Re: [PATCH v2 4/6] virtio: Initialize authorized attribute for confidential guest

From: Andi Kleen
Date: Thu Sep 30 2021 - 15:30:45 EST

Next message: Thomas Gleixner: "Re: [PATCH -tip v11 00/27] kprobes: Fix stacktrace with kretprobes on x86"
Previous message: Thomas Gleixner: "Re: [RFC PATCH 11/13] x86/uintr: Introduce uintr_wait() syscall"
In reply to: Kuppuswamy, Sathyanarayanan: "Re: [PATCH v2 4/6] virtio: Initialize authorized attribute for confidential guest"
Next in thread: Kuppuswamy, Sathyanarayanan: "Re: [PATCH v2 4/6] virtio: Initialize authorized attribute for confidential guest"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 9/30/2021 12:04 PM, Kuppuswamy, Sathyanarayanan wrote:

On 9/30/21 8:23 AM, Greg Kroah-Hartman wrote:

On Thu, Sep 30, 2021 at 08:18:18AM -0700, Kuppuswamy, Sathyanarayanan wrote:

On 9/30/21 6:36 AM, Dan Williams wrote:

And in particular, not all virtio drivers are hardened -
I think at this point blk and scsi drivers have been hardened - so
treating them all the same looks wrong.

My understanding was that they have been audited, Sathya?

Yes, AFAIK, it has been audited. Andi also submitted some patches
related to it. Andi, can you confirm.

What is the official definition of "audited"?

In our case (Confidential Computing platform), the host is an un-trusted
entity. So any interaction with host from the drivers will have to be
protected against the possible attack from the host. For example, if we
are accessing a memory based on index value received from host, we have
to make sure it does not lead to out of bound access or when sharing the
memory with the host, we need to make sure only the required region is
shared with the host and the memory is un-shared after use properly.

Elena can share more details, but it was achieved with static analysis
and fuzzing. Here is a presentation she is sharing about the work at the
Linux Security Summit:
https://static.sched.com/hosted_files/lssna2021/b6/LSS-HardeningLinuxGuestForCCC.pdf

Andi, can talk more about the specific driver changes that came out of this
effort.

The original virtio was quite easy to exploit because it put its free list into the shared ring buffer.

We had a patchkit to harden virtio originally, but after some discussion we instead switched to Jason Wang's patchkit to move the virtio metadata into protected memory, which fixed near all of the issues. These patches have been already merged. There is one additional patch to limit the virtio modes.

There's an ongoing effort to audit (mostly finished I believe) and fuzz the three virtio drivers (fuzzing is still ongoing).

There was also a range of changes outside virtio for code outside the device model. Most of it was just disabling it though.

-Andi

Next message: Thomas Gleixner: "Re: [PATCH -tip v11 00/27] kprobes: Fix stacktrace with kretprobes on x86"
Previous message: Thomas Gleixner: "Re: [RFC PATCH 11/13] x86/uintr: Introduce uintr_wait() syscall"
In reply to: Kuppuswamy, Sathyanarayanan: "Re: [PATCH v2 4/6] virtio: Initialize authorized attribute for confidential guest"
Next in thread: Kuppuswamy, Sathyanarayanan: "Re: [PATCH v2 4/6] virtio: Initialize authorized attribute for confidential guest"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]