From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BC565C433DB for ; Thu, 4 Feb 2021 00:12:31 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 9116D64F65 for ; Thu, 4 Feb 2021 00:12:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234270AbhBDAMP (ORCPT ); Wed, 3 Feb 2021 19:12:15 -0500 Received: from mga14.intel.com ([192.55.52.115]:32888 "EHLO mga14.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234156AbhBDAMJ (ORCPT ); Wed, 3 Feb 2021 19:12:09 -0500 IronPort-SDR: 5muCWEmxNQmhRgK7eHdjQtDLPQXprOZb2bLSZZLv0rZ+gYtaQ1Fa0/VgT7lO7qYZ0PzL4eujvT fJRgNnxGnY9g== X-IronPort-AV: E=McAfee;i="6000,8403,9884"; a="180368580" X-IronPort-AV: E=Sophos;i="5.79,399,1602572400"; d="scan'208";a="180368580" Received: from fmsmga007.fm.intel.com ([10.253.24.52]) by fmsmga103.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 03 Feb 2021 16:11:54 -0800 IronPort-SDR: RPSvQDWeFFnF/S6W7RF3U/0957dqlAcXqvUw21sLMZLePmFmJPFTB4QVpfZ2LJ8s9Gg3vae1XF gKHvv2/G/rhw== X-IronPort-AV: E=Sophos;i="5.79,399,1602572400"; d="scan'208";a="356195736" Received: from rvchebia-mobl.amr.corp.intel.com ([10.251.7.104]) by fmsmga007-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 03 Feb 2021 16:11:48 -0800 Message-ID: Subject: Re: [RFC PATCH v3 23/27] KVM: VMX: Add SGX ENCLS[ECREATE] handler to enforce CPUID restrictions From: Kai Huang To: Sean Christopherson Cc: "Edgecombe, Rick P" , "linux-sgx@vger.kernel.org" , "kvm@vger.kernel.org" , "x86@kernel.org" , "Huang, Haitao" , "luto@kernel.org" , "jarkko@kernel.org" , "Hansen, Dave" , "vkuznets@redhat.com" , "bp@alien8.de" , "mingo@redhat.com" , "tglx@linutronix.de" , "hpa@zytor.com" , "pbonzini@redhat.com" , "joro@8bytes.org" , "wanpengli@tencent.com" , "jmattson@google.com" Date: Thu, 04 Feb 2021 13:11:45 +1300 In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.38.3 (3.38.3-1.fc33) MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org On Wed, 2021-02-03 at 15:59 -0800, Sean Christopherson wrote: > On Thu, Feb 04, 2021, Kai Huang wrote: > > On Wed, 2021-02-03 at 15:36 -0800, Sean Christopherson wrote: > > > On Thu, Feb 04, 2021, Kai Huang wrote: > > > > On Wed, 2021-02-03 at 11:36 -0800, Sean Christopherson wrote: > > > > > On Wed, Feb 03, 2021, Edgecombe, Rick P wrote: > > > > > > On Tue, 2021-01-26 at 22:31 +1300, Kai Huang wrote: > > > > > > Don't you need to deep copy the pageinfo.contents struct as well? > > > > > > Otherwise the guest could change these after they were checked. > > > > > > > > > > > > But it seems it is checked by the HW and something is caught that would > > > > > > inject a GP anyway? Can you elaborate on the importance of these > > > > > > checks? > > > > > > > > > > Argh, yes. These checks are to allow migration between systems with different > > > > > SGX capabilities, and more importantly to prevent userspace from doing an end > > > > > around on the restricted access to PROVISIONKEY. > > > > > > > > > > IIRC, earlier versions did do a deep copy, but then I got clever. Anyways, yeah, > > > > > sadly the entire pageinfo.contents page will need to be copied. > > > > > > > > I don't fully understand the problem. Are you worried about contents being updated by > > > > other vcpus during the trap?  > > > > > > > > And I don't see how copy can avoid this problem. Even you do copy, the content can > > > > still be modified afterwards, correct? So what's the point of copying? > > > > > > The goal isn't correctness, it's to prevent a TOCTOU bug. E.g. the guest could > > > do ECREATE w/ SECS.SGX_ATTR_PROVISIONKEY=0, and simultaneously set > > > SGX_ATTR_PROVISIONKEY to bypass the above check. > > > > Oh ok. Agreed. > > > > However, such attack would require precise timing. Not sure whether it is feasible in > > practice. > > It's very feasible. XOR the bit in a tight loop, build the enclave on a > separate thread. Do that until EINIT succeeds. Compared to other timing > attacks, I doubt it'd take all that long to get a successful result. How does it work? The setting PROVISION bit needs to be set after KVM checks SECS's attribute, and before KVM actually does ECREATE, right? > > Regardless, the difficulty in exploiting the bug is irrelevant, it's a glaring > flaw that needs to be fixed. Sure.