Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp519572ybb; Fri, 20 Mar 2020 03:27:27 -0700 (PDT) X-Google-Smtp-Source: ADFU+vvBPwZwCUctZ1QOd4ZNBAjgdaoPcoz9QivceV8AaBC9wCJ42ibLe32Ja7diDmI8VLUR064i X-Received: by 2002:a05:6830:1d64:: with SMTP id l4mr5915481oti.36.1584700047284; Fri, 20 Mar 2020 03:27:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1584700047; cv=none; d=google.com; s=arc-20160816; b=vZmeJdkKgb78gFoTg7nhO0SaFyb2QP4D+bAZ+fq3/a9gKVx+yMHS5GLKgAfablVoSD zlTJcTGAkAnRCSbEdoAfibHj24P93uK2wFgP/jAmpy0PxbxoURDlshUkzde9QJPWanDF lsIWOQr2lIe6Jbg60AqXVGLteQROGLXsY27uNnrQqLuYTymO2RxjQyX23tBPJ/J/NGUH R56gSS2s7lyYJTacrQBcYHZG3PZtY6Q7fDBrnc241DG3bi2T9UQXyHJh1RrqZJl7TZWP m2BGx/zmvSwKwnnLMTMQUEjXnAXlrJoltNNCgn4wI7yWzAeZSG2Cv/LU2iddy1ZwW68M Jiqw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-transfer-encoding :mime-version:references:in-reply-to:date:subject:cc:to:from; bh=qClO9CwYXZDLTP6PAf56WAUKa3RSskTr9ZgMw9hxmWU=; b=pNbn62gs/DObBFuuWDBGAHTYvU6Lcp8gbrobYy27nkzP74S3WlshC/B5+q9NImp6BQ P+UsmoLtRj8wx+Ek51YxthKbj8089Ah7LRuq/45tE791LFjRaVqZ/0reZ4UMDt8eWbww eKIcyctDLdnwZmsF1zs/uYIiDCSD86JXrUJSqdgZG7Nwpo6GDr8om5bJSaP63Tyvz8nF vtKqwfyqsqySaoGYFHD8lBI+B7x2FbYauGIOOTV36Bl1eUjnCdZHIBwns+ikARhxzcQI EhDq2wkKZvpcxFcPPZWSq1PN8poBPA3mdaqwXybWa0bWDisHn37T0ASJ6sZm/+h4O3Wt HSzQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 38si2733711otu.250.2020.03.20.03.27.15; Fri, 20 Mar 2020 03:27:27 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727194AbgCTK0y (ORCPT + 99 others); Fri, 20 Mar 2020 06:26:54 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:2706 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726631AbgCTK0x (ORCPT ); Fri, 20 Mar 2020 06:26:53 -0400 Received: from pps.filterd (m0098417.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 02KA5DJo032022 for ; Fri, 20 Mar 2020 06:26:51 -0400 Received: from e06smtp01.uk.ibm.com (e06smtp01.uk.ibm.com [195.75.94.97]) by mx0a-001b2d01.pphosted.com with ESMTP id 2yua2d86d3-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Fri, 20 Mar 2020 06:26:51 -0400 Received: from localhost by e06smtp01.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Fri, 20 Mar 2020 10:26:50 -0000 Received: from b06cxnps4074.portsmouth.uk.ibm.com (9.149.109.196) by e06smtp01.uk.ibm.com (192.168.101.131) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Fri, 20 Mar 2020 10:26:47 -0000 Received: from b06wcsmtp001.portsmouth.uk.ibm.com (b06wcsmtp001.portsmouth.uk.ibm.com [9.149.105.160]) by b06cxnps4074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 02KAQkkI49938592 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 20 Mar 2020 10:26:46 GMT Received: from b06wcsmtp001.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 45FB5A405C; Fri, 20 Mar 2020 10:26:46 +0000 (GMT) Received: from b06wcsmtp001.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D2C27A405B; Fri, 20 Mar 2020 10:26:45 +0000 (GMT) Received: from pomme.tlslab.ibm.com (unknown [9.145.123.35]) by b06wcsmtp001.portsmouth.uk.ibm.com (Postfix) with ESMTP; Fri, 20 Mar 2020 10:26:45 +0000 (GMT) From: Laurent Dufour To: linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org, kvm-ppc@vger.kernel.org Cc: Bharata B Rao , Paul Mackerras , Benjamin Herrenschmidt , Michael Ellerman Subject: [PATCH 1/2] KVM: PPC: Book3S HV: check caller of H_SVM_* Hcalls Date: Fri, 20 Mar 2020 11:26:42 +0100 X-Mailer: git-send-email 2.25.2 In-Reply-To: <20200320102643.15516-1-ldufour@linux.ibm.com> References: <20200320102643.15516-1-ldufour@linux.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 x-cbid: 20032010-4275-0000-0000-000003AFA875 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 20032010-4276-0000-0000-000038C4D94F Message-Id: <20200320102643.15516-2-ldufour@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138,18.0.645 definitions=2020-03-20_02:2020-03-20,2020-03-20 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 mlxlogscore=999 malwarescore=0 suspectscore=0 clxscore=1015 phishscore=0 priorityscore=1501 adultscore=0 bulkscore=0 spamscore=0 mlxscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2003200044 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The Hcall named H_SVM_* are reserved to the Ultravisor. However, nothing prevent a malicious VM or SVM to call them. This could lead to weird result and should be filtered out. Checking the Secure bit of the calling MSR ensure that the call is coming from either the Ultravisor or a SVM. But any system call made from a SVM are going through the Ultravisor, and the Ultravisor should filter out these malicious call. This way, only the Ultravisor is able to make such a Hcall. Cc: Bharata B Rao Cc: Paul Mackerras Cc: Benjamin Herrenschmidt Cc: Michael Ellerman Signed-off-by: Laurent Dufour --- arch/powerpc/kvm/book3s_hv.c | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c index 33be4d93248a..43773182a737 100644 --- a/arch/powerpc/kvm/book3s_hv.c +++ b/arch/powerpc/kvm/book3s_hv.c @@ -1074,25 +1074,35 @@ int kvmppc_pseries_do_hcall(struct kvm_vcpu *vcpu) kvmppc_get_gpr(vcpu, 6)); break; case H_SVM_PAGE_IN: - ret = kvmppc_h_svm_page_in(vcpu->kvm, - kvmppc_get_gpr(vcpu, 4), - kvmppc_get_gpr(vcpu, 5), - kvmppc_get_gpr(vcpu, 6)); + ret = H_UNSUPPORTED; + if (kvmppc_get_srr1(vcpu) & MSR_S) + ret = kvmppc_h_svm_page_in(vcpu->kvm, + kvmppc_get_gpr(vcpu, 4), + kvmppc_get_gpr(vcpu, 5), + kvmppc_get_gpr(vcpu, 6)); break; case H_SVM_PAGE_OUT: - ret = kvmppc_h_svm_page_out(vcpu->kvm, - kvmppc_get_gpr(vcpu, 4), - kvmppc_get_gpr(vcpu, 5), - kvmppc_get_gpr(vcpu, 6)); + ret = H_UNSUPPORTED; + if (kvmppc_get_srr1(vcpu) & MSR_S) + ret = kvmppc_h_svm_page_out(vcpu->kvm, + kvmppc_get_gpr(vcpu, 4), + kvmppc_get_gpr(vcpu, 5), + kvmppc_get_gpr(vcpu, 6)); break; case H_SVM_INIT_START: - ret = kvmppc_h_svm_init_start(vcpu->kvm); + ret = H_UNSUPPORTED; + if (kvmppc_get_srr1(vcpu) & MSR_S) + ret = kvmppc_h_svm_init_start(vcpu->kvm); break; case H_SVM_INIT_DONE: - ret = kvmppc_h_svm_init_done(vcpu->kvm); + ret = H_UNSUPPORTED; + if (kvmppc_get_srr1(vcpu) & MSR_S) + ret = kvmppc_h_svm_init_done(vcpu->kvm); break; case H_SVM_INIT_ABORT: - ret = kvmppc_h_svm_init_abort(vcpu->kvm); + ret = H_UNSUPPORTED; + if (kvmppc_get_srr1(vcpu) & MSR_S) + ret = kvmppc_h_svm_init_abort(vcpu->kvm); break; default: -- 2.25.2