Message-ID: <24a961b4-5385-0949-045b-c3da137042a2@intel.com>
Date: Tue, 16 May 2023 16:04:04 -0700
Subject: Re: [PATCHv11 6/9] efi/unaccepted: Avoid load_unaligned_zeropad() stepping into unaccepted memory
From: Dave Hansen
To: "Kirill A. Shutemov", Ard Biesheuvel
Cc: Borislav Petkov, Andy Lutomirski, Sean Christopherson, Andrew Morton,
    Joerg Roedel, Andi Kleen, Kuppuswamy Sathyanarayanan, David Rientjes,
    Vlastimil Babka, Tom Lendacky, Thomas Gleixner, Peter Zijlstra,
    Paolo Bonzini, Ingo Molnar, Dario Faggioli, Mike Rapoport,
    David Hildenbrand, Mel Gorman, marcelo.cerri@canonical.com,
    tim.gardner@canonical.com, khalid.elmously@canonical.com,
    philip.cox@canonical.com, aarcange@redhat.com, peterx@redhat.com,
    x86@kernel.org, linux-mm@kvack.org, linux-coco@lists.linux.dev,
    linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, Dave Hansen
References: <20230513220418.19357-1-kirill.shutemov@linux.intel.com>
    <20230513220418.19357-7-kirill.shutemov@linux.intel.com>
    <20230516183352.5fvmqca34cjcv462@box.shutemov.name>
In-Reply-To: <20230516183352.5fvmqca34cjcv462@box.shutemov.name>

On 5/16/23 11:33, Kirill A. Shutemov wrote:
> For context: there's a way to configure TDX environment to trigger #VE on
> such accesses and it is the default. But Linux requires such #VEs to be
> disabled as it opens an attack vector from the host to the guest: host can
> pull any private page from under kernel at any point and trigger such #VE.
> If it happens at just the right time in syscall gap or NMI entry code it can
> be exploitable.

I'm kinda uncomfortable with saying it's exploitable. It really boils
down to not wanting to deal with managing a new IST exception.

While the NMI IST implementation is about as good as we can get it, I
believe there are still holes in it (even if we consider only how it
interacts with #MC). The more IST users we add, the more holes there are.

You add the fact that an actual adversary can induce the exceptions
instead of (rare and mostly random) radiation that causes #MC, and it
makes me want to either curl up in a little ball or pursue a new career.

So, exploitable? Dunno. Do I want to touch an #VE/IST implementation?
No way, not with a 10 foot pole.