From: Dmytro Maluka <dmy@semihalf.com>
To: "Reshetova, Elena" <elena.reshetova@intel.com>, "Christopherson,,
	Sean" <seanjc@google.com>
Cc: Carlos Bilbao <carlos.bilbao@amd.com>,
	"Chen, Jason CJ" <jason.cj.chen@intel.com>,
	"corbet@lwn.net" <corbet@lwn.net>,
	"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"ardb@kernel.org" <ardb@kernel.org>,
	"kraxel@redhat.com" <kraxel@redhat.com>,
	"dovmurik@linux.ibm.com" <dovmurik@linux.ibm.com>,
	"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>,
	"Dhaval.Giani@amd.com" <Dhaval.Giani@amd.com>,
	"michael.day@amd.com" <michael.day@amd.com>,
	"pavankumar.paluri@amd.com" <pavankumar.paluri@amd.com>,
	"David.Kaplan@amd.com" <David.Kaplan@amd.com>,
	"Reshma.Lal@amd.com" <Reshma.Lal@amd.com>,
	"Jeremy.Powell@amd.com" <Jeremy.Powell@amd.com>,
	"sathyanarayanan.kuppuswamy@linux.intel.com"
	<sathyanarayanan.kuppuswamy@linux.intel.com>,
	"alexander.shishkin@linux.intel.com"
	<alexander.shishkin@linux.intel.com>,
	"thomas.lendacky@amd.com" <thomas.lendacky@amd.com>,
	"tglx@linutronix.de" <tglx@linutronix.de>,
	"dgilbert@redhat.com" <dgilbert@redhat.com>,
	"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
	"dinechin@redhat.com" <dinechin@redhat.com>,
	"linux-coco@lists.linux.dev" <linux-coco@lists.linux.dev>,
	"berrange@redhat.com" <berrange@redhat.com>,
	"mst@redhat.com" <mst@redhat.com>,
	"tytso@mit.edu" <tytso@mit.edu>,
	"jikos@kernel.org" <jikos@kernel.org>,
	"joro@8bytes.org" <joro@8bytes.org>,
	"leon@kernel.org" <leon@kernel.org>,
	"richard.weinberger@gmail.com" <richard.weinberger@gmail.com>,
	"lukas@wunner.de" <lukas@wunner.de>,
	"jejb@linux.ibm.com" <jejb@linux.ibm.com>,
	"cdupontd@redhat.com" <cdupontd@redhat.com>,
	"jasowang@redhat.com" <jasowang@redhat.com>,
	"sameo@rivosinc.com" <sameo@rivosinc.com>,
	"bp@alien8.de" <bp@alien8.de>,
	"security@kernel.org" <security@kernel.org>,
	Larry Dewey <larry.dewey@amd.com>,
	"android-kvm@google.com" <android-kvm@google.com>,
	Dmitry Torokhov <dtor@google.com>,
	Allen Webb <allenwebb@google.com>,
	Tomasz Nowicki <tn@semihalf.com>,
	Grzegorz Jaszczyk <jaz@semihalf.com>,
	Patryk Duda <pdk@semihalf.com>
Subject: Re: [PATCH v2] docs: security: Confidential computing intro and threat model for x86 virtualization
Date: Mon, 19 Jun 2023 17:03:35 +0200
Message-ID: <a38a35ca-41cd-d082-9723-391130fcb8bf@semihalf.com>
In-Reply-To: <DM8PR11MB5750F226997913CC1A0E54A4E75FA@DM8PR11MB5750.namprd11.prod.outlook.com>

On 6/19/23 13:23, Reshetova, Elena wrote:
>> And BTW, doesn't it mean that interrupts also need to be hardened in the
>> guest (if we don't want the complexity of interrupt controllers in the
>> trusted hypervisor)? At least sensitive ones like IPIs, but I guess we
>> should also consider interrupt-based timing attacks, which could use
>> any type of interrupt. (I have no idea how to harden either of the two
>> cases, but I'm no expert.)
> 
> We have been thinking about it a bit at least when it comes to our
> TDX case. Two main issues were identified: interrupts contributing
> to the state of Linux PRNG [1] and potential implications of missing
> interrupts for reliable panic and other kernel use cases [2]. 
> 
> [1] https://intel.github.io/ccc-linux-guest-hardening-docs/security-spec.html#randomness-inside-tdx-guest
> [2] https://intel.github.io/ccc-linux-guest-hardening-docs/security-spec.html#reliable-panic
> 
> For the first one, in addition to simply enforcing usage of RDSEED
> for TDX guests, we still want to do a proper evaluation of security
> of Linux PRNG under our threat model. The second one is
> harder to reliably assess imo, but so far we were not able to find any
> concrete attack vectors. But it would be good if people who
> have expertise in this could take a look at the assessment we did.
> The logic was to go over all kernel core callers of various 
> smp_call_function*, on_each_cpu* and check the implications
> if such an IPI is never delivered. 

Thanks. I also had in mind for example [1].

[1] https://people.cs.kuleuven.be/~jo.vanbulck/ccs18.pdf
