Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 741F1C433EF for ; Fri, 12 Nov 2021 21:23:27 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 486F16108B for ; Fri, 12 Nov 2021 21:23:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235742AbhKLV0R (ORCPT ); Fri, 12 Nov 2021 16:26:17 -0500 Received: from mail.kernel.org ([198.145.29.99]:60214 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235736AbhKLV0Q (ORCPT ); Fri, 12 Nov 2021 16:26:16 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id 80FC460FE3; Fri, 12 Nov 2021 21:23:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1636752205; bh=lx7eciPrF/BBoyKZDT93AJxWh2JCgt0BeWSKXENAJFQ=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=bJPu5lCSOzrkVvhS7ygoyiJD7QWq/BJp91+5S4lbYZq92OzolpVxpu5Tjp+YDrTw8 nMNmk56DMjjvq0HImMjWN3n3cmoWSXiUmTcV3GPv7kFTn6gZyFk7QwUwDveyk9r8uh DVzMyW9RbqXewpj0Iheo2z9NiivVOB38QXRvLzEewO5CZHAyl2cv4ChNIlFUEbz3oy KnvRvcmdpZAqXkTr4tjwzoYpzobPvUVHHY9DAz/sGXl5Q4+X3esbY6Xf+q3OtYexb2 GDwlzNwhUsLSyO363Hfb4WNqsQUqlp+jMuMTvRjbVjEHcwAvC1rXev9wjbqQm3g/HW Kkq6TPAOB8c0A== Message-ID: Date: Fri, 12 Nov 2021 13:23:25 -0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.2.0 Subject: Re: [PATCH Part2 v5 00/45] Add AMD Secure Nested Paging (SEV-SNP) Hypervisor Support Content-Language: en-US To: Marc Orr , Sean Christopherson Cc: Borislav Petkov , Dave Hansen , Peter Gonda , Brijesh Singh , x86@kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, linux-coco@lists.linux.dev, linux-mm@kvack.org, linux-crypto@vger.kernel.org, Thomas Gleixner , Ingo Molnar , Joerg Roedel , Tom Lendacky , "H. Peter Anvin" , Ard Biesheuvel , Paolo Bonzini , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Dave Hansen , Sergio Lopez , Peter Zijlstra , Srinivas Pandruvada , David Rientjes , Dov Murik , Tobin Feldman-Fitzthum , Michael Roth , Vlastimil Babka , "Kirill A . Shutemov" , Andi Kleen , tony.luck@intel.com, sathyanarayanan.kuppuswamy@linux.intel.com References: <20210820155918.7518-1-brijesh.singh@amd.com> <061ccd49-3b9f-d603-bafd-61a067c3f6fa@intel.com> From: Andy Lutomirski In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On 11/12/21 13:16, Marc Orr wrote: >>> So cloud providers should have an interest to prevent such random stray >>> accesses if they wanna have guests. :) >> >> Yes, but IMO inducing a fault in the guest because of _host_ bug is wrong. > > I want to push back on "inducing a fault in the guest because of > _host_ bug is wrong.". The guest is _required_ to be robust against > the host maliciously (or accidentally) writing its memory. SNP > security depends on the guest detecting such writes. Therefore, why is > leveraging this system property that the guest will detect when its > private memory has been written wrong? > > Especially when its orders or > magnitudes simpler than the alternative to have everything in the > system -- kernel, user-space, and guest -- all coordinate to agree > what's private and what's shared. Such a complex approach is likely to > bring a lot of bugs, vulnerabilities, and limitations on future design > into the picture. > SEV-SNP, TDX, and any reasonable software solution all require that the host know which pages are private and which pages are shared. Sure, the old SEV-ES Linux host implementation was very simple, but it's nasty and fundamentally can't support migration.