From: Yongji Xie
Date: Fri, 14 May 2021 19:27:22 +0800
Subject: Re: Re: [RFC PATCH V2 0/7] Do not read from descriptor ring
To: Stefan Hajnoczi
Cc: Jason Wang, mst, virtualization, linux-kernel, file@sect.tu-berlin.de, ashish.kalra@amd.com, konrad.wilk@oracle.com, kvm, Christoph Hellwig
References: <20210423080942.2997-1-jasowang@redhat.com>
List-ID: linux-kernel@vger.kernel.org

On Fri, May 14, 2021 at 7:17 PM Stefan Hajnoczi wrote:
>
> On Fri, May 14, 2021 at 03:29:20PM +0800, Jason Wang wrote:
> > On Fri, May 14, 2021 at 12:27 AM Stefan Hajnoczi wrote:
> > >
> > > On Fri, Apr 23, 2021 at 04:09:35PM +0800, Jason Wang wrote:
> > > > Sometimes, the driver doesn't trust the device. This usually
> > > > happens for the encrypted VM or VDUSE[1].
> > >
> > > Thanks for doing this.
> > >
> > > Can you describe the overall memory safety model that virtio drivers
> > > must follow?
> >
> > My understanding is that, basically, the driver should not trust the
> > device (since the driver doesn't know what kind of device it
> > tries to drive).
> >
> > 1) For any read-only metadata (required at the spec level) which is
> > mapped as coherent, the driver should not depend on the metadata that is
> > stored in a place that could be written by the device. This is what this
> > series tries to achieve.
> > 2) For other metadata that is produced by the device, we need to make
> > sure there's no malicious device-triggered behavior; this is somehow
> > similar to what vhost did. No DoS, loop, kernel bug and other stuff.
> > 3) swiotlb is a must to enforce memory access isolation. (VDUSE or encrypted VM)
> >
> > > For example:
> > >
> > > - Driver-to-device buffers must be on dedicated pages to avoid
> > > information leaks.
> >
> > It looks to me if swiotlb is used, we don't need this since the
> > bouncing is not done at byte not page.
> >
> > But if swiotlb is not used, we need to enforce this.
> >
> > >
> > > - Driver-to-device buffers must be on dedicated pages to avoid memory
> > > corruption.
> >
> > Similar to the above.
> >
> > >
> > > When I say "pages" I guess it's the IOMMU page size that matters?
> > >
> >
> > And the IOTLB page size.
> >
> > > What is the memory access granularity of VDUSE?
> >
> > It has a swiotlb, but the access and bouncing is done per byte.
> >
> > >
> > > I'm asking these questions because there is driver code that exposes
> > > kernel memory to the device and I'm not sure it's safe. For example:
> > >
> > >   static int virtblk_add_req(struct virtqueue *vq, struct virtblk_req *vbr,
> > >                              struct scatterlist *data_sg, bool have_data)
> > >   {
> > >       struct scatterlist hdr, status, *sgs[3];
> > >       unsigned int num_out = 0, num_in = 0;
> > >
> > >       sg_init_one(&hdr, &vbr->out_hdr, sizeof(vbr->out_hdr));
> > >                         ^^^^^^^^^^^^^
> > >       sgs[num_out++] = &hdr;
> > >
> > >       if (have_data) {
> > >           if (vbr->out_hdr.type & cpu_to_virtio32(vq->vdev, VIRTIO_BLK_T_OUT))
> > >               sgs[num_out++] = data_sg;
> > >           else
> > >               sgs[num_out + num_in++] = data_sg;
> > >       }
> > >
> > >       sg_init_one(&status, &vbr->status, sizeof(vbr->status));
> > >                            ^^^^^^^^^^^^
> > >       sgs[num_out + num_in++] = &status;
> > >
> > >       return virtqueue_add_sgs(vq, sgs, num_out, num_in, vbr, GFP_ATOMIC);
> > >   }
> > >
> > > I guess the drivers don't need to be modified as long as swiotlb is used
> > > to bounce the buffers through "insecure" memory so that the memory
> > > surrounding the buffers is not exposed?
> >
> > Yes, swiotlb won't bounce the whole page. So I think it's safe.
>
> Thanks Jason and Yongji Xie for clarifying. Seems like swiotlb or a
> similar mechanism can handle byte-granularity isolation so the drivers
> need not worry about information leaks or memory corruption outside
> the mapped byte range.
>
> We still need to audit virtio guest drivers to ensure they don't trust
> data that can be modified by the device. I will look at virtio-blk and
> virtio-fs next week.
>

Oh, that's great. Thank you! I also did some audit work these days and
will send a new version for reviewing next Monday.

Thanks,
Yongji
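The two rules Jason states above (1: read-only descriptor metadata must be kept in a driver-private copy rather than re-read from device-writable ring memory; 2: device-produced metadata such as used-ring entries must be validated so a misbehaving device cannot cause out-of-bounds access or oversized lengths) illustrated as an added, stand-alone C example. This is not code from the patch series or from the kernel's virtio_ring.c; the structures and function names (desc, used_elem, vq, vq_add, vq_complete_naive, vq_complete_hardened, tampering_device, run_tampered, run_honest) are constructed for illustration, and only the flag value DESC_F_WRITE is borrowed from the virtio spec's VRING_DESC_F_WRITE.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define QUEUE_SIZE   8
#define DESC_F_WRITE 2   /* same value as the spec's VRING_DESC_F_WRITE: device writes this buffer */

/* Constructed stand-in for a split-virtqueue descriptor (not the kernel's struct vring_desc). */
struct desc {
    uint64_t addr;
    uint32_t len;
    uint16_t flags;
    uint16_t next;
};

/* Used-ring element as produced by the device: head index and bytes written.
 * Both fields are device-controlled input and must be validated. */
struct used_elem {
    uint32_t id;
    uint32_t len;
};

struct vq {
    struct desc ring[QUEUE_SIZE];    /* shared with the device: device-writable memory */
    struct desc shadow[QUEUE_SIZE];  /* driver-private copy the device cannot reach */
    bool in_use[QUEUE_SIZE];
};

/* Driver posts a buffer: write the descriptor to the shared ring and keep a private copy. */
int vq_add(struct vq *q, uint16_t idx, uint64_t addr, uint32_t len, bool device_writes)
{
    if (idx >= QUEUE_SIZE || q->in_use[idx])
        return -1;
    struct desc d = { .addr = addr, .len = len,
                      .flags = device_writes ? DESC_F_WRITE : 0, .next = 0 };
    q->shadow[idx] = d;
    q->ring[idx] = d;
    q->in_use[idx] = true;
    return 0;
}

/* Naive completion: re-reads metadata from the shared ring and trusts the used element
 * (index unchecked). A device that rewrites ring[] or reports a bogus len steers the driver. */
int64_t vq_complete_naive(struct vq *q, const struct used_elem *u, uint64_t *addr)
{
    const struct desc *d = &q->ring[u->id];
    *addr = d->addr;
    return u->len;
}

/* Hardened completion: bounds-check the device-supplied id, take addr/len from the
 * shadow copy, and reject a reported length larger than what the driver posted. */
int64_t vq_complete_hardened(struct vq *q, const struct used_elem *u, uint64_t *addr)
{
    if (u->id >= QUEUE_SIZE || !q->in_use[u->id])
        return -1;                          /* bogus or stale id: reject, don't loop or crash */
    const struct desc *d = &q->shadow[u->id];
    if (u->len > d->len)
        return -1;                          /* device claims more bytes than the buffer holds */
    if (!(d->flags & DESC_F_WRITE) && u->len != 0)
        return -1;                          /* device claims to have written a read-only buffer */
    *addr = d->addr;
    q->in_use[u->id] = false;
    return u->len;
}

/* Simulated misbehaving device: rewrites the shared descriptor after the driver posted it
 * and reports an inflated used length. */
void tampering_device(struct vq *q, uint16_t idx, struct used_elem *u)
{
    q->ring[idx].addr = 0xdeadbeef;         /* constructed bogus address */
    q->ring[idx].len  = 1u << 30;           /* inflated length */
    u->id  = idx;
    u->len = 1u << 30;
}

struct outcome { int64_t naive_len, hard_len; uint64_t naive_addr, hard_addr; };

/* Scenario: driver posts a 512-byte device-writable buffer at 0x1000 in slot 3, device tampers. */
struct outcome run_tampered(void)
{
    struct vq q; memset(&q, 0, sizeof q);
    struct used_elem u;
    struct outcome o = { 0, 0, 0, 0 };
    vq_add(&q, 3, 0x1000, 512, true);
    tampering_device(&q, 3, &u);
    o.naive_len = vq_complete_naive(&q, &u, &o.naive_addr);
    o.hard_len  = vq_complete_hardened(&q, &u, &o.hard_addr);
    return o;
}

/* Scenario: a well-behaved device reports 512 bytes written for the same buffer. */
struct outcome run_honest(void)
{
    struct vq q; memset(&q, 0, sizeof q);
    struct used_elem u = { .id = 3, .len = 512 };
    struct outcome o = { 0, 0, 0, 0 };
    vq_add(&q, 3, 0x1000, 512, true);
    o.hard_len = vq_complete_hardened(&q, &u, &o.hard_addr);
    return o;
}

int main(void)
{
    struct outcome t = run_tampered(), h = run_honest();
    printf("tampered: naive len=%lld addr=0x%llx, hardened rc=%lld\n",
           (long long)t.naive_len, (unsigned long long)t.naive_addr, (long long)t.hard_len);
    printf("honest: hardened len=%lld addr=0x%llx\n",
           (long long)h.hard_len, (unsigned long long)h.hard_addr);
    return 0;
}
```

The naive path ends up with the device's rewritten address and a 1 GiB length, which is exactly the class of bug the series closes by never reading descriptor metadata back from the ring; the hardened path uses the shadow copy and treats the used element as untrusted input, so the tampered completion is rejected while the honest one returns the posted address and length.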