Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp3075243pxa; Tue, 25 Aug 2020 10:43:15 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyEYqmqcLKpOnTATDv2bD/+amVpYhLQ+NnEUjhA6DA2cwU21pW8P0cbLj8sgGtsrffk9QAH X-Received: by 2002:a50:f30e:: with SMTP id p14mr8491275edm.31.1598377394829; Tue, 25 Aug 2020 10:43:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598377394; cv=none; d=google.com; s=arc-20160816; b=G7IcN+gbydYPjys49h8Xtfvr7yuR8u8TY9J8NbVmRP/40sJ9ueUfb7yMwNk0LjyB48 RosPXKu/L/TufyiiIwf31uoTl9x0SkrjZGNwYwjkrmEeoRsSE1RQSgjJD74sUGbemrcx kChEugebsv0miC0/+JA0CAQfO0QtmsxjmxLBqYv938JO+mde/bGUw5d+7Utou+qTJ+UG 2GCVmAiNLWjwzjjGeSQ4jcz0khmZ+Ok45EGxzo5FMaDazcoJzEmufeiVxwdCPw1YC2+5 8NVrIADaX5+HAY5ikdsdAwPyfDXZzEtEP4OPZZwO2eedkUFSDi6ablAocBFXzimzU3sv iovQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=KR9UDbkwVaDLCPkdi3aRsOZuTUPPMX7n1skoyD8HkH8=; b=aBeu2bUljja1GpfSpvEfO8Auig/Z8rAwQXK6rHyvf3GZdcgisHuaRo7w2neYA9Q6Rk lJ+w5a095Ldlj5IR9SlTirK9Sie7Mi9mcwQ0AMzkznsMno5J+Idijd//rCi+z08h5NPy m43mxucVlaM8EAMh68jx6E3RIg1JVOmELm+wZ/6t2ZikTh/I/K+TXfAx2qXJDkTTIpTv /wQ93ty1qaeRV/vhG3ICdR4wHjxw1X80sB086+RCzzTiGmsGrwWFqOPQuou689qMugR2 zDhCf9kMK8BzBEf/fqrHTPXbwwQe+H38Zqc4WZZDWePmkbELjV+1hrem80gqp9bmMwAa Jbmg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Oij2eI5J; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s5si6594401eji.321.2020.08.25.10.42.50; Tue, 25 Aug 2020 10:43:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Oij2eI5J; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726475AbgHYRmB (ORCPT + 99 others); Tue, 25 Aug 2020 13:42:01 -0400 Received: from mail.kernel.org ([198.145.29.99]:55788 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725936AbgHYRmA (ORCPT ); Tue, 25 Aug 2020 13:42:00 -0400 Received: from mail-wm1-f45.google.com (mail-wm1-f45.google.com [209.85.128.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E81CB2087C for ; Tue, 25 Aug 2020 17:41:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1598377320; bh=kYKBKWPdmIGbowfnANRtKnPRq86WNOXztM21yJfgy/8=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=Oij2eI5JkXzLlsBn/eF7PnI3rfkUCoAgdebAy7NdWTrmhYYqTFRf/LrRywr7qP4c6 sZshwlstASSBuHHm/09pXiY0y/BT2PCOzWU63a40UUb7V8tfNu+zdZZm49K5mqEvO5 l9iJq7Dc9WrOBnGnRTjeERTJxrPl3crUYiGmA5uQ= Received: by mail-wm1-f45.google.com with SMTP id x5so3380970wmi.2 for ; Tue, 25 Aug 2020 10:41:59 -0700 (PDT) X-Gm-Message-State: AOAM530bbOIwr7plu1u3WaWC11W/1TDnS2/aStWF5hgqqYTQpy8GGbGa ueJmE101c1GC5YUSzirO+d2Nc+/o9uRiDQEVKJeCKw== X-Received: by 2002:a1c:7e02:: with SMTP id z2mr3108351wmc.138.1598377318393; Tue, 25 Aug 2020 10:41:58 -0700 (PDT) MIME-Version: 1.0 References: <875z98jkof.fsf@nanos.tec.linutronix.de> <3babf003-6854-e50a-34ca-c87ce4169c77@citrix.com> <20200825043959.GF15046@sjchrist-ice> <20200825171903.GA20660@sjchrist-ice> In-Reply-To: From: Andy Lutomirski Date: Tue, 25 Aug 2020 10:41:46 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: TDX #VE in SYSCALL gap (was: [RFD] x86: Curing the exception and syscall trainwreck in hardware) To: "Luck, Tony" Cc: Andy Lutomirski , "Christopherson, Sean J" , Andrew Cooper , Thomas Gleixner , LKML , X86 ML , Linus Torvalds , Tom Lendacky , Pu Wen , Stephen Hemminger , Sasha Levin , Dirk Hohndel , Jan Kiszka , Tony W Wang-oc , "H. Peter Anvin" , "Mallick, Asit K" , Gordon Tetlow , David Kaplan Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Aug 25, 2020 at 10:36 AM Luck, Tony wrote: > > > > Or malicious hypervisor action, and that's a problem. > > > > > > Suppose the hypervisor remaps a GPA used in the SYSCALL gap (e.g. the > > > actual SYSCALL text or the first memory it accesses -- I don't have a > > > TDX spec so I don't know the details). > > Is it feasible to defend against a malicious (or buggy) hypervisor? > > Obviously, we can't leave holes that guests can exploit. But the hypervisor > can crash the system no matter how clever TDX is. Crashing the system is one thing. Corrupting the system in a way that could allow code execution is another thing entirely. And the whole point of TDX is to defend the guest against the hypervisor.