore.kernel.org/kvmarm/20200327165935.GA8048@willie-the-truck/
>
> Pardon my arm64 ignorance...
>
> IIUC, in this mode, the host kernel runs at EL1? And to switch to a
> guest
> it has to bounce through EL2, which is KVM, or at least a chunk of KVM?
> I assume the EL1->EL2->EL1 switch is done by trapping an exception of
> some
> form?
>
> If all of the above are "yes", does KVM already have the necessary
> logic to
> perform the EL1->EL2->EL1 switches, or is that being added as part of
> the
> de-privileging effort?
KVM already handles the EL1->EL2->EL1 madness, meaning that from
an exception level perspective, the host kernel is already a guest.
It's just that this guest can directly change the hypervisor's text,
its page tables, and muck with about everything else.
De-privileging the memory access to non host EL1 memory is where the
ongoing effort is.
M.
--
Jazz is not dead. It just smells funny...
next prev parent reply other threads:[~2020-06-04 16:27 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-22 12:51 [RFC 00/16] KVM protected memory extension Kirill A. Shutemov
2020-05-22 12:51 ` [RFC 01/16] x86/mm: Move force_dma_unencrypted() to common code Kirill A. Shutemov
2020-05-22 12:52 ` [RFC 02/16] x86/kvm: Introduce KVM memory protection feature Kirill A. Shutemov
2020-05-25 14:58 ` Vitaly Kuznetsov
2020-05-25 15:15 ` Kirill A. Shutemov
2020-05-27 5:03 ` Sean Christopherson
2020-05-27 8:39 ` Vitaly Kuznetsov
2020-05-27 8:52 ` Sean Christopherson
2020-06-03 2:09 ` Huang, Kai
2020-06-03 11:14 ` Vitaly Kuznetsov
2020-05-22 12:52 ` [RFC 03/16] x86/kvm: Make DMA pages shared Kirill A. Shutemov
2020-05-22 12:52 ` [RFC 04/16] x86/kvm: Use bounce buffers for KVM memory protection Kirill A. Shutemov
2020-05-22 12:52 ` [RFC 05/16] x86/kvm: Make VirtIO use DMA API in KVM guest Kirill A. Shutemov
2020-05-22 12:52 ` [RFC 06/16] KVM: Use GUP instead of copy_from/to_user() to access guest memory Kirill A. Shutemov
2020-05-25 15:08 ` Vitaly Kuznetsov
2020-05-25 15:17 ` Kirill A. Shutemov
2020-06-01 16:35 ` Paolo Bonzini
2020-06-02 13:33 ` Kirill A. Shutemov
2020-05-26 6:14 ` Mike Rapoport
2020-05-26 21:56 ` Kirill A. Shutemov
2020-05-29 15:24 ` Kees Cook
2020-05-22 12:52 ` [RFC 07/16] KVM: mm: Introduce VM_KVM_PROTECTED Kirill A. Shutemov
2020-05-26 6:15 ` Mike Rapoport
2020-05-26 22:01 ` Kirill A. Shutemov
2020-05-26 6:40 ` John Hubbard
2020-05-26 22:04 ` Kirill A. Shutemov
2020-05-22 12:52 ` [RFC 08/16] KVM: x86: Use GUP for page walk instead of __get_user() Kirill A. Shutemov
2020-05-22 12:52 ` [RFC 09/16] KVM: Protected memory extension Kirill A. Shutemov
2020-05-25 15:26 ` Vitaly Kuznetsov
2020-05-25 15:34 ` Kirill A. Shutemov
2020-06-03 1:34 ` Huang, Kai
2020-05-22 12:52 ` [RFC 10/16] KVM: x86: Enabled protected " Kirill A. Shutemov
2020-05-25 15:26 ` Vitaly Kuznetsov
2020-05-26 6:16 ` Mike Rapoport
2020-05-26 21:58 ` Kirill A. Shutemov
2020-05-22 12:52 ` [RFC 11/16] KVM: Rework copy_to/from_guest() to avoid direct mapping Kirill A. Shutemov
2020-05-22 12:52 ` [RFC 12/16] x86/kvm: Share steal time page with host Kirill A. Shutemov
2020-05-22 12:52 ` [RFC 13/16] x86/kvmclock: Share hvclock memory with the host Kirill A. Shutemov
2020-05-25 15:22 ` Vitaly Kuznetsov
2020-05-25 15:25 ` Kirill A. Shutemov
2020-05-25 15:42 ` Vitaly Kuznetsov
2020-05-22 12:52 ` [RFC 14/16] KVM: Introduce gfn_to_pfn_memslot_protected() Kirill A. Shutemov
2020-05-22 12:52 ` [RFC 15/16] KVM: Handle protected memory in __kvm_map_gfn()/__kvm_unmap_gfn() Kirill A. Shutemov
2020-05-22 12:52 ` [RFC 16/16] KVM: Unmap protected pages from direct mapping Kirill A. Shutemov
2020-05-26 6:16 ` Mike Rapoport
2020-05-26 22:10 ` Kirill A. Shutemov
2020-05-25 5:27 ` [RFC 00/16] KVM protected memory extension Kirill A. Shutemov
2020-05-25 13:47 ` Liran Alon
2020-05-25 14:46 ` Kirill A. Shutemov
2020-05-25 15:56 ` Liran Alon
2020-05-26 6:17 ` Mike Rapoport
2020-05-26 10:16 ` Liran Alon
2020-05-26 11:38 ` Mike Rapoport
2020-05-27 15:45 ` Dave Hansen
2020-05-27 21:22 ` Mike Rapoport
2020-06-04 15:15 ` Marc Zyngier
2020-06-04 15:48 ` Sean Christopherson
2020-06-04 16:27 ` Marc Zyngier [this message]
2020-06-04 16:35 ` Will Deacon
2020-06-04 19:09 ` Nakajima, Jun
2020-06-04 21:03 ` Jim Mattson
2020-06-04 23:29 ` Nakajima, Jun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cd292393f8e45407b2754efbaf89aa70@kernel.org \
--to=maz@kernel.org \
--cc=aarcange@redhat.com \
--cc=andi.kleen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=jmattson@google.com \
--cc=joro@8bytes.org \
--cc=jun.nakajima@intel.com \
--cc=keescook@chromium.org \
--cc=kernel-team@android.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=kirill@shutemov.name \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=rick.p.edgecombe@intel.com \
--cc=rientjes@google.com \
--cc=sean.j.christopherson@intel.com \
--cc=vkuznets@redhat.com \
--cc=wad@chromium.org \
--cc=wanpengli@tencent.com \
--cc=will@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).