2024-06-11 17:25:40

by Jeremi Piotrowski

[permalink] [raw]
Subject: Re: [EXTERNAL] Re: [PATCH] x86/tdx: Generate SIGBUS on userspace MMIO

On 11/06/2024 19:17, Chris Oo wrote:
> We have a usecase where we have device drivers in usermode using vfio that mmap regions of the address space to access device BARs. In this case, when the #VE handler cannot emulate mmio on behalf of usermode, we need the SIGBUS to know if we should retry the attempt via doing a write via the vfio file descriptor.
>
> We don't want to have every mmio go through the vfio file descriptor, because for pages that are actually backed by physical device's BAR we won't take a #VE and introduce a bunch of extra path length, but only if the host has chosen to emulate some page in that BAR. We also don't have any way of knowing which pages will cause a #VE because there's no way for the guest to query which pages the host has chosen to emulate accesses on.
>
> Chris
>
> -----Original Message-----
> From: Dave Hansen <[email protected]>
> Sent: Tuesday, June 11, 2024 9:16 AM
> To: Kirill A. Shutemov <[email protected]>; Dave Hansen <[email protected]>; Thomas Gleixner <[email protected]>; Ingo Molnar <[email protected]>; Borislav Petkov <[email protected]>; [email protected]; H. Peter Anvin <[email protected]>
> Cc: [email protected]; [email protected]; Chris Oo <[email protected]>; Dexuan Cui <[email protected]>; John Starks <[email protected]>
> Subject: [EXTERNAL] Re: [PATCH] x86/tdx: Generate SIGBUS on userspace MMIO
>
> On 6/10/24 06:55, Dave Hansen wrote:
>>> Enlightened userspace may choose to handle MMIO on their own if the
>>> kernel does not emulate it.
>>>
>>> Handle the EPT_VIOLATION exit reason for userspace and deliver SIGBUS
>>> instead of SIGSEGV. SIGBUS is more appropriate for the MMIO situation.
>> Is any userspace _actually_ doing this? Sure, SIGBUS is more
>> appropriate but in practice unprepared userspace crashes either way.
>
> I also can't help but wonder if there's a better way to do this.
>
> Just thinking out loud.... Ideally, we'd reject creating a potentially troublesome VMA at mmap() time. That's way better than, for instance, panic()'ing at some random place in the middle of program execution.
>
> But I guess that's likely not possible because someone could be doing a VM_MIXEDMAP VMA that only has normal private pages and never _actually_ needs or has a shared page mapped.
>
> I'd still love to know what actual kernel drivers and actual userspace would be involved in this whole dance. It's still way too theoretical for me.

Is there a reason we can't fix the handler to do the #VE->mmio emulation for userspace too, so that this scenario works just like outside of a CVM?
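To make the userspace side of the scheme Chris Oo describes above concrete, here is an added example (not code from this thread, nor from any vfio driver or device-emulation project): a register read is first attempted through the mmap()ed BAR, and if that access is refused by the kernel and delivered as SIGBUS, the read is retried through the device file descriptor. The retry via pread() on a "device fd" at a region offset is an assumption standing in for the vfio region read Chris mentions; no real device is involved. In the demo the SIGBUS is produced by a constructed stand-in, a one-page file mapped two pages long, so touching the second page faults the same way an access the kernel will not emulate does.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Recovery point for a SIGBUS taken on an MMIO access through the mapping. */
static sigjmp_buf mmio_env;
static volatile sig_atomic_t mmio_armed;

static void sigbus_handler(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si; (void)ctx;
    if (mmio_armed)
        siglongjmp(mmio_env, 1);   /* unwind back into mmio_read32() */
    _exit(128 + SIGBUS);           /* SIGBUS outside an armed access stays fatal */
}

int install_sigbus_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = sigbus_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGBUS, &sa, NULL);
}

/*
 * Read one 32-bit register. First try the mmap()ed BAR; if the kernel
 * cannot emulate the access and delivers SIGBUS, fall back to pread() on
 * the device fd at region_off (assumed stand-in for a vfio region read).
 * Returns 0 on success; *used_fallback records which path served the read.
 */
int mmio_read32(volatile uint32_t *reg, int dev_fd, off_t region_off,
                uint32_t *out, int *used_fallback)
{
    *used_fallback = 0;
    if (sigsetjmp(mmio_env, 1) == 0) {   /* 1: restore the signal mask on longjmp */
        mmio_armed = 1;
        uint32_t v = *reg;               /* may fault -> SIGBUS -> siglongjmp */
        mmio_armed = 0;
        *out = v;
        return 0;
    }
    mmio_armed = 0;                      /* landed here via the SIGBUS handler */
    *used_fallback = 1;
    if (pread(dev_fd, out, sizeof *out, region_off) != (ssize_t)sizeof *out)
        return -1;
    return 0;
}

/* Results of demo(), exposed through accessors for checking. */
static uint32_t g_direct, g_fallback;
static int g_fallback_used;
uint32_t demo_direct(void) { return g_direct; }
uint32_t demo_fallback(void) { return g_fallback; }
int demo_fallback_used(void) { return g_fallback_used; }

static int make_tmp(void)
{
    char path[] = "/tmp/mmio_demo_XXXXXX";   /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd >= 0) unlink(path);
    return fd;
}

/* Constructed stand-ins, no real device involved:
 *  - dev_fd holds two "registers", one per page (the fallback source);
 *  - map_fd is a one-page file mapped two pages long, so touching the
 *    second page raises SIGBUS just like an access the kernel refused. */
int demo(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    const uint32_t regs[2] = { 0x11111111u, 0x22222222u };
    int dev_fd = make_tmp(), map_fd = make_tmp();
    if (dev_fd < 0 || map_fd < 0 || pg <= 0) return -1;
    if (ftruncate(dev_fd, 2 * pg) || pwrite(dev_fd, &regs[0], 4, 0) != 4 ||
        pwrite(dev_fd, &regs[1], 4, pg) != 4) return -2;
    if (ftruncate(map_fd, pg) || pwrite(map_fd, &regs[0], 4, 0) != 4) return -3;
    uint8_t *bar = mmap(NULL, 2 * pg, PROT_READ, MAP_SHARED, map_fd, 0);
    if (bar == MAP_FAILED) return -4;
    if (install_sigbus_handler()) return -5;
    int fb;
    /* first page is backed: served directly, no fallback */
    if (mmio_read32((volatile uint32_t *)bar, dev_fd, 0, &g_direct, &fb) || fb) return -6;
    /* second page faults: served through the device fd */
    if (mmio_read32((volatile uint32_t *)(bar + pg), dev_fd, pg,
                    &g_fallback, &g_fallback_used)) return -7;
    munmap(bar, 2 * pg); close(dev_fd); close(map_fd);
    return 0;
}

int main(void)
{
    int rc = demo();
    printf("rc=%d direct=%#x fallback=%#x used_fallback=%d\n",
           rc, demo_direct(), demo_fallback(), demo_fallback_used());
    return rc ? 1 : 0;
}
```

The handler only unwinds while an access is armed; a SIGBUS taken anywhere else stays fatal, which is the check a driver in this position would want so that an unrelated bus error is not silently turned into a device-fd retry. Note that this only recovers loads and stores the application itself wraps; library code touching the mapping gets no such second chance, which is the "unprepared userspace crashes either way" point raised earlier in the thread.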


2024-06-12 12:36:52

by Kirill A. Shutemov

[permalink] [raw]
Subject: Re: [EXTERNAL] Re: [PATCH] x86/tdx: Generate SIGBUS on userspace MMIO

On Tue, Jun 11, 2024 at 07:25:27PM +0200, Jeremi Piotrowski wrote:
> Is there a reason we can't fix the handler to do the #VE->mmio emulation
> for userspace too, so that this scenario works just like outside of a
> CVM?

We are looking into it. It requires some groundwork to properly understand
risks of wider attack surface. I think we will get there, but it will take time.

--
Kiryl Shutsemau / Kirill A. Shutemov