Received: by 2002:a05:6a10:d5a5:0:0:0:0 with SMTP id gn37csp610754pxb; Thu, 30 Sep 2021 13:04:06 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwgcTfOItbb9Aclig2t2PrVqpb4Qv2pumNT9Sxh0ZElkNcX/G8YTeiTA7jATG27ePgwMYwk X-Received: by 2002:a17:906:1755:: with SMTP id d21mr1350071eje.257.1633032245928; Thu, 30 Sep 2021 13:04:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633032245; cv=none; d=google.com; s=arc-20160816; b=Hr115WCHY9HK/3qxknZdRzxi/9/P6lQGSNKSXVamWh8X2drlx1x9pGLhEdl+CgSnB9 u3xwjDTMiClyRzlW/evoxzMzntZ2oDqeW05tu687uy0iLKL6yljIiCd/b9eopI5KwJ4w HU2X7PsiaxO9o5+w3W8bRX83NODNcwzPxqrL+Y992Wyb5/S3gMX76RJ6GqGlOX/9LFRN bJf3rPYdvjh8sCYFnIoM7NXnMVQO32mztLwzkObur2LqKTdfIiKYzFH2r6Ov/MkYKagY XrDkf9C3nhIsJCnyh2dx7fa4vW3jYe5qhJMPxgr68NmN5n7+VP7+Iq9BvmChBHssagnh LiwA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=F4zAguWljCgbcn2JVGtyUkfpf0QYmCYtq5NGlHmVnaI=; b=Qiou07bILaDBw6UrbSLQ7+QxgVdGIlsot3EALu2jgIXIEn/231f6Nq0+BcMGydIHG9 hwiUoAxDeBx+NzxWYzyn1Y1mn5XUGS7Yotgi0hPhEgn0OrojBz0ZDSWLLTqEsPD7y13f BAn5cm6/Tm2su1jTec2sKm97vZSxF6YE0edlLWIYDs9acQUtQI5i7Nzt2gWeDnPwySx8 APv82ThQHQqR4svTtZeUkxfK9TsNznlE0Dtm46QqP5NRNWPqdetMQcM7twTlzQA+Bt+E kh9YFa9pdpzztWILPwdelykpz78xKn68z2Ubn223kETxmibkaKmjuXiYifO8VDs0l+xK D8Ig== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id kx11si4383666ejc.554.2021.09.30.13.03.36; Thu, 30 Sep 2021 13:04:05 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345252AbhI3Tmm (ORCPT + 99 others); Thu, 30 Sep 2021 15:42:42 -0400 Received: from mga01.intel.com ([192.55.52.88]:8856 "EHLO mga01.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344889AbhI3Tmj (ORCPT ); Thu, 30 Sep 2021 15:42:39 -0400 X-IronPort-AV: E=McAfee;i="6200,9189,10123"; a="247821075" X-IronPort-AV: E=Sophos;i="5.85,336,1624345200"; d="scan'208";a="247821075" Received: from fmsmga007.fm.intel.com ([10.253.24.52]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Sep 2021 12:40:51 -0700 X-IronPort-AV: E=Sophos;i="5.85,336,1624345200"; d="scan'208";a="480062750" Received: from rnmathur-mobl1.amr.corp.intel.com (HELO skuppusw-mobl5.amr.corp.intel.com) ([10.212.105.173]) by fmsmga007-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Sep 2021 12:40:50 -0700 Subject: Re: [PATCH v2 4/6] virtio: Initialize authorized attribute for confidential guest To: Andi Kleen , Greg Kroah-Hartman Cc: Dan Williams , "Michael S. Tsirkin" , Borislav Petkov , X86 ML , Bjorn Helgaas , Thomas Gleixner , Ingo Molnar , Andreas Noever , Michael Jamet , Yehezkel Bernat , "Rafael J . Wysocki" , Mika Westerberg , Jonathan Corbet , Jason Wang , Kuppuswamy Sathyanarayanan , Linux Kernel Mailing List , Linux PCI , USB list , virtualization@lists.linux-foundation.org, "Reshetova, Elena" References: <20210930010511.3387967-1-sathyanarayanan.kuppuswamy@linux.intel.com> <20210930010511.3387967-5-sathyanarayanan.kuppuswamy@linux.intel.com> <20210930065953-mutt-send-email-mst@kernel.org> <6d1e2701-5095-d110-3b0a-2697abd0c489@linux.intel.com> <1cfdce51-6bb4-f7af-a86b-5854b6737253@linux.intel.com> <291d5e03-ccaa-3a73-cdcd-66cbe80fede1@linux.intel.com> From: "Kuppuswamy, Sathyanarayanan" Message-ID: Date: Thu, 30 Sep 2021 12:40:48 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Thunderbird/78.13.0 MIME-Version: 1.0 In-Reply-To: <291d5e03-ccaa-3a73-cdcd-66cbe80fede1@linux.intel.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org +Elena On 9/30/21 12:30 PM, Andi Kleen wrote: > > On 9/30/2021 12:04 PM, Kuppuswamy, Sathyanarayanan wrote: >> >> >> On 9/30/21 8:23 AM, Greg Kroah-Hartman wrote: >>> On Thu, Sep 30, 2021 at 08:18:18AM -0700, Kuppuswamy, Sathyanarayanan wrote: >>>> >>>> >>>> On 9/30/21 6:36 AM, Dan Williams wrote: >>>>>> And in particular, not all virtio drivers are hardened - >>>>>> I think at this point blk and scsi drivers have been hardened - so >>>>>> treating them all the same looks wrong. >>>>> My understanding was that they have been audited, Sathya? >>>> >>>> Yes, AFAIK, it has been audited. Andi also submitted some patches >>>> related to it. Andi, can you confirm. >>> >>> What is the official definition of "audited"? >> >> >> In our case (Confidential Computing platform), the host is an un-trusted >> entity. So any interaction with host from the drivers will have to be >> protected against the possible attack from the host. For example, if we >> are accessing a memory based on index value received from host, we have >> to make sure it does not lead to out of bound access or when sharing the >> memory with the host, we need to make sure only the required region is >> shared with the host and the memory is un-shared after use properly. >> >> Elena can share more details, but it was achieved with static analysis >> and fuzzing. Here is a presentation she is sharing about the work at the >> Linux Security Summit: >> https://static.sched.com/hosted_files/lssna2021/b6/LSS-HardeningLinuxGuestForCCC.pdf >> >> Andi, can talk more about the specific driver changes that came out of this >> effort. > > The original virtio was quite easy to exploit because it put its free list into the shared ring buffer. > > We had a patchkit to harden virtio originally, but after some discussion we instead switched to > Jason Wang's patchkit to move the virtio metadata into protected memory, which fixed near all of the > issues. These patches have been already merged. There is one additional patch to limit the virtio > modes. > > There's an ongoing effort to audit (mostly finished I believe) and fuzz the three virtio drivers > (fuzzing is still ongoing). > > There was also a range of changes outside virtio for code outside the device model. Most of it was > just disabling it though. > > -Andi > -- Sathyanarayanan Kuppuswamy Linux Kernel Developer