All of lore.kernel.org
 help / color / mirror / Atom feed
From: Arvind Sankar <nivedita@alum.mit.edu>
To: Joerg Roedel <jroedel@suse.de>
Cc: Arvind Sankar <nivedita@alum.mit.edu>,
	Joerg Roedel <joro@8bytes.org>,
	x86@kernel.org, Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Andy Lutomirski <luto@kernel.org>,
	Peter Zijlstra <peterz@infradead.org>,
	Kees Cook <keescook@chromium.org>,
	Martin Radev <martin.b.radev@gmail.com>,
	Tom Lendacky <thomas.lendacky@amd.com>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 3/5] x86/boot/compressed/64: Check SEV encryption in 64-bit boot-path
Date: Tue, 20 Oct 2020 10:33:12 -0400	[thread overview]
Message-ID: <20201020143312.GE2996696@rani.riverdale.lan> (raw)
In-Reply-To: <20201020085957.GF9328@suse.de>

On Tue, Oct 20, 2020 at 10:59:57AM +0200, Joerg Roedel wrote:
> On Mon, Oct 19, 2020 at 05:31:06PM -0400, Arvind Sankar wrote:
> > Is it possible to take advantage of this to make the check independent
> > of the original page tables? i.e. switch to the new pagetables, then
> > write into .data or .bss the opcodes for a function that does
> > 	movabs	$imm64, %rax
> > 	jmp	*%rdi	// avoid using stack for the return
> > filling in the imm64 with the RDRAND value, and then try to execute it.
> > If the C-bit value is wrong, this will probably crash, and at any rate
> > shouldn't return with the correct value in %rax.
> 
> That could work, but is not reliable. When the C bit is wrong the CPU
> would essentially execute random data, which could also be a valid
> instruction stream. A crash is not guaranteed.
> 

That doesn't feel like a big loss: if a malicious hypervisor wanted to
induce completely random code execution, it can do that anyway by just
messing with the guest-to-host translation, no?

We would need to avoid calling this in the secondary cpu startup, I guess.

I was hoping to be able to clean up the identity mapping in
__startup_64(), which currently maps the entire kernel using wraparound
entries, to just map the head page of the kernel, since AFAICT nothing
else is actually used from the identity mapping after switching to the
new page tables. But we'd need to keep it to support this check.

  reply	other threads:[~2020-10-20 14:33 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-10-19 15:11 [PATCH 0/5] x86/sev-es: Mitigate some HV attack vectors Joerg Roedel
2020-10-19 15:11 ` [PATCH 1/5] x86/boot/compressed/64: Introduce sev_status Joerg Roedel
2020-10-20  0:59   ` Sean Christopherson
2020-10-20  1:08     ` Sean Christopherson
2020-10-20  9:55     ` Joerg Roedel
2020-10-19 15:11 ` [PATCH 2/5] x86/boot/compressed/64: Add CPUID sanity check to early #VC handler Joerg Roedel
2020-10-19 15:11 ` [PATCH 3/5] x86/boot/compressed/64: Check SEV encryption in 64-bit boot-path Joerg Roedel
2020-10-19 17:00   ` Arvind Sankar
2020-10-19 17:54     ` Arvind Sankar
2020-10-19 20:39       ` Joerg Roedel
2020-10-19 21:31         ` Arvind Sankar
2020-10-20  8:59           ` Joerg Roedel
2020-10-20 14:33             ` Arvind Sankar [this message]
2020-10-20 15:44               ` Joerg Roedel
2020-10-19 20:33     ` Joerg Roedel
2020-10-19 21:22       ` Arvind Sankar
2020-10-20  9:41         ` Joerg Roedel
2020-10-19 15:11 ` [PATCH 4/5] x86/head/64: Check SEV encryption before switching to kernel page-table Joerg Roedel
2020-10-19 15:11 ` [PATCH 5/5] x86/sev-es: Do not support MMIO to/from encrypted memory Joerg Roedel

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20201020143312.GE2996696@rani.riverdale.lan \
    --to=nivedita@alum.mit.edu \
    --cc=bp@alien8.de \
    --cc=dave.hansen@linux.intel.com \
    --cc=hpa@zytor.com \
    --cc=joro@8bytes.org \
    --cc=jroedel@suse.de \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@kernel.org \
    --cc=martin.b.radev@gmail.com \
    --cc=mingo@redhat.com \
    --cc=peterz@infradead.org \
    --cc=tglx@linutronix.de \
    --cc=thomas.lendacky@amd.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.