Re: [RFC KVM 24/27] kvm/isolation: KVM page fault handler

From: Alexandre Chartre
Date: Mon May 13 2019 - 12:23:46 EST




On 5/13/19 6:02 PM, Andy Lutomirski wrote:
On Mon, May 13, 2019 at 7:39 AM Alexandre Chartre
<alexandre.chartre@xxxxxxxxxx> wrote:

The KVM page fault handler handles page fault occurring while using
the KVM address space by switching to the kernel address space and
retrying the access (except if the fault occurs while switching
to the kernel address space). Processing of page faults occurring
while using the kernel address space is unchanged.

Page fault log is cleared when creating a vm so that page fault
information doesn't persist when qemu is stopped and restarted.

Are you saying that a page fault will just exit isolation? This
completely defeats most of the security, right? Sure, it still helps
with side channels, but not with actual software bugs.


Yes, page fault exit isolation so that the faulty instruction can be retried
with the full kernel address space. When exiting isolation, we also want to
kick the sibling hyperthread and pinned it so that it can't steal secret while
we use the kernel address page, but that's not implemented in this serie
(see TODO comment in kvm_isolation_exit() in patch 25 "kvm/isolation:
implement actual KVM isolation enter/exit").

alex.