Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp336670imu; Fri, 11 Jan 2019 01:02:57 -0800 (PST) X-Google-Smtp-Source: ALg8bN51JPXXTSRP8YKQpwfsR2T0AaQGEK9rV0m0RuU8kWwtPjKfxgyasHej9mWBVDWRKzTy6ujZ X-Received: by 2002:a63:d157:: with SMTP id c23mr12492197pgj.170.1547197377691; Fri, 11 Jan 2019 01:02:57 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547197377; cv=none; d=google.com; s=arc-20160816; b=agaNyrxwNVt6i2pVYGQ3jG7YMV4oziV766j27Rmz0ewu0ETIbwIfIz+dqDnXFWhRlw p8EY1xXGW6DxfQy+5AwFeAk63g8QzSQuxHXZSL0hzXaKov2Cz4zgGzeo+BOFazJCIYie w3ygWijNg8sHLo6ki4SqXxDNGtx7PwT717tON2bgcIqvayXKDbIaARdwYQ4z5yEpCQv0 Db7Cf2AKSKb8e5rckRr8i5sN2S399eOVHyl5CxP098HvfNEEnOE3abcgNN91pGhfcP6M SX+cVAF6n1kB39F+Wiyc6oIL7Z5R/IE4dG7Fj+BsAm6601+8aGJruXswIQ4CD6LyxhHN 5CWA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:thread-index:thread-topic :content-transfer-encoding:mime-version:subject:references :in-reply-to:message-id:cc:to:from:date; bh=uiTYp+Ppw3mad8DAKlVOjrHL58YIEv2cViJQdmupEX4=; b=UlcauvHhbd/tMYeTPRtOfkMXSjEOY30i8BGUCTubAzQWMVsLErhh2/NJoBVoU8S934 RM8nDzLh3FuMNxuI7yOrojXEZ8iaGXvId6zRSwZSJ5wNWXT1mqHXWDzKDlbsjTamlWfW xKiynKZoTOlWaGl8GJQVwbArp2z0OUgELQ3DT1mYFr81zUYiFwNr9FRIwPSAggPkXyCH 4i6alznux2M8L+uylRT9CgTpmbGZkdMzMtA+w9xZ3o6Ks/gcVj26jGYrS03UuW/k7bKF I1sLbGfqN5mF5v81xChXUxtK1txq6O0Mavy8/Ycy0WR1MneYSaIci0zI97KIpiPkk5yd meGw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t136si33541342pfc.262.2019.01.11.01.02.40; Fri, 11 Jan 2019 01:02:57 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731108AbfAKHpJ (ORCPT + 99 others); Fri, 11 Jan 2019 02:45:09 -0500 Received: from mx1.redhat.com ([209.132.183.28]:54766 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727578AbfAKHpI (ORCPT ); Fri, 11 Jan 2019 02:45:08 -0500 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 2703719D383; Fri, 11 Jan 2019 07:45:07 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 8ABC4600C2; Fri, 11 Jan 2019 07:45:06 +0000 (UTC) Received: from zmail21.collab.prod.int.phx2.redhat.com (zmail21.collab.prod.int.phx2.redhat.com [10.5.83.24]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 554C93F7CB; Fri, 11 Jan 2019 07:45:05 +0000 (UTC) Date: Fri, 11 Jan 2019 02:45:04 -0500 (EST) From: Pankaj Gupta To: Dave Chinner Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, qemu-devel@nongnu.org, linux-nvdimm@ml01.01.org, linux-fsdevel@vger.kernel.org, virtualization@lists.linux-foundation.org, linux-acpi@vger.kernel.org, linux-ext4@vger.kernel.org, linux-xfs@vger.kernel.org, jack@suse.cz, stefanha@redhat.com, dan j williams , riel@surriel.com, nilal@redhat.com, kwolf@redhat.com, pbonzini@redhat.com, zwisler@kernel.org, vishal l verma , dave jiang , david@redhat.com, jmoyer@redhat.com, xiaoguangrong eric , hch@infradead.org, mst@redhat.com, jasowang@redhat.com, lcapitulino@redhat.com, imammedo@redhat.com, eblake@redhat.com, willy@infradead.org, tytso@mit.edu, adilger kernel , darrick wong , rjw@rjwysocki.net Message-ID: <1326478078.61913951.1547192704870.JavaMail.zimbra@redhat.com> In-Reply-To: <20190110012617.GA4205@dastard> References: <20190109144736.17452-1-pagupta@redhat.com> <20190110012617.GA4205@dastard> Subject: Re: [PATCH v3 0/5] kvm "virtio pmem" device MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Originating-IP: [10.65.161.12, 10.4.195.30] Thread-Topic: kvm "virtio pmem" device Thread-Index: BxCbuq7mbfT/7EGJGXq2rFPowBArAw== X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Fri, 11 Jan 2019 07:45:07 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > > On Wed, Jan 09, 2019 at 08:17:31PM +0530, Pankaj Gupta wrote: > > This patch series has implementation for "virtio pmem". > > "virtio pmem" is fake persistent memory(nvdimm) in guest > > which allows to bypass the guest page cache. This also > > implements a VIRTIO based asynchronous flush mechanism. > > Hmmmm. Sharing the host page cache direct into the guest VM. Sounds > like a good idea, but..... > > This means the guest VM can now run timing attacks to observe host > side page cache residency, and depending on the implementation I'm > guessing that the guest will be able to control host side page > cache eviction, too (e.g. via discard or hole punch operations). Not sure how? this is similar to mmapping virtual memory by any userspace process. Any host userspace process can do such attack on host page cache using mincore & mmap shared file. But i don't think guest can do this alone. For virtio-pmem usecase guest won't be using page cache so timing attack from only guest side is not possible unless host userspace can run checks on page cache eviction state using mincore etc. As rightly described by Rik, guest will only access its own page cache pages and if guest page cache is managed directly by host, this saves alot of effort for guest in transferring guest state of page cache. > > Which means this functionality looks to me like a new vector for > information leakage into and out of the guest VM via guest > controlled host page cache manipulation. > > https://arxiv.org/pdf/1901.01161 > > I might be wrong, but if I'm not we're going to have to be very > careful about how guest VMs can access and manipulate host side > resources like the page cache..... If I am following correctly the discussions in MM thread. Important steps to mitigate this: * Avoid running mincore in privilege mode: to safeguard page evict state of any page cache page. * tweaking RWF_NOWAIT I think if we secure ways to find current state(cached/evicted) of a page in host, we should be able to mitigate the impact for any page cache page access attack including virtio-pmem. Thanks, Pankaj