From: Leon Romanovsky <leon@kernel.org>
To: "Reshetova, Elena" <elena.reshetova@intel.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"Shishkin, Alexander" <alexander.shishkin@intel.com>,
"Shutemov, Kirill" <kirill.shutemov@intel.com>,
"Kuppuswamy,
Sathyanarayanan" <sathyanarayanan.kuppuswamy@intel.com>,
"Kleen, Andi" <andi.kleen@intel.com>,
"Hansen, Dave" <dave.hansen@intel.com>,
Thomas Gleixner <tglx@linutronix.de>,
Peter Zijlstra <peterz@infradead.org>,
"Wunner, Lukas" <lukas.wunner@intel.com>,
Mika Westerberg <mika.westerberg@linux.intel.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
Jason Wang <jasowang@redhat.com>,
"Poimboe, Josh" <jpoimboe@redhat.com>,
"aarcange@redhat.com" <aarcange@redhat.com>,
Cfir Cohen <cfir@google.com>, Marc Orr <marcorr@google.com>,
"jbachmann@google.com" <jbachmann@google.com>,
"pgonda@google.com" <pgonda@google.com>,
"keescook@chromium.org" <keescook@chromium.org>,
James Morris <jmorris@namei.org>,
Michael Kelley <mikelley@microsoft.com>,
"Lange, Jon" <jlange@microsoft.com>,
"linux-coco@lists.linux.dev" <linux-coco@lists.linux.dev>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>
Subject: Re: Linux guest kernel threat model for Confidential Computing
Date: Thu, 26 Jan 2023 15:50:00 +0200 [thread overview]
Message-ID: <Y9KFCC8XkCvduWDp@unreal> (raw)
In-Reply-To: <DM8PR11MB57507D9C941D77E148EE9E87E7CF9@DM8PR11MB5750.namprd11.prod.outlook.com>
On Thu, Jan 26, 2023 at 01:28:15PM +0000, Reshetova, Elena wrote:
> > On Thu, Jan 26, 2023 at 11:29:20AM +0000, Reshetova, Elena wrote:
> > > > On Wed, Jan 25, 2023 at 03:29:07PM +0000, Reshetova, Elena wrote:
> > > > > Replying only to the not-so-far addressed points.
> > > > >
> > > > > > On Wed, Jan 25, 2023 at 12:28:13PM +0000, Reshetova, Elena wrote:
> > > > > > > Hi Greg,
> > > >
> > > > <...>
> > > >
> > > > > > > 3) All the tools are open-source and everyone can start using them right
> > > > away
> > > > > > even
> > > > > > > without any special HW (readme has description of what is needed).
> > > > > > > Tools and documentation is here:
> > > > > > > https://github.com/intel/ccc-linux-guest-hardening
> > > > > >
> > > > > > Again, as our documentation states, when you submit patches based on
> > > > > > these tools, you HAVE TO document that. Otherwise we think you all are
> > > > > > crazy and will get your patches rejected. You all know this, why ignore
> > > > > > it?
> > > > >
> > > > > Sorry, I didn’t know that for every bug that is found in linux kernel when
> > > > > we are submitting a fix that we have to list the way how it has been found.
> > > > > We will fix this in the future submissions, but some bugs we have are found
> > by
> > > > > plain code audit, so 'human' is the tool.
> > > >
> > > > My problem with that statement is that by applying different threat
> > > > model you "invent" bugs which didn't exist in a first place.
> > > >
> > > > For example, in this [1] latest submission, authors labeled correct
> > > > behaviour as "bug".
> > > >
> > > > [1] https://lore.kernel.org/all/20230119170633.40944-1-
> > > > alexander.shishkin@linux.intel.com/
> > >
> > > Hm.. Does everyone think that when kernel dies with unhandled page fault
> > > (such as in that case) or detection of a KASAN out of bounds violation (as it is in
> > some
> > > other cases we already have fixes or investigating) it represents a correct
> > behavior even if
> > > you expect that all your pci HW devices are trusted?
> >
> > This is exactly what I said. You presented me the cases which exist in
> > your invented world. Mentioned unhandled page fault doesn't exist in real
> > world. If PCI device doesn't work, it needs to be replaced/blocked and not
> > left to be operable and accessible from the kernel/user.
>
> Can we really assure correct operation of *all* pci devices out there?
Why do we need to do it in 2022? These *all* pci devices work.
> How would such an audit be performed given a huge set of them available?
Compliance tests?
https://pcisig.com/developers/compliance-program
> Isnt it better instead to make a small fix in the kernel behavior that would guard
> us from such potentially not correctly operating devices?
Like Greg already said, this is a small drop in a ocean which needs to be changed.
However even in mentioned by me case, you are not fixing but hiding real
problem of having broken device in my machine. It is worst possible solution
for the users.
>
>
> >
> > > What about an error in two consequent pci reads? What about just some
> > > failure that results in erroneous input?
> >
> > Yes, some bugs need to be fixed, but they are not related to trust/not-trust
> > discussion and PCI spec violations.
>
> Let's forget the trust angle here (it only applies to the Confidential Computing
> threat model and you clearly implying the existing threat model instead) and stick just to
> the not-correctly operating device. What you are proposing is to fix *unknown* bugs
> in multitude of pci devices that (in case of this particular MSI bug) can
> lead to two different values being read from the config space and kernel incorrectly
> handing this situation.
Let's don't call bug for something which is not.
Random crashes are much more tolerable then "working" device which sends
random results.
> Isn't it better to do the clear fix in one place to ensure such
> situation (two subsequent reads with different values) cannot even happen in theory?
> In security we have a saying that fixing a root cause of the problem is the most efficient
> way to mitigate the problem. The root cause here is a double-read with different values,
> so if it can be substituted with an easy and clear patch that probably even improves
> performance as we do one less pci read and use cached value instead, where is the
> problem in this particular case? If there are technical issues with the patch, of course we
> need to discuss it/fix it, but it seems we are arguing here about whenever or not we want
> to be fixing kernel code when we notice such cases...
Not really, we are arguing what is the right thing to do:
1. Fix a root cause - device
2. Hide the failure and pretend what everything is perfect despite
having problematic device.
Thanks
>
> Best Regards,
> Elena
>
>
next prev parent reply other threads:[~2023-01-26 13:50 UTC|newest]
Thread overview: 102+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-25 12:28 Linux guest kernel threat model for Confidential Computing Reshetova, Elena
2023-01-25 12:43 ` Greg Kroah-Hartman
2023-01-25 13:42 ` Dr. David Alan Gilbert
2023-01-25 14:13 ` Daniel P. Berrangé
2023-01-25 15:29 ` Dr. David Alan Gilbert
2023-01-26 14:23 ` Richard Weinberger
2023-01-26 14:58 ` Dr. David Alan Gilbert
2023-01-26 15:13 ` Richard Weinberger
2023-01-26 15:22 ` Dr. David Alan Gilbert
2023-01-26 15:55 ` Daniel P. Berrangé
2023-01-27 9:02 ` Jörg Rödel
2023-01-26 15:43 ` Daniel P. Berrangé
2023-01-27 11:23 ` Reshetova, Elena
2023-01-30 11:30 ` Christophe de Dinechin
2023-01-25 14:22 ` Greg Kroah-Hartman
2023-01-25 14:30 ` James Bottomley
2023-01-25 14:57 ` Dr. David Alan Gilbert
2023-01-25 15:16 ` Greg Kroah-Hartman
2023-01-25 15:45 ` Michael S. Tsirkin
2023-01-25 16:02 ` Kirill A. Shutemov
2023-01-25 17:47 ` Michael S. Tsirkin
2023-01-25 15:50 ` Dr. David Alan Gilbert
2023-01-25 18:47 ` Jiri Kosina
2023-01-26 9:19 ` Jörg Rödel
2023-01-25 21:53 ` Lukas Wunner
2023-01-26 10:48 ` Dr. David Alan Gilbert
2023-01-26 11:24 ` Jonathan Cameron
2023-01-26 13:32 ` Samuel Ortiz
[not found] ` <CAGXJix9-cXNW7EwJf0PVzj_Qmt5fmQvBX1KvXfRX5NAeEpnMvw@mail.gmail.com>
2023-01-26 10:58 ` Jonathan Cameron
2023-01-26 13:15 ` Samuel Ortiz
2023-01-26 16:07 ` Jonathan Cameron
2023-01-27 7:02 ` Samuel Ortiz
2023-01-26 15:44 ` Lukas Wunner
2023-01-26 16:25 ` Michael S. Tsirkin
2023-01-26 21:41 ` Lukas Wunner
2023-01-27 7:17 ` Samuel Ortiz
2023-01-25 20:13 ` Jiri Kosina
2023-01-26 13:13 ` Reshetova, Elena
2023-01-25 15:29 ` Reshetova, Elena
2023-01-25 16:40 ` Theodore Ts'o
2023-01-26 8:08 ` Reshetova, Elena
2023-01-26 11:19 ` Leon Romanovsky
2023-01-26 11:29 ` Reshetova, Elena
2023-01-26 12:30 ` Leon Romanovsky
2023-01-26 13:28 ` Reshetova, Elena
2023-01-26 13:50 ` Leon Romanovsky [this message]
2023-01-26 20:54 ` Theodore Ts'o
2023-01-27 19:24 ` James Bottomley
2023-01-30 7:42 ` Reshetova, Elena
2023-01-30 12:40 ` James Bottomley
2023-01-31 11:31 ` Reshetova, Elena
2023-01-31 13:28 ` James Bottomley
2023-01-31 15:14 ` Christophe de Dinechin
2023-01-31 17:39 ` Michael S. Tsirkin
2023-02-01 10:52 ` Christophe de Dinechin Dupont de Dinechin
2023-02-01 11:01 ` Michael S. Tsirkin
2023-02-01 13:15 ` Christophe de Dinechin Dupont de Dinechin
2023-02-01 16:02 ` Michael S. Tsirkin
2023-02-01 17:13 ` Christophe de Dinechin
2023-02-06 18:58 ` Dr. David Alan Gilbert
2023-02-02 3:24 ` Jason Wang
2023-02-01 10:24 ` Christophe de Dinechin
2023-01-31 16:34 ` Reshetova, Elena
2023-01-31 17:49 ` James Bottomley
2023-02-02 14:51 ` Jeremi Piotrowski
2023-02-03 14:05 ` Reshetova, Elena
2023-01-27 9:32 ` Jörg Rödel
2023-01-26 13:58 ` Dr. David Alan Gilbert
2023-01-26 17:48 ` Reshetova, Elena
2023-01-26 18:06 ` Leon Romanovsky
2023-01-26 18:14 ` Dr. David Alan Gilbert
2023-01-26 16:29 ` Michael S. Tsirkin
2023-01-27 8:52 ` Reshetova, Elena
2023-01-27 10:04 ` Michael S. Tsirkin
2023-01-27 12:25 ` Reshetova, Elena
2023-01-27 14:32 ` Michael S. Tsirkin
2023-01-27 20:51 ` Carlos Bilbao
2023-01-30 11:36 ` Christophe de Dinechin
2023-01-30 12:00 ` Kirill A. Shutemov
2023-01-30 15:14 ` Michael S. Tsirkin
2023-01-31 10:06 ` Reshetova, Elena
2023-01-31 16:52 ` Christophe de Dinechin
2023-02-02 11:31 ` Reshetova, Elena
2023-02-07 0:27 ` Carlos Bilbao
2023-02-07 6:03 ` Greg Kroah-Hartman
2023-02-07 19:53 ` Carlos Bilbao
2023-02-07 21:55 ` Michael S. Tsirkin
2023-02-08 1:51 ` Theodore Ts'o
2023-02-08 9:31 ` Michael S. Tsirkin
2023-02-08 10:44 ` Reshetova, Elena
2023-02-08 10:58 ` Greg Kroah-Hartman
2023-02-08 16:19 ` Christophe de Dinechin
2023-02-08 17:29 ` Greg Kroah-Hartman
2023-02-08 18:02 ` Dr. David Alan Gilbert
2023-02-08 18:58 ` Thomas Gleixner
2023-02-09 19:48 ` Dr. David Alan Gilbert
2023-02-08 13:00 ` Michael S. Tsirkin
2023-02-08 13:42 ` Theodore Ts'o
2023-02-08 7:19 ` Greg Kroah-Hartman
2023-02-08 10:16 ` Reshetova, Elena
2023-02-08 13:15 ` Michael S. Tsirkin
2023-02-09 14:30 ` Reshetova, Elena
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y9KFCC8XkCvduWDp@unreal \
--to=leon@kernel.org \
--cc=aarcange@redhat.com \
--cc=alexander.shishkin@intel.com \
--cc=andi.kleen@intel.com \
--cc=cfir@google.com \
--cc=dave.hansen@intel.com \
--cc=elena.reshetova@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=jasowang@redhat.com \
--cc=jbachmann@google.com \
--cc=jlange@microsoft.com \
--cc=jmorris@namei.org \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=kirill.shutemov@intel.com \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=lukas.wunner@intel.com \
--cc=marcorr@google.com \
--cc=mika.westerberg@linux.intel.com \
--cc=mikelley@microsoft.com \
--cc=mst@redhat.com \
--cc=peterz@infradead.org \
--cc=pgonda@google.com \
--cc=sathyanarayanan.kuppuswamy@intel.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).