RE: [外部邮件] Re: [PATCH] virt/coco/sev-guest: Don't free decrypted memory

From: Li,Rongqing
Date: Tue Jun 18 2024 - 06:44:54 EST

Next message: Simon Horman: "Re: [net-next PATCH v5 09/10] octeontx2-pf: Add representors for sdp MAC"
Previous message: kernel test robot: "Re: [PATCH] of: reserved_mem: Restructure code to call reserved mem init functions earlier"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> On 6/14/24 00:10, Li RongQing wrote:
> > In CoCo VMs, it is possible for the untrusted host to cause
> > set_memory_decrypted() to fail such that an error is returned and the
> > resulting memory is shared. Callers need to take care
>
> Can you explain how it would fail or where in the call path it would fail?
> Are you referring to the the Page State Change being performed by the host but
> it returns a failure?
>
> As long as the encryption bit hasn't been cleared in any of the guest pagetables
> for the page range, then there should not be an issue. When the page is
> referenced it will generate a #NPF and the host will have to make that page a
> private page in order for forward progress to be made. But, that page will
> already have been PVALIDATEd previously, so the resulting #VC for the page no
> longer being PVALIDATEd will allow the guest to detect the malicious hypervisor
> and terminate.
>
> If we fail during the __change_page_attr_set_clr() call and we get a mix of
> pagetable entries that could be a problem, so leaking the pages would be best in
> that case.
>
> And since the failure reason isn't clear after the call, leaking the pages is
> probably the safest thing.

your explanation is very clear ; I will rewrite this changelog

thank you very much,

-Li

Next message: Simon Horman: "Re: [net-next PATCH v5 09/10] octeontx2-pf: Add representors for sdp MAC"
Previous message: kernel test robot: "Re: [PATCH] of: reserved_mem: Restructure code to call reserved mem init functions earlier"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]