Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp630407pxv; Thu, 22 Jul 2021 08:33:23 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx7AUgnqkRSjXCcaE9pln4XFjHx0WkW+6N3miT2HTQB73etALiRrQXvuaY/26R/y1lvUpF9 X-Received: by 2002:a92:1944:: with SMTP id e4mr294002ilm.186.1626968003148; Thu, 22 Jul 2021 08:33:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626968003; cv=none; d=google.com; s=arc-20160816; b=N9DtLbD2cb6nnPC6HpSpbeIb89oAYFgC/S6bAUn+CaGvNJ1TOGEqK1FX2sku9qAkzn GPVW1+iUt8njKVUSZ91QWzH+zG4QZf2qaBM89PgBA+Xifsof6rdBLpWJFbdw8nBtDQ2g PlyFxrIzZNgzhFKhtd1SlxEzJ6BWoz/GnA6aAL9lDV1MQyk3BLScjrbCzpAXw9Js0OCB +sCYVFkTPV5hRHQc0hbIU4GeYaAVdEuDY+K1l8FapLoWODqbxVW8Z8WiiePDG8KIR+H4 S3vQt5f6AXy0HXFRT2uzo6nccqOd1sGmrEJmqslxL8SnS191rqsIBXFyPCVM4dF4BwoQ UT6Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:references:in-reply-to :subject:cc:to:from:message-id:date; bh=2lpdzv0mva0mQwiPpk60Pd3uu35eQH+g1bcw+yKvHoA=; b=URD5gIAWXNbREAxIeCvc8Tizdrz9Hlm4RqXMkONaHnsHeTK81q9XtGBQvK5jq6hZkL wXtBIpwYkGdaIy1zaEWgAut57mLRbKb+8S40b3szIkA97l/QZ2T4ZmYQfrS2IJ8PFw5C sAZu+YPJZ133C+Xte/0FMvk2CNTC7S1roHxw8ahhhBOwcIfGn3GRDAywC9ir1Yt4vGib 6y0GVX8E3Doe8CVsiKsK9LmxiZCUm+vJJy+0L+9moI3CTRQ16Zd1jLGHPsUPbdtrbEnv CYeymVODlxfEk4FGg+5bFZ05mZH4sNRhSJySD0V9Df8FzOdjGZSvo4H9e/I0h9LATCfu BOCg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h41si9105734jaa.50.2021.07.22.08.33.10; Thu, 22 Jul 2021 08:33:23 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232575AbhGVOt6 (ORCPT + 99 others); Thu, 22 Jul 2021 10:49:58 -0400 Received: from mail.kernel.org ([198.145.29.99]:36754 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232138AbhGVOt5 (ORCPT ); Thu, 22 Jul 2021 10:49:57 -0400 Received: from disco-boy.misterjones.org (disco-boy.misterjones.org [51.254.78.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 316C360BD3; Thu, 22 Jul 2021 15:30:32 +0000 (UTC) Received: from sofa.misterjones.org ([185.219.108.64] helo=wait-a-minute.misterjones.org) by disco-boy.misterjones.org with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1m6aec-000IEl-22; Thu, 22 Jul 2021 16:30:30 +0100 Date: Thu, 22 Jul 2021 16:30:29 +0100 Message-ID: <87y29y1i3u.wl-maz@kernel.org> From: Marc Zyngier To: Andrew Jones Cc: linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@android.com, Srivatsa Vaddagiri , Shanker R Donthineni , will@kernel.org Subject: Re: [PATCH 00/16] KVM: arm64: MMIO guard PV services In-Reply-To: <20210722132515.y66qi23r6ty3anax@gator> References: <20210715163159.1480168-1-maz@kernel.org> <20210721214243.dy6d644yznuopuqx@gator> <874kcm3byd.wl-maz@kernel.org> <20210722132515.y66qi23r6ty3anax@gator> User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM-LB/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL-LB/10.8 EasyPG/1.0.0 Emacs/27.1 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO) MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue") Content-Type: text/plain; charset=US-ASCII X-SA-Exim-Connect-IP: 185.219.108.64 X-SA-Exim-Rcpt-To: drjones@redhat.com, linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@android.com, vatsa@codeaurora.org, sdonthineni@nvidia.com, will@kernel.org X-SA-Exim-Mail-From: maz@kernel.org X-SA-Exim-Scanned: No (on disco-boy.misterjones.org); SAEximRunCond expanded to false Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 22 Jul 2021 14:25:15 +0100, Andrew Jones wrote: > > On Thu, Jul 22, 2021 at 11:00:26AM +0100, Marc Zyngier wrote: > > On Wed, 21 Jul 2021 22:42:43 +0100, > > Andrew Jones wrote: > > > > > > On Thu, Jul 15, 2021 at 05:31:43PM +0100, Marc Zyngier wrote: > > > > KVM/arm64 currently considers that any memory access outside of a > > > > memslot is a MMIO access. This so far has served us very well, but > > > > obviously relies on the guest trusting the host, and especially > > > > userspace to do the right thing. > > > > > > > > As we keep on hacking away at pKVM, it becomes obvious that this trust > > > > model is not really fit for a confidential computing environment, and > > > > that the guest would require some guarantees that emulation only > > > > occurs on portions of the address space that have clearly been > > > > identified for this purpose. > > > > > > This trust model is hard for me to reason about. userspace is trusted to > > > control the life cycle of the VM, to prepare the memslots for the VM, > > > and [presumably] identify what MMIO ranges are valid, yet it's not > > > trusted to handle invalid MMIO accesses. I'd like to learn more about > > > this model and the userspace involved. > > > > Imagine the following scenario: > > > > On top of the normal memory described as memslots (which pKVM will > > ensure that userspace cannot access), > > Ah, I didn't know that part. Yeah, that's the crucial bit. By default, pKVM guests do not share any memory with anyone, so the memslots are made inaccessible from both the VMM and the host kernel. The guest has to explicitly change the state of the memory it wants to share back with the host for things like IO. > > > a malicious userspace describes > > to the guest another memory region in a firmware table and does not > > back it with a memslot. > > > > The hypervisor cannot validate this firmware description (imagine > > doing ACPI and DT parsing at EL2...), so the guest starts using this > > "memory" for something, and data slowly trickles all the way to EL0. > > Not what you wanted. > > Yes, I see that now, in light of the above. > > > > > To ensure that this doesn't happen, we reverse the problem: userspace > > (and ultimately the EL1 kernel) doesn't get involved on a translation > > fault outside of a memslot *unless* the guest has explicitly asked for > > that page to be handled as a MMIO. With that, we have a full > > description of the IPA space contained in the S2 page tables: > > > > - memory described via a memslot, > > - directly mapped device (GICv2, for exmaple), > > - MMIO exposed for emulation > > > > and anything else is an invalid access that results in an abort. > > > > Does this make sense to you? > > Now I understand better, but if we're worried about malicious userspaces, > then how do we protect the guest from "bad" MMIO devices that have been > described to it? The guest can request access to those using this new > mechanism. We don't try to do anything about a malicious IO device. Any IO should be considered as malicious, and you don't want to give it anything in clear-text if it is supposed to be secret. Eventually, you'd probably want directly assigned devices that can attest to the guest that they are what they pretend to be, but that's a long way away. For now, we only want to enable virtio with a reduced level of trust (bounce buffering via shared pages for DMA, and reduced MMIO exposure). Thanks, M. -- Without deviation from the norm, progress is not possible.