Date: Tue, 20 Oct 2020 16:49:24 +0300
From: "Kirill A. Shutemov"
To: Vitaly Kuznetsov
Cc: David Rientjes, Andrea Arcangeli, Kees Cook, Will Drewry, "Edgecombe, Rick P", "Kleen, Andi", Liran Alon, Mike Rapoport, x86@kernel.org, kvm@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, "Kirill A. Shutemov", Dave Hansen, Andy Lutomirski, Peter Zijlstra, Paolo Bonzini, Sean Christopherson, Wanpeng Li, Jim Mattson, Joerg Roedel
Subject: Re: [RFCv2 00/16] KVM protected memory extension
Message-ID: <20201020134924.2i4z4kp6bkiheqws@box>
References: <20201020061859.18385-1-kirill.shutemov@linux.intel.com> <87ft6949x8.fsf@vitty.brq.redhat.com>
In-Reply-To: <87ft6949x8.fsf@vitty.brq.redhat.com>

On Tue, Oct 20, 2020 at 09:46:11AM +0200, Vitaly Kuznetsov wrote:
> "Kirill A. Shutemov" writes:
>
> > == Background / Problem ==
> >
> > There are a number of hardware features (MKTME, SEV) which protect guest
> > memory from some unauthorized host access. The patchset proposes a purely
> > software feature that mitigates some of the same host-side read-only
> > attacks.
> >
> >
> > == What does this set mitigate? ==
> >
> >  - Host kernel "accidental" access to guest data (think speculation)
> >
> >  - Host kernel induced access to guest data (write(fd, &guest_data_ptr, len))
> >
> >  - Host userspace access to guest data (compromised qemu)
> >
> >  - Guest privilege escalation via compromised QEMU device emulation
> >
> > == What does this set NOT mitigate? ==
> >
> >  - Full host kernel compromise. Kernel will just map the pages again.
> >
> >  - Hardware attacks
> >
> >
> > The second RFC revision addresses /most/ of the feedback.
> >
> > I still haven't found a good solution for reboot and kexec. Unprotecting all
> > the memory on such operations defeats the goal of the feature. Clearing up
> > most of the memory before unprotecting what is required for reboot (or
> > kexec) is tedious and error-prone.
> > Maybe we should just declare them unsupported?
>
> Making reboot unsupported is a hard sell. Could you please elaborate on
> why you think that an "unprotect all" hypercall (or rather a single
> hypercall supporting both protecting/unprotecting) defeats the purpose
> of the feature?

If the guest has some data that it prefers not to leak to the host and uses
the feature for that purpose, sharing all the memory to get through reboot is
a very weak point.

>
> clean up *all* its memory upon reboot, however:
> - It may only clean up the most sensitive parts. This should probably be
>   done even without this new feature and even on bare metal (think about
>   next boot target being malicious).
> - The attack window shrinks significantly. "Speculative" bugs require
>   time to exploit and it will only remain open until it boots up again
>   (a few seconds).

Maybe it would be cleaner to handle reboot in userspace? If we got the VM
rebooted, just reconstruct it from scratch as if it were a new boot.

-- 
Kirill A. Shutemov