Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates
 216.228.112.34 as permitted sender) receiver=protection.outlook.com;
 client-ip=216.228.112.34; helo=mail.nvidia.com;
Subject: Re: [PATCH v5] virtio-blk: Add validation for block size in config
 space
To:     Yongji Xie <xieyongji@bytedance.com>
CC:     "Michael S. Tsirkin" <mst@redhat.com>,
        Jason Wang <jasowang@redhat.com>,
        Stefan Hajnoczi <stefanha@redhat.com>,
        virtualization <virtualization@lists.linux-foundation.org>,
        <linux-block@vger.kernel.org>,
        linux-kernel <linux-kernel@vger.kernel.org>
References: <20210809101609.148-1-xieyongji@bytedance.com>
 <e6ab104e-a18b-3f17-9cd8-6a6b689b56b4@nvidia.com>
 <CACycT3sNRRBrSTJOUr=POc-+BOAgfT7+qgFE2BLBTGJ30cZVsQ@mail.gmail.com>
 <dc8e7f6d-9aa6-58c6-97f7-c30391aeac5d@nvidia.com>
 <CACycT3v83sVvUWxZ-+SDyeXMPiYd0zi5mtmg8AkXYgVLxVpTvA@mail.gmail.com>
 <06af4897-7339-fca7-bdd9-e0f9c2c6195b@nvidia.com>
 <CACycT3usFyVyBuJBz2n5TRPveKKUXTqRDMo76VkGu7NCowNmvg@mail.gmail.com>
 <6d6154d7-7947-68be-4e1e-4c1d0a94b2bc@nvidia.com>
 <CACycT3sxeUQa7+QA0CAx47Y3tVHKigcQEfEHWi04aWA5xbgA9A@mail.gmail.com>
From:   Max Gurtovoy <mgurtovoy@nvidia.com>
Message-ID: <7f0181d7-ff5c-0346-66ee-1de3ed23f5dd@nvidia.com>
Date:   Mon, 23 Aug 2021 13:45:31 +0300
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101
 Thunderbird/78.13.0
MIME-Version: 1.0
In-Reply-To: <CACycT3sxeUQa7+QA0CAx47Y3tVHKigcQEfEHWi04aWA5xbgA9A@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 23 Aug 2021 10:45:36.5044
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 1833081c-762b-4957-6026-08d966232440
X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[216.228.112.34];Helo=[mail.nvidia.com]
X-MS-Exchange-CrossTenant-AuthSource: CO1NAM11FT061.eop-nam11.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR12MB4041
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


On 8/23/2021 1:33 PM, Yongji Xie wrote:
> On Mon, Aug 23, 2021 at 5:38 PM Max Gurtovoy <mgurtovoy@nvidia.com> wrote:
>>
>> On 8/23/2021 12:27 PM, Yongji Xie wrote:
>>> On Mon, Aug 23, 2021 at 5:04 PM Max Gurtovoy <mgurtovoy@nvidia.com> wrote:
>>>> On 8/23/2021 11:35 AM, Yongji Xie wrote:
>>>>> On Mon, Aug 23, 2021 at 4:07 PM Max Gurtovoy <mgurtovoy@nvidia.com> wrote:
>>>>>> On 8/23/2021 7:31 AM, Yongji Xie wrote:
>>>>>>> On Mon, Aug 23, 2021 at 7:17 AM Max Gurtovoy <mgurtovoy@nvidia.com> wrote:
>>>>>>>> On 8/9/2021 1:16 PM, Xie Yongji wrote:
>>>>>>>>> An untrusted device might presents an invalid block size
>>>>>>>>> in configuration space. This tries to add validation for it
>>>>>>>>> in the validate callback and clear the VIRTIO_BLK_F_BLK_SIZE
>>>>>>>>> feature bit if the value is out of the supported range.
>>>>>>>> This is not clear to me. What is untrusted device ? is it a buggy device ?
>>>>>>>>
>>>>>>> A buggy device, the devices in an encrypted VM, or a userspace device
>>>>>>> created by VDUSE [1].
>>>>>>>
>>>>>>> [1] https://lore.kernel.org/kvm/20210818120642.165-1-xieyongji@bytedance.com/
>>>>>> if it's a userspace device, why don't you fix its control path code
>>>>>> instead of adding workarounds in the kernel driver ?
>>>>>>
>>>>> VDUSE kernel module would not touch (be aware of) the device specific
>>>>> configuration space. It should be more reasonable to fix it in the
>>>>> device driver. There is also some existing interface (.validate()) for
>>>>> doing that.
>>>> who is emulating the device configuration space ?
>>>>
>>> A userspace daemon will initialize the device configuration space and
>>> pass the contents to the VDUSE kernel module. The VDUSE kernel module
>>> will handle the access of the config space from the virtio device
>>> driver, but it doesn't need to know the contents (although we can know
>>> that).
>> So you add a workaround in the guest kernel drivers instead of checking
>> these quirks in the hypervisor ?
>>
> I didn't see any problem adding this validation in the device driver.
>
>> VDUSE kernel should enforce the security for the devices it
>> emulates/presents to the VM.
>>
> I agree that the VDUSE kernel should enforce the security for the
> emulated devices. But I still think the virtio device driver should
> handle this case since nobody can make sure the device can always set
> the correct value. Adding this validation would be helpful.

It helpful if there is a justification for this.

In this case, no such HW device exist and the only device that can cause 
this trouble today is user space VDUSE device that must be validated by 
the emulation VDUSE kernel driver.

Otherwise, will can create 1000 commit like this in the virtio level 
(for example for each feature for each virtio device).

>
>>>>> And regardless of userspace device, we still need to fix it for other cases.
>>>> which cases ? Do you know that there is a buggy HW we need to workaround ?
>>>>
>>> No, there isn't now. But this could be a potential attack surface if
>>> the host doesn't trust the device.
>> If the host doesn't trust a device, why it continues using it ?
>>
> IIUC this is the case for the encrypted VMs.

what do you mean encrypted VM ?

And how this small patch causes a VM to be 100% encryption supported ?

>> Do you suggest we do these workarounds in all device drivers in the kernel ?
>>
> Isn't it the driver's job to validate some unreasonable configuration?

The check should be in different layer.

Virtio blk driver should not cover on some strange VDUSE stuff.

>
> Thanks,
> Yongji