Re: [PATCH v1 15/40] i386/tdx: Add property sept-ve-disable for tdx-gues

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v1 15/40] i386/tdx: Add property sept-ve-disable for tdx-gues

From:	Xiaoyao Li
Subject:	Re: [PATCH v1 15/40] i386/tdx: Add property sept-ve-disable for tdx-guest object
Date:	Thu, 25 Aug 2022 22:42:34 +0800
User-agent:	Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Thunderbird/91.12.0

On 8/25/2022 7:36 PM, Gerd Hoffmann wrote:

On Tue, Aug 02, 2022 at 03:47:25PM +0800, Xiaoyao Li wrote:

Bit 28, named SEPT_VE_DISABLE, disables EPT violation conversion to #VE
on guest TD access of PENDING pages when set to 1. Some guest OS (e.g.,
Linux TD guest) may require this bit set as 1. Otherwise refuse to boot.


--verbose please.  That somehow doesn't make sense to me.

A guest is either TDX-aware (which should be the case for linux 5.19+),
or it is not.  My expectation would be that guests which are not
TDX-aware will be disturbed by any #VE exception, not only the ones
triggered by EPT violations.  So I'm wondering what this config bit
actually is useful for ...

This bit, including other properties of tdx-guest object, are supposedto be configured for TD only. On VM creation phase, user needs to decideif it's a TD (TDX VM) or non-TD (previous normal VM) by attachingtdx-guest object or not.

If it's a TD when VM creation, but the guest kernel is notTDX-capable/-aware, it's doomed to fail booting.

For TD guest kernel, it has its own reason to turn SEPT_VE on or off.E.g., linux TD guest requires SEPT_VE to be disabled to avoid #VE onsyscall gap [1]. Frankly speaking, this bit is better to be configuredby TD guest kernel, however current TDX architecture makes the design tolet VMM configure.



[1]: TD pages that are not accepted cause a #VE exception.
It is possible for a hypervisor to take away a guest page
and thus trigger a #VE the next time it is accessed.
Normally the guest would just panic in such a case, but
for that it first needs to execute the #VE handler
reliably.

This can cause problems with the "system call gap": a malicious
hypervisor might trigger a #VE for example on the system call entry
code, and when a user process does a system call it would trigger a
and SYSCALL relies on the kernel code to switch to the kernel stack,
this would lead to kernel code running on the ring 3 stack.  This could
be exploited by a combination of malicious host and malicious ring 3
program to attack the kernel.

take care,
   Gerd

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH v1 09/40] i386/tdx: Update tdx_fixed0/1 bits by tdx_caps.cpuid_config[], (continued)
- [PATCH v1 09/40] i386/tdx: Update tdx_fixed0/1 bits by tdx_caps.cpuid_config[], Xiaoyao Li, 2022/08/02
- [PATCH v1 12/40] i386/kvm: Move architectural CPUID leaf generation to separate helper, Xiaoyao Li, 2022/08/02
- [PATCH v1 10/40] i386/tdx: Integrate tdx_caps->xfam_fixed0/1 into tdx_cpuid_lookup, Xiaoyao Li, 2022/08/02
- [PATCH v1 11/40] i386/tdx: Integrate tdx_caps->attrs_fixed0/1 to tdx_cpuid_lookup, Xiaoyao Li, 2022/08/02
- [PATCH v1 13/40] KVM: Introduce kvm_arch_pre_create_vcpu(), Xiaoyao Li, 2022/08/02
  - Re: [PATCH v1 13/40] KVM: Introduce kvm_arch_pre_create_vcpu(), Gerd Hoffmann, 2022/08/25
- [PATCH v1 14/40] i386/tdx: Initialize TDX before creating TD vcpus, Xiaoyao Li, 2022/08/02
  - Re: [PATCH v1 14/40] i386/tdx: Initialize TDX before creating TD vcpus, Gerd Hoffmann, 2022/08/25
- [PATCH v1 15/40] i386/tdx: Add property sept-ve-disable for tdx-guest object, Xiaoyao Li, 2022/08/02
  - Re: [PATCH v1 15/40] i386/tdx: Add property sept-ve-disable for tdx-guest object, Gerd Hoffmann, 2022/08/25
    - Re: [PATCH v1 15/40] i386/tdx: Add property sept-ve-disable for tdx-guest object, Xiaoyao Li <=
    - Re: [PATCH v1 15/40] i386/tdx: Add property sept-ve-disable for tdx-guest object, Gerd Hoffmann, 2022/08/26
- [PATCH v1 16/40] i386/tdx: Wire CPU features up with attributes of TD guest, Xiaoyao Li, 2022/08/02
  - Re: [PATCH v1 16/40] i386/tdx: Wire CPU features up with attributes of TD guest, Gerd Hoffmann, 2022/08/25
- [PATCH v1 17/40] i386/tdx: Validate TD attributes, Xiaoyao Li, 2022/08/02
  - Re: [PATCH v1 17/40] i386/tdx: Validate TD attributes, Gerd Hoffmann, 2022/08/25
- [PATCH v1 18/40] i386/tdx: Implement user specified tsc frequency, Xiaoyao Li, 2022/08/02
  - Re: [PATCH v1 18/40] i386/tdx: Implement user specified tsc frequency, Gerd Hoffmann, 2022/08/25
- [PATCH v1 19/40] i386/tdx: Set kvm_readonly_mem_enabled to false for TDX VM, Xiaoyao Li, 2022/08/02
- [PATCH v1 20/40] i386/tdvf: Introduce function to parse TDVF metadata, Xiaoyao Li, 2022/08/02
  - Re: [PATCH v1 20/40] i386/tdvf: Introduce function to parse TDVF metadata, Gerd Hoffmann, 2022/08/26

Prev by Date: Re: EBUSY when using NVMe Block Driver with multiple devices in the same IOMMU group
Next by Date: [PATCH 0/7] configure: fix misc shellcheck warnings
Previous by thread: Re: [PATCH v1 15/40] i386/tdx: Add property sept-ve-disable for tdx-guest object
Next by thread: Re: [PATCH v1 15/40] i386/tdx: Add property sept-ve-disable for tdx-guest object
Index(es):
- Date
- Thread