From: Ackerley Tng <ackerleytng@google.com>
To: kvm@vger.kernel.org, linux-api@vger.kernel.org,
	linux-arch@vger.kernel.org,  linux-doc@vger.kernel.org,
	linux-fsdevel@vger.kernel.org,  linux-kernel@vger.kernel.org,
	linux-mm@kvack.org, qemu-devel@nongnu.org
Cc: aarcange@redhat.com, ak@linux.intel.com,
	akpm@linux-foundation.org,  arnd@arndb.de, bfields@fieldses.org,
	bp@alien8.de,  chao.p.peng@linux.intel.com, corbet@lwn.net,
	dave.hansen@intel.com,  david@redhat.com, ddutile@redhat.com,
	dhildenb@redhat.com, hpa@zytor.com,  hughd@google.com,
	jlayton@kernel.org, jmattson@google.com, joro@8bytes.org,
	 jun.nakajima@intel.com, kirill.shutemov@linux.intel.com,
	linmiaohe@huawei.com,  luto@kernel.org,
	mail@maciej.szmigiero.name, mhocko@suse.com,
	 michael.roth@amd.com, mingo@redhat.com, naoya.horiguchi@nec.com,
	 pbonzini@redhat.com, qperret@google.com, rppt@kernel.org,
	seanjc@google.com,  shuah@kernel.org, steven.price@arm.com,
	tabba@google.com, tglx@linutronix.de,  vannapurve@google.com,
	vbabka@suse.cz, vkuznets@redhat.com,  wanpengli@tencent.com,
	wei.w.wang@intel.com, x86@kernel.org,
	 yu.c.zhang@linux.intel.com,
	Ackerley Tng <ackerleytng@google.com>
Subject: [RFC PATCH 03/10] KVM: selftests: Test that VM private memory should not be readable from host
Date: Thu, 16 Mar 2023 00:30:56 +0000	[thread overview]
Message-ID: <48490641ce981c31ea58c11ad478ff85cd0dd156.1678926164.git.ackerleytng@google.com> (raw)
In-Reply-To: <cover.1678926164.git.ackerleytng@google.com>

After VM memory is remapped as private memory and the guest has written
to that private memory, request the host to read the corresponding HVA
for it.

The host should not be able to read the value in private memory.

This selftest shows that private memory contents of the guest are not
accessible to host userspace via the HVA.

Signed-off-by: Ackerley Tng <ackerleytng@google.com>
---
 .../kvm/x86_64/private_mem_conversions_test.c | 54 ++++++++++++++++---
 1 file changed, 48 insertions(+), 6 deletions(-)

diff --git a/tools/testing/selftests/kvm/x86_64/private_mem_conversions_test.c b/tools/testing/selftests/kvm/x86_64/private_mem_conversions_test.c
index ef9894340a2b..f2c1e4450b0e 100644
--- a/tools/testing/selftests/kvm/x86_64/private_mem_conversions_test.c
+++ b/tools/testing/selftests/kvm/x86_64/private_mem_conversions_test.c
@@ -47,6 +47,16 @@ static void memcmp_h(uint8_t *mem, uint8_t pattern, size_t size)
 			    pattern, i, mem[i]);
 }
 
+static void memcmp_ne_h(uint8_t *mem, uint8_t pattern, size_t size)
+{
+	size_t i;
+
+	for (i = 0; i < size; i++)
+		TEST_ASSERT(mem[i] != pattern,
+			    "Expected not to find 0x%x at offset %lu but got 0x%x",
+			    pattern, i, mem[i]);
+}
+
 /*
  * Run memory conversion tests with explicit conversion:
  * Execute KVM hypercall to map/unmap gpa range which will cause userspace exit
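Review bot: `memcmp_ne_h` passes for any byte value other than `pattern`, so the new `UCALL_R_PRIVATE` case in `test_mem_conversions` (last hunk) only shows that the HVA does not return the guest's private pattern, not what the host actually observes there. If the HVA is expected to keep showing the last shared contents, having the guest pass that value and checking it with `memcmp_h` would state the isolation property more precisely and would not trip on a coincidental byte match. At minimum the helper deserves a comment such as `/* Fails if any byte equals pattern; passes for every other value, including stale shared data. */`. The message also prints the `size_t` index `i` with `%lu`; `%zu` is the matching specifier.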
@@ -64,8 +74,14 @@ static void memcmp_h(uint8_t *mem, uint8_t pattern, size_t size)
 
 #define GUEST_STAGE(o, s) { .offset = o, .size = s }
 
-#define GUEST_SYNC4(gpa, size, current_pattern, new_pattern) \
-	ucall(UCALL_SYNC, 4, gpa, size, current_pattern, new_pattern)
+#define UCALL_RW_SHARED (0xca11 - 0)
+#define UCALL_R_PRIVATE (0xca11 - 1)
+
+#define REQUEST_HOST_RW_SHARED(gpa, size, current_pattern, new_pattern) \
+	ucall(UCALL_RW_SHARED, 4, gpa, size, current_pattern, new_pattern)
+
+#define REQUEST_HOST_R_PRIVATE(gpa, size, expected_pattern) \
+	ucall(UCALL_R_PRIVATE, 3, gpa, size, expected_pattern)
 
 static void guest_code(void)
 {
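Review bot: `UCALL_RW_SHARED` and `UCALL_R_PRIVATE` are introduced as bare magic numbers, `(0xca11 - 0)` and `(0xca11 - 1)`, with nothing explaining why these values were picked or why they count downward. Presumably they are meant to stay clear of the generic `UCALL_*` commands that the host's `switch` on `get_ucall()` also handles; if so, say that in a comment, e.g. `/* Test-private ucall commands; must not overlap the generic UCALL_* values. */`. The argument counts `4` and `3` hard-coded in the two `REQUEST_HOST_*` macros must match what the host-side cases read from `uc.args[]`, which is also worth a one-line comment next to the macros.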
@@ -86,7 +102,7 @@ static void guest_code(void)
 
 	/* Memory should be shared by default. */
 	memset((void *)DATA_GPA, ~init_p, DATA_SIZE);
-	GUEST_SYNC4(DATA_GPA, DATA_SIZE, ~init_p, init_p);
+	REQUEST_HOST_RW_SHARED(DATA_GPA, DATA_SIZE, ~init_p, init_p);
 	memcmp_g(DATA_GPA, init_p, DATA_SIZE);
 
 	for (i = 0; i < ARRAY_SIZE(stages); i++) {
@@ -113,6 +129,12 @@ static void guest_code(void)
 		kvm_hypercall_map_private(gpa, size);
 		memset((void *)gpa, p2, size);
 
+		/*
+		 * Host should not be able to read the values written to private
+		 * memory
+		 */
+		REQUEST_HOST_R_PRIVATE(gpa, size, p2);
+
 		/*
 		 * Verify that the private memory was set to pattern two, and
 		 * that shared memory still holds the initial pattern.
@@ -133,11 +155,20 @@ static void guest_code(void)
 				continue;
 
 			kvm_hypercall_map_shared(gpa + j, PAGE_SIZE);
-			GUEST_SYNC4(gpa + j, PAGE_SIZE, p1, p3);
+			REQUEST_HOST_RW_SHARED(gpa + j, PAGE_SIZE, p1, p3);
 
 			memcmp_g(gpa + j, p3, PAGE_SIZE);
 		}
 
+		/*
+		 * Even-number pages are still mapped as private, host should
+		 * not be able to read those values.
+		 */
+		for (j = 0; j < size; j += PAGE_SIZE) {
+			if (!((j >> PAGE_SHIFT) & 1))
+				REQUEST_HOST_R_PRIVATE(gpa + j, PAGE_SIZE, p2);
+		}
+
 		/*
 		 * Convert the entire region back to shared, explicitly write
 		 * pattern three to fill in the even-number frames before
@@ -145,7 +176,7 @@ static void guest_code(void)
 		 */
 		kvm_hypercall_map_shared(gpa, size);
 		memset((void *)gpa, p3, size);
-		GUEST_SYNC4(gpa, size, p3, p4);
+		REQUEST_HOST_RW_SHARED(gpa, size, p3, p4);
 		memcmp_g(gpa, p4, size);
 
 		/* Reset the shared memory back to the initial pattern. */
@@ -209,7 +240,18 @@ static void test_mem_conversions(enum vm_mem_backing_src_type src_type)
 		switch (get_ucall(vcpu, &uc)) {
 		case UCALL_ABORT:
 			REPORT_GUEST_ASSERT_4(uc, "%lx %lx %lx %lx");
-		case UCALL_SYNC: {
+		case UCALL_R_PRIVATE: {
+			uint8_t *hva = addr_gpa2hva(vm, uc.args[0]);
+			uint64_t size = uc.args[1];
+
+			/*
+			 * Try to read hva for private gpa from host, should not
+			 * be able to read private data
+			 */
+			memcmp_ne_h(hva, uc.args[2], size);
+			break;
+		}
+		case UCALL_RW_SHARED: {
 			uint8_t *hva = addr_gpa2hva(vm, uc.args[0]);
 			uint64_t size = uc.args[1];
 
-- 
2.40.0.rc2.332.ga46443480c-goog



Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-03-16  0:30 [RFC PATCH 00/10] Additional selftests for restrictedmem Ackerley Tng
2023-03-16  0:30 ` [RFC PATCH 01/10] KVM: selftests: Test error message fixes for memfd_restricted selftests Ackerley Tng
2023-03-16  0:30 ` [RFC PATCH 02/10] KVM: selftests: Test that ftruncate to non-page-aligned size on a restrictedmem fd should fail Ackerley Tng
2023-03-16  0:30 ` Ackerley Tng [this message]
2023-03-16  0:30 ` [RFC PATCH 04/10] KVM: selftests: Exercise restrictedmem allocation and truncation code after KVM invalidation code has been unbound Ackerley Tng
2023-03-16  0:30 ` [RFC PATCH 05/10] KVM: selftests: Generalize private_mem_conversions_test for parallel execution Ackerley Tng
2023-03-16  0:30 ` [RFC PATCH 06/10] KVM: selftests: Default private_mem_conversions_test to use 1 memslot for test data Ackerley Tng
2023-03-16  0:31 ` [RFC PATCH 07/10] KVM: selftests: Add vm_userspace_mem_region_add_with_restrictedmem Ackerley Tng
2023-03-16  0:31 ` [RFC PATCH 08/10] KVM: selftests: Default private_mem_conversions_test to use 1 restrictedmem file for test data Ackerley Tng
2023-03-16  0:31 ` [RFC PATCH 09/10] KVM: selftests: Add tests around sharing a restrictedmem fd Ackerley Tng
2023-03-16  0:31 ` [RFC PATCH 10/10] KVM: selftests: Test KVM exit behavior for private memory/access Ackerley Tng