Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp3037124rwd; Fri, 16 Jun 2023 11:17:15 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ7bZboO999pykU4Tp4FgwBHQYDH3WhAie2CAPP0QrQ+b/sBCJyF5CVjjhh+zk4kzWar/5Qj X-Received: by 2002:a05:6358:c122:b0:12b:dc5e:fd8b with SMTP id fh34-20020a056358c12200b0012bdc5efd8bmr2562383rwb.28.1686939435554; Fri, 16 Jun 2023 11:17:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1686939435; cv=none; d=google.com; s=arc-20160816; b=oi9YDzBO2mTgqopAwlyo8MyhKJuTB7wVL92lw+oFwTRSTe2OP78OvFUvikPnsGRUR9 bXQWTg1YMnREjQHxyDzwPQHYpNAAiIsE69RoKJk+eCSGZg2iGOs9U7M5INCrGTUqOLx5 Sjld9NL2eEsC64AfJSlfsFkw+HCeIPRjpA332XEUfZ9pIHld5Six5+ukgBtoWl+rJGJk UhfEP2BsNsW8mSPegWW2iIK25yUuyUVwSIhvizlflfq1x9c1YCsevEXjSSiJDK3xCxcb e73Y6yojtnvNsX0Cs8/uNtE596hc05F9mEtaodXr4izxK1mKgET8wXq3sQGjBnrqjM19 SxVg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:dkim-signature; bh=z/xcbkC1KM0iOBe2jwKeLHJYI8b7snTFL7pXba/BOVQ=; b=OiKZMbUVNgf/1wo9xxjQ376e9xWDv9CbWrqgdwKB2E534YJsSbXlXpUMAYCyg4OE1X xWiFMEVPb7TvV8rtSiWzP8OwL9gAfqr6gkerR7bBaM+P82JFn6mvo9xoJksBGA9MKzOX 9MbNvxUuTtwqoNm/kWjQ3NDt7VSmIPxkQCGDGVg3v61+13E30Z6hnqiMXdho3HNxh6UW 7GqsZwTz8qtCfWyycL43J2BX4QvoHVFI+eYKy2/bQvScpKFRljidJPJuf04CUAMD1/fQ bLmcA8VkbF6LhbDbWQHfFD68AaCGmJ16ERE2s6/chuvj674OniTjEeHUHQTLT8V8gjPf tTbw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=erpa4DvJ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id b5-20020a63eb45000000b0053b8c98d14bsi12044333pgk.859.2023.06.16.11.17.01; Fri, 16 Jun 2023 11:17:15 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=erpa4DvJ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231144AbjFPSIA (ORCPT + 99 others); Fri, 16 Jun 2023 14:08:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46564 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229538AbjFPSH6 (ORCPT ); Fri, 16 Jun 2023 14:07:58 -0400 Received: from mail-yb1-xb49.google.com (mail-yb1-xb49.google.com [IPv6:2607:f8b0:4864:20::b49]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 193E030FE for ; Fri, 16 Jun 2023 11:07:57 -0700 (PDT) Received: by mail-yb1-xb49.google.com with SMTP id 3f1490d57ef6-bd69bb4507eso1008708276.2 for ; Fri, 16 Jun 2023 11:07:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1686938876; x=1689530876; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=z/xcbkC1KM0iOBe2jwKeLHJYI8b7snTFL7pXba/BOVQ=; b=erpa4DvJNDkn0MUrlPUdqcaWtRan5xUjwEoAKe3Ux6fnyZ+sXru7zVyCRxkgBcvmDO HqNB7WYCGOAtZrKTbZmh8F+MeNIDf5ssYJVqJqdO4BmZSTAmFTjdZsItG8M9AzpxtG3R cwxug9zPJS52gTTR9PZl/6QmnnYTJUrNzSnJ4CBRzqKDFOtdFmOQ8iZSbfBATCwsVdqG 8w/XlM3WeZ08IcA8l2NOo3oMoV28ATIpf+4/ZIA4kxFsJJX/yl4NtpsWyU0rQv3q5xFV xVfxkF3ePUUkQdSbdHAnS2g0kwAUALpkqIrTInlRzLpor0v0xA3qKqoPsxRRyQjaxbBc 1UMQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686938876; x=1689530876; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=z/xcbkC1KM0iOBe2jwKeLHJYI8b7snTFL7pXba/BOVQ=; b=Xhl3565DNoo371e9Ge5hXuqHqJ5haYpWfvnCS4kkj3z9zzuOdHt65jknzp4o+yutEA nxXbqmcghQRue+wGu/a7ApwbCWbF4f4GjZBVv22NRRDefKSzrPcUww6wUtVW7aMZeUWB t4TBFaitEGA+rIgeb5dpB7GEKaHvqA4Qi6qN+KmmXnqzf346KL/Nc8VTaZgkA5U8v9ns f/1CTKMchQ4hzXKvTvOnglOSCvIZ6fTJmI70/6zTAONFKu3H0HEZtadymUnEony7XSv+ FzMpGkVwQbvnTe2Dm4HpySDY6Gztf7tabLxgv1GMTchFyZBbUAM7LhR46gfyknw9ZGTU za3Q== X-Gm-Message-State: AC+VfDxymJB3fstuwnQ52+VQ5z3Beh6D4T0797++0IiqfHxf4ZPXUtp2 V9ONrFjwEwcFXnn8i+z7BtpLznQXxv4= X-Received: from zagreus.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37]) (user=seanjc job=sendgmr) by 2002:a25:20d:0:b0:ba8:2e79:c193 with SMTP id 13-20020a25020d000000b00ba82e79c193mr286501ybc.12.1686938876277; Fri, 16 Jun 2023 11:07:56 -0700 (PDT) Date: Fri, 16 Jun 2023 11:07:54 -0700 In-Reply-To: <22438996-cea6-fcdc-530b-bf3f2477a81c@semihalf.com> Mime-Version: 1.0 References: <20230612164727.3935657-1-carlos.bilbao@amd.com> <001aa2ed-2f78-4361-451d-e31a4d4abaa0@semihalf.com> <22438996-cea6-fcdc-530b-bf3f2477a81c@semihalf.com> Message-ID: Subject: Re: [PATCH v2] docs: security: Confidential computing intro and threat model for x86 virtualization From: Sean Christopherson To: Dmytro Maluka Cc: Elena Reshetova , Carlos Bilbao , Jason CJ Chen , "corbet@lwn.net" , "linux-doc@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "ardb@kernel.org" , "kraxel@redhat.com" , "dovmurik@linux.ibm.com" , "dave.hansen@linux.intel.com" , "Dhaval.Giani@amd.com" , "michael.day@amd.com" , "pavankumar.paluri@amd.com" , "David.Kaplan@amd.com" , "Reshma.Lal@amd.com" , "Jeremy.Powell@amd.com" , "sathyanarayanan.kuppuswamy@linux.intel.com" , "alexander.shishkin@linux.intel.com" , "thomas.lendacky@amd.com" , "tglx@linutronix.de" , "dgilbert@redhat.com" , "gregkh@linuxfoundation.org" , "dinechin@redhat.com" , "linux-coco@lists.linux.dev" , "berrange@redhat.com" , "mst@redhat.com" , "tytso@mit.edu" , "jikos@kernel.org" , "joro@8bytes.org" , "leon@kernel.org" , "richard.weinberger@gmail.com" , "lukas@wunner.de" , "jejb@linux.ibm.com" , "cdupontd@redhat.com" , "jasowang@redhat.com" , "sameo@rivosinc.com" , "bp@alien8.de" , "security@kernel.org" , Larry Dewey , android-kvm@google.com, Dmitry Torokhov , Allen Webb , Tomasz Nowicki , Grzegorz Jaszczyk , Patryk Duda Content-Type: text/plain; charset="us-ascii" X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jun 16, 2023, Dmytro Maluka wrote: > On 6/16/23 15:56, Sean Christopherson wrote: > > On Fri, Jun 16, 2023, Dmytro Maluka wrote: > >> On 6/14/23 16:15, Sean Christopherson wrote: > >>> On Wed, Jun 14, 2023, Elena Reshetova wrote: > >>>>>> +This new type of adversary may be viewed as a more powerful type > >>>>>> +of external attacker, as it resides locally on the same physical machine > >>>>>> +-in contrast to a remote network attacker- and has control over the guest > >>>>>> +kernel communication with most of the HW:: > >>>>> > >>>>> IIUC, this last statement doesn't hold true for the pKVM on x86 use case, which > >>>>> specifically aims to give a "guest" exclusive access to hardware resources. > >>>> > >>>> Does it hold for *all* HW resources? If yes, indeed this would make pKVM on > >>>> x86 considerably different. > >>> > >>> Heh, the original says "most", so it doesn't have to hold for all hardware resources, > >>> just a simple majority. > >> > >> Again, pedantic mode on, I find it difficult to agree with the wording > >> that the guest owns "most of" the HW resources it uses. It controls the > >> data communication with its hardware device, but other resources (e.g. > >> CPU time, interrupts, timers, PCI config space, ACPI) are owned by the > >> host and virtualized by it for the guest. > > > > I wasn't saying that the guest owns most resources, I was saying that the *untrusted* > > host does *not* own most resources that are exposed to the guest. My understanding > > is that everything in your list is owned by the trusted hypervisor in the pKVM model. > > Heh, no. Most of these resources are owned by the untrusted host, that's > the point. Ah, I was overloading "owned", probably wrongly. What I'm trying to call out is that in pKVM, while the untrusted host can withold resources, it can't subvert most of those resources. Taking scheduling as an example, a pKVM vCPU may be migrated to a different pCPU by the untrusted host, but pKVM ensures that it is safe to run on the new pCPU, e.g. on Intel, pKVM (presumably) does any necessary VMCLEAR, IBPB, INVEPT, etc. to ensure the vCPU doesn't consume stale data. > Basically for two reasons: 1. we want to keep the trusted hypervisor as > simple as possible. 2. we don't need availability guarantees. > > The trusted hypervisor owns only: 2nd-stage MMU, IOMMU, VMCS (or its > counterparts on non-Intel), physical PCI config space (merely for > controlling a few critical registers like BARs and MSI address > registers), perhaps a few more things that don't come to my mind now. The "physical PCI config space" is a key difference, and is very relevant to this doc (see my response to Allen). > The untrusted host schedules its guests on physical CPUs (i.e. the > host's L1 vCPUs are 1:1 mapped onto pCPUs), while the trusted hypervisor > has no scheduling, it only handles vmexits from the host and guests. The > untrusted host fully controls the physical interrupt controllers (I > think we realize that is not perfectly fine, but here we are), etc. Yeah, IRQs are a tough nut to crack.