Subject: Re: [PATCH v5] virtio-blk: Add validation for block size in config space
To: Yongji Xie
CC: Jason Wang, "Michael S. Tsirkin", Stefan Hajnoczi, virtualization, linux-kernel
References: <20210809101609.148-1-xieyongji@bytedance.com> <06af4897-7339-fca7-bdd9-e0f9c2c6195b@nvidia.com> <6d6154d7-7947-68be-4e1e-4c1d0a94b2bc@nvidia.com> <7f0181d7-ff5c-0346-66ee-1de3ed23f5dd@nvidia.com> <20210823080952-mutt-send-email-mst@kernel.org>
From: Max Gurtovoy
Date: Tue, 24 Aug 2021 16:30:48 +0300
On 8/24/2021 3:52 PM, Yongji Xie wrote:
> On Tue, Aug 24, 2021 at 6:11 PM Max Gurtovoy wrote:
>>
>> On 8/24/2021 5:47 AM, Jason Wang wrote:
>>> On Tue, Aug 24, 2021 at 6:31 AM Max Gurtovoy wrote:
>>>> On 8/23/2021 3:13 PM, Michael S. Tsirkin wrote:
>>>>> On Mon, Aug 23, 2021 at 01:45:31PM +0300, Max Gurtovoy wrote:
>>>>>> It is helpful if there is a justification for this.
>>>>>>
>>>>>> In this case, no such HW device exists, and the only device that can cause
>>>>>> this trouble today is a user space VDUSE device that must be validated by the
>>>>>> emulation VDUSE kernel driver.
>>>>>>
>>>>>> Otherwise, we can create 1000 commits like this at the virtio level (for
>>>>>> example for each feature for each virtio device).
>>>>> Yea, it's a lot of work but I don't think it's avoidable.
>>>>>
>>>>>>>>>>> And regardless of the userspace device, we still need to fix it for other cases.
>>>>>>>>>> Which cases? Do you know that there is buggy HW we need to work around?
>>>>>>>>>>
>>>>>>>>> No, there isn't now. But this could be a potential attack surface if
>>>>>>>>> the host doesn't trust the device.
>>>>>>>> If the host doesn't trust a device, why does it continue using it?
>>>>>>>>
>>>>>>> IIUC this is the case for the encrypted VMs.
>>>>>> What do you mean by encrypted VM?
>>>>>>
>>>>>> And how does this small patch cause a VM to be 100% encryption supported?
>>>>>>
>>>>>>>> Do you suggest we do these workarounds in all device drivers in the kernel?
>>>>>>>>
>>>>>>> Isn't it the driver's job to validate some unreasonable configuration?
>>>>>> The check should be in a different layer.
>>>>>>
>>>>>> The virtio-blk driver should not cover for some strange VDUSE stuff.
>>>>> Yes, I'm not convinced VDUSE is a valid use-case. I think that for
>>>>> security and robustness it should validate data it gets from userspace
>>>>> right there after reading it.
>>>>> But I think this is useful for the virtio hardening thing.
>>>>> https://lwn.net/Articles/865216/
>>>> I don't see how this change is assisting confidential computing.
>>>>
>>>> Confidential computing talks about encrypting guest memory from the host,
>>>> and not adding some quirks to devices.
>>> In the case of confidential computing, the hypervisor and hardware device
>>> are not in the trust zone. It means the guest doesn't trust the cloud
>>> vendor.
>> Confidential computing protects data during processing ("in-use" data).
>>
>> Nothing to do with virtio feature negotiation.
>>
> But if a misbehaving device can corrupt the guest memory, I think it
> should be avoided.

So don't say it's related to confidential computing, and fix it in the VDUSE kernel driver in the hypervisor.

If this is an existing device and we want to add a quirk to it, so be it. But it's not the case.

> Thanks,
> Yongji
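The check the thread argues about, as an added example that is not part of the original message or of the patch under discussion: a driver-side step that treats the device-supplied blk_size in virtio-blk config space as untrusted input and rejects it, or falls back to the sector size, before the value reaches the block layer. The accepted range (a power of two between the 512-byte sector size and an assumed 4 KiB page size), the minimal config struct, the strict/lenient switch and the function names are assumptions made for illustration, not the kernel's code.

```c
/* Added example (not from the thread or the kernel patch under discussion):
 * treating a device-supplied virtio-blk config field as untrusted input.
 * The limits, the struct layout and the function names are assumptions made
 * for illustration only.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define VBLK_SECTOR_SIZE 512u    /* smallest logical block size accepted */
#define VBLK_PAGE_SIZE   4096u   /* assumed host page size for the example */

/* Minimal model of the config-space field the driver reads from the device. */
struct virtio_blk_config_example {
    uint32_t blk_size;   /* VIRTIO_BLK_F_BLK_SIZE: logical block size */
};

/* Return true if blk_size is a sane logical block size: a power of two in
 * [VBLK_SECTOR_SIZE, VBLK_PAGE_SIZE]. Anything else (0, odd sizes, sizes
 * larger than a page) is rejected instead of being handed to the block layer. */
bool virtblk_blk_size_valid(uint32_t blk_size)
{
    if (blk_size < VBLK_SECTOR_SIZE || blk_size > VBLK_PAGE_SIZE)
        return false;
    return (blk_size & (blk_size - 1)) == 0;
}

/* Probe-time step: read the field, validate it, and decide what to do when
 * the device offers the feature but reports nonsense. Returns the block size
 * the driver will actually use, or 0 when strict mode rejects the device. */
uint32_t virtblk_pick_blk_size(const struct virtio_blk_config_example *cfg,
                              bool feature_blk_size, bool strict)
{
    if (!feature_blk_size)
        return VBLK_SECTOR_SIZE;      /* feature not negotiated: ignore field */
    if (virtblk_blk_size_valid(cfg->blk_size))
        return cfg->blk_size;
    if (strict)
        return 0;                     /* refuse to bind to a misbehaving device */
    fprintf(stderr, "virtio_blk: invalid block size %u, using %u\n",
            cfg->blk_size, VBLK_SECTOR_SIZE);
    return VBLK_SECTOR_SIZE;          /* lenient: log and ignore the feature */
}

int main(void)
{
    /* Constructed config values: one sane, one not a power of two, and one
     * far beyond a page (the kind of value a hostile device could report). */
    struct virtio_blk_config_example good = { .blk_size = 4096 };
    struct virtio_blk_config_example odd  = { .blk_size = 1000 };
    struct virtio_blk_config_example huge = { .blk_size = 1u << 31 };

    printf("good -> %u\n", virtblk_pick_blk_size(&good, true, true));
    printf("odd  -> %u\n", virtblk_pick_blk_size(&odd, true, false));
    printf("huge -> %u\n", virtblk_pick_blk_size(&huge, true, true));
    return 0;
}
```

The strict path is the one that matters for the "host doesn't trust the device" argument in the thread: a value that fails the check never becomes a logical block size, so nothing downstream has to cope with it. The lenient path shows the alternative of ignoring the feature and logging, which keeps an otherwise usable device working.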