Re: [PATCH v2 2/5] x86/tdx: Add validation of userspace MMIO instructions

From: Alexey Gladkov
Date: Thu Aug 08 2024 - 11:56:30 EST

Next message: David Hildenbrand: "Re: [PATCH v2 1/4] mm: free zapped tail pages when splitting isolated thp"
Previous message: David Hildenbrand: "Re: [PATCH v2 4/4] mm: split underutilized THPs"
In reply to: Alexey Gladkov: "Re: [PATCH v2 2/5] x86/tdx: Add validation of userspace MMIO instructions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Aug 06, 2024 at 11:41:57AM +0000, Reshetova, Elena wrote:
> > On Tue, Aug 06, 2024 at 10:18:20AM +0300, kirill.shutemov@xxxxxxxxxxxxxxx
> > wrote:
> > > On Mon, Aug 05, 2024 at 10:40:55PM +0000, Edgecombe, Rick P wrote:
> > > > On Mon, 2024-08-05 at 15:29 +0200, Alexey Gladkov (Intel) wrote:
> > > > > +       vaddr = (unsigned long)insn_get_addr_ref(&insn, regs);
> > > > > +
> > > > > +       if (user_mode(regs)) {
> > > > > +               if (mmap_read_lock_killable(current->mm))
> > > > > +                       return -EINTR;
> > > > > +
> > > > > +               ret = valid_vaddr(ve, mmio, size, vaddr);
> > > > > +               if (ret)
> > > > > +                       goto unlock;
> > > > > +       }
> > > > > +
> > > >
> > > > In the case of user MMIO, if the user instruction + MAX_INSN_SIZE
> > straddles a
> > > > page, then the "fetch" in the kernel could trigger a #VE. In this case the
> > > > kernel would handle this second #VE as a !user_mode() MMIO I guess.
> > > >
> > > > Would something prevent the same munmap() checks needing to happen
> > for that
> > > > second kernel #VE? If not, I wonder if the munmap() protection logic
> > should also
> > > > trigger for any userspace range ve->gpa as well.
> > >
> > > That's an interesting scenario, but I think we are fine.
> > >
> > > The fetch is copy_from_user() which is "REP; MOVSB" on all TDX platforms.
> > > Kernel rejects MOVS instruction emulation for !user_mode() with -EFAULT.
> >
> > But MOVS will be used only if X86_FEATURE_FSRM feature is present.
> > Otherwise rep_movs_alternative will be used, which uses MOVB.
> >
> > I know that X86_FEATURE_FSRM appeared since Ice Lake, but still.
>
> This is how the X86_FEATURE_FSRM cpuid bit is treated under TDX:
>
> {
> "MSB": "4",
> "LSB": "4",
> "Field Size": "1",
> "Field Name": "Fast Short REP MOV",
> "Configuration Details": "TD_PARAMS.CPUID_CONFIG",
> "Bit or Field Virtualization Type": "Configured & Native",
> "Virtualization Details": null
> },
>
> Which means VMM has the way to overwrite the native platform value
> and set it to "0", so we must account for both cases.

I have added a patch that does not allow access to userspace addresses if
we are in a kernel space context.

--
Rgrds, legion

Next message: David Hildenbrand: "Re: [PATCH v2 1/4] mm: free zapped tail pages when splitting isolated thp"
Previous message: David Hildenbrand: "Re: [PATCH v2 4/4] mm: split underutilized THPs"
In reply to: Alexey Gladkov: "Re: [PATCH v2 2/5] x86/tdx: Add validation of userspace MMIO instructions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]