From: Junaid Shahid <junaids@google.com>
To: Borislav Petkov <bp@alien8.de>, Brendan Jackman <jackmanb@google.com>
Cc: akpm@linux-foundation.org, dave.hansen@linux.intel.com,
yosryahmed@google.com, kvm@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
peterz@infradead.org, seanjc@google.com, tglx@linutronix.de,
x86@kernel.org
Subject: Re: [PATCH RFC v2 03/29] mm: asi: Introduce ASI core API
Date: Fri, 14 Mar 2025 18:34:32 -0700 [thread overview]
Message-ID: <5aa114f7-3efb-4dab-8579-cb9af4abd3c0@google.com> (raw)
In-Reply-To: <20250314131419.GJZ9Qrq8scAtDyBUcg@fat_crate.local>
On 3/14/25 6:14 AM, Borislav Petkov wrote:
> On Fri, Feb 28, 2025 at 08:43:55AM +0000, Brendan Jackman wrote:
>> (otherwise if we get an NMI between asi_enter() and
>> asi_start_critical(), and that causes a #PF, we will start the
>> critical section in the wrong address space and ASI won't do its job).
>> So, we are somewhat forced to mix up a. and b. from above.
>
> I don't understand: asi_enter() can be interrupted by an NMI at any random
> point. How is the current, imbalanced interface not vulnerable to this
> scenario?
>
The reason this isn't a problem with the current asi_enter() is because there
the equivalent of asi_start_critical() happens _before_ the address space
switch. That ensures that even if an NMI arrives in the middle of asi_enter(),
the NMI epilog will switch to the restricted address space and there is no
window where an NMI (or any other interrupt/exception for that matter) would
result in going into vmenter with an unrestricted address space.
So
asi_enter();
asi_start_critical();
vmenter();
asi_end_critical();
is broken as there is a problematic window between asi_enter() and
asi_start_critical() as Brendan pointed out.
However,
asi_start_critical();
asi_enter();
vmenter();
asi_end_critical();
would work perfectly fine.
Perhaps that might be the way to refactor the API?
Thanks,
Junaid
next prev parent reply other threads:[~2025-03-15 1:34 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-10 18:40 [PATCH RFC v2 00/29] Address Space Isolation (ASI) Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 01/29] mm: asi: Make some utility functions noinstr compatible Brendan Jackman
2025-01-16 0:18 ` Borislav Petkov
2025-01-16 10:27 ` Borislav Petkov
2025-01-16 13:22 ` Brendan Jackman
2025-01-16 14:02 ` Borislav Petkov
2025-01-10 18:40 ` [PATCH RFC v2 02/29] x86: Create CONFIG_MITIGATION_ADDRESS_SPACE_ISOLATION Brendan Jackman
2025-01-16 16:43 ` Borislav Petkov
2025-03-01 7:23 ` Mike Rapoport
2025-03-05 13:12 ` Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 03/29] mm: asi: Introduce ASI core API Brendan Jackman
2025-02-19 10:55 ` Borislav Petkov
2025-02-19 13:50 ` Brendan Jackman
2025-02-19 13:53 ` Brendan Jackman
2025-02-27 12:06 ` Borislav Petkov
2025-02-28 8:43 ` Brendan Jackman
2025-03-14 13:14 ` Borislav Petkov
2025-03-15 1:34 ` Junaid Shahid [this message]
2025-03-15 12:36 ` Borislav Petkov
2025-03-17 11:40 ` Brendan Jackman
2025-03-18 0:50 ` Junaid Shahid
2025-03-18 13:03 ` Brendan Jackman
2025-03-18 22:48 ` Junaid Shahid
2025-03-19 15:23 ` Borislav Petkov
2025-01-10 18:40 ` [PATCH RFC v2 04/29] mm: asi: Add infrastructure for boot-time enablement Brendan Jackman
2025-03-19 17:29 ` Borislav Petkov
2025-03-19 18:47 ` Yosry Ahmed
2025-03-20 10:44 ` Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 05/29] mm: asi: ASI support in interrupts/exceptions Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 06/29] mm: asi: Use separate PCIDs for restricted address spaces Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 07/29] mm: asi: Make __get_current_cr3_fast() ASI-aware Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 08/29] mm: asi: Avoid warning from NMI userspace accesses in ASI context Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 09/29] mm: asi: ASI page table allocation functions Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 10/29] mm: asi: asi_exit() on PF, skip handling if address is accessible Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 11/29] mm: asi: Functions to map/unmap a memory range into ASI page tables Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 12/29] mm: asi: Add basic infrastructure for global non-sensitive mappings Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 13/29] mm: Add __PAGEFLAG_FALSE Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 14/29] mm: asi: Map non-user buddy allocations as nonsensitive Brendan Jackman
2025-01-10 18:40 ` [PATCH TEMP WORKAROUND RFC v2 15/29] mm: asi: Workaround missing partial-unmap support Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 16/29] mm: asi: Map kernel text and static data as nonsensitive Brendan Jackman
2025-01-17 11:23 ` Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 17/29] mm: asi: Map vmalloc/vmap " Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 18/29] mm: asi: Map dynamic percpu memory " Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 19/29] mm: asi: Stabilize CR3 in switch_mm_irqs_off() Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 20/29] mm: asi: Make TLB flushing correct under ASI Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 21/29] KVM: x86: asi: Restricted address space for VM execution Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 22/29] mm: asi: exit ASI before accessing CR3 from C code where appropriate Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 23/29] mm: asi: exit ASI before suspend-like operations Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 24/29] mm: asi: Add infrastructure for mapping userspace addresses Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 25/29] mm: asi: Restricted execution fore bare-metal processes Brendan Jackman
2025-02-28 15:32 ` Yosry Ahmed
2025-03-20 15:55 ` Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 26/29] x86: Create library for flushing L1D for L1TF Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 27/29] mm: asi: Add some mitigations on address space transitions Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 28/29] x86/pti: Disable PTI when ASI is on Brendan Jackman
2025-01-10 18:40 ` [PATCH RFC v2 29/29] mm: asi: Stop ignoring asi=on cmdline flag Brendan Jackman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5aa114f7-3efb-4dab-8579-cb9af4abd3c0@google.com \
--to=junaids@google.com \
--cc=akpm@linux-foundation.org \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=jackmanb@google.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=peterz@infradead.org \
--cc=seanjc@google.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
--cc=yosryahmed@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox