Message-Id: <2b2dec75-a0c1-4013-ac49-a49f30d5ac3c@www.fastmail.com>
References: <20210603004133.4079390-1-ak@linux.intel.com> <20210603004133.4079390-2-ak@linux.intel.com>
Date: Thu, 03 Jun 2021 12:31:59 -0700
From: "Andy Lutomirski"
To: "Andi Kleen", mst@redhat.com
Cc: jasowang@redhat.com, virtualization@lists.linux-foundation.org, hch@lst.de, m.szyprowski@samsung.com, robin.murphy@arm.com, iommu@lists.linux-foundation.org, "the arch/x86 maintainers", sathyanarayanan.kuppuswamy@linux.intel.com, "Josh Poimboeuf", "Linux Kernel Mailing List"
Subject: Re: [PATCH v1 1/8] virtio: Force only split mode with protected guest
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jun 3, 2021, at 11:00 AM, Andi Kleen wrote:
> 
> On 6/3/2021 10:33 AM, Andy Lutomirski wrote:
> > On 6/2/21 5:41 PM, Andi Kleen wrote:
> >> Only allow split mode when in a protected guest. Follow-on
> >> patches harden the split mode code paths, and we don't want
> >> a malicious host to force anything else. Also disallow
> >> indirect mode for similar reasons.
> > I read this as "the virtio driver is buggy. Let's disable most of the
> > buggy code in one special case in which we need a driver without bugs.
> > In all the other cases (e.g. hardware virtio device connected over
> > USB-C), driver bugs are still allowed."
> 
> My understanding is most of the other modes (except for split with
> separate descriptors) are obsolete and just there for compatibility. As
> long as they're deprecated they won't harm anyone.
> 
> Tell that to every crypto downgrade attack ever.

I see two credible solutions:

1. Actually harden the virtio driver.

2. Have a new virtio-modern driver and use it for modern use cases. Maybe rename the old driver virtio-legacy or virtio-insecure. They can share code.

Another snag you may hit: virtio's heuristic for whether to use proper DMA ops or to bypass them is a giant kludge. I'm very slightly optimistic that getting the heuristic wrong will make the driver fail to operate but won't allow the host to take over the guest, but I'm not really convinced. And I wrote that code! A virtio-modern mode probably should not have a heuristic, and the various iommu-bypassing modes should be fixed to work at the bus level, not the device level.
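The gating the patch describes (split mode only, no indirect descriptors, when running as a protected guest) together with the downgrade point raised above, as an added illustration that is not code from the patch series or from Linux: a hypothetical guest-side negotiation helper that treats the host-offered ring features as an allowlist in a protected guest and refuses a device that does not advertise VIRTIO_F_VERSION_1 instead of falling back to legacy code paths. The feature bit numbers are those of the virtio specification; the function, its return codes and the VIRTIO_F_VERSION_1 requirement are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Feature bit numbers as defined in the virtio specification. */
#define VIRTIO_RING_F_INDIRECT_DESC 28
#define VIRTIO_F_VERSION_1          32
#define VIRTIO_F_RING_PACKED        34
#define BIT64(n) ((uint64_t)1 << (n))

/* Return codes of the hypothetical helper (not a Linux API). */
enum negotiate_result {
    NEGOTIATE_OK = 0,
    NEGOTIATE_REJECT_LEGACY   /* device offers no VIRTIO_F_VERSION_1 */
};

/*
 * Decide which host-offered feature bits the guest acknowledges.
 * In a protected guest the host is untrusted, so instead of trusting
 * whatever ring layout it advertises we: (1) refuse a device that does
 * not advertise the modern interface, rather than "downgrading" to the
 * legacy driver paths, and (2) strip indirect descriptors and packed
 * rings, leaving only split mode with separate descriptors, the one
 * layout the hardening work covers.  Outside a protected guest the
 * offered bits are accepted unchanged.
 */
enum negotiate_result negotiate_features(uint64_t host_features,
                                         bool protected_guest,
                                         uint64_t *accepted)
{
    uint64_t features = host_features;

    if (protected_guest) {
        if (!(features & BIT64(VIRTIO_F_VERSION_1)))
            return NEGOTIATE_REJECT_LEGACY;
        features &= ~(BIT64(VIRTIO_RING_F_INDIRECT_DESC) |
                      BIT64(VIRTIO_F_RING_PACKED));
    }
    *accepted = features;
    return NEGOTIATE_OK;
}

int main(void)
{
    /* Constructed sample: a host that offers packed rings and indirect descriptors. */
    uint64_t offered = BIT64(VIRTIO_F_VERSION_1) | BIT64(VIRTIO_F_RING_PACKED) |
                       BIT64(VIRTIO_RING_F_INDIRECT_DESC);
    uint64_t accepted = 0;

    if (negotiate_features(offered, true, &accepted) == NEGOTIATE_OK)
        printf("protected guest acknowledges 0x%llx\n", (unsigned long long)accepted);
    return 0;
}
```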