From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id ED6D4D597CF
	for <linux-mm@archiver.kernel.org>; Wed, 13 Nov 2024 03:31:45 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 50DC56B00AB; Tue, 12 Nov 2024 22:31:45 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 494BE6B00AC; Tue, 12 Nov 2024 22:31:45 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 2E77A6B00AD; Tue, 12 Nov 2024 22:31:45 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17])
	by kanga.kvack.org (Postfix) with ESMTP id 0E9A26B00AB
	for <linux-mm@kvack.org>; Tue, 12 Nov 2024 22:31:45 -0500 (EST)
Received: from smtpin20.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay06.hostedemail.com (Postfix) with ESMTP id B503FABFD8
	for <linux-mm@kvack.org>; Wed, 13 Nov 2024 03:31:44 +0000 (UTC)
X-FDA: 82779644388.20.68F6B0C
Received: from smtp-fw-2101.amazon.com (smtp-fw-2101.amazon.com [72.21.196.25])
	by imf07.hostedemail.com (Postfix) with ESMTP id 02B1B40011
	for <linux-mm@kvack.org>; Wed, 13 Nov 2024 03:30:42 +0000 (UTC)
Authentication-Results: imf07.hostedemail.com;
	dkim=pass header.d=amazon.com header.s=amazon201209 header.b="EGUlZt/L";
	dmarc=pass (policy=quarantine) header.from=amazon.com;
	spf=pass (imf07.hostedemail.com: domain of "prvs=04027130a=derekmn@amazon.com" designates 72.21.196.25 as permitted sender) smtp.mailfrom="prvs=04027130a=derekmn@amazon.com"
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1731468615;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=/bYsay7vg1weqenJRpb4pqt79mASw+nrIHAtGk1mYk0=;
	b=VtGVvJ2KMFgwIQ/bp20EE1PqwsOXG2bqs6IYqSfvTgj8iZoUOGwp4/qvwjmsfmvymTMH2R
	gg0ZoLQMXP1OPYcbDXuekjD/hEPaRYP63Wtu7CP4FbhYq93+gQTLI8pI9SrpXYmc0PrtPg
	LbV5X2rpGe/FvS2X6gDz8ILpMnj5jCo=
ARC-Authentication-Results: i=1;
	imf07.hostedemail.com;
	dkim=pass header.d=amazon.com header.s=amazon201209 header.b="EGUlZt/L";
	dmarc=pass (policy=quarantine) header.from=amazon.com;
	spf=pass (imf07.hostedemail.com: domain of "prvs=04027130a=derekmn@amazon.com" designates 72.21.196.25 as permitted sender) smtp.mailfrom="prvs=04027130a=derekmn@amazon.com"
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1731468615; a=rsa-sha256;
	cv=none;
	b=h/L8KkiLrlhA+yeCGSDP880qnDxfXe8GKGnVERQ+HANJgcKmaym2/chVwOiB1cKSon+Dy9
	jhVz38ZlarYhoQhRJVW37dWAF9gJpUvXoCgRV7OxpMtX7oJb+YuXlG2BlmYBOT3vRovYML
	RU8Mj2hdI8aHcj7AmyugaTy7GqGzN8E=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209;
  t=1731468702; x=1763004702;
  h=message-id:date:mime-version:to:cc:references:subject:
   from:in-reply-to:content-transfer-encoding;
  bh=/bYsay7vg1weqenJRpb4pqt79mASw+nrIHAtGk1mYk0=;
  b=EGUlZt/L+qWFy1Fxjpb04vEhRbUlfsUsWBKiS9teyrcKmSU2S9IJiJok
   bn7aMOgMMNNo6kaogPHkWFCGVN5oFckA65KX5Hsi6kzDAd7jjRPiseuAA
   7AaFg6frSf+rjMpokX+3Y7kMgbGED2jTll3esXVdIgp+6A1FMWWgU7+5I
   E=;
X-IronPort-AV: E=Sophos;i="6.12,149,1728950400"; 
   d="scan'208";a="442195777"
Received: from iad6-co-svc-p1-lb1-vlan3.amazon.com (HELO smtpout.prod.us-west-2.prod.farcaster.email.amazon.dev) ([10.124.125.6])
  by smtp-border-fw-2101.iad2.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Nov 2024 03:31:38 +0000
Received: from EX19MTAUWC002.ant.amazon.com [10.0.21.151:35392]
 by smtpin.naws.us-west-2.prod.farcaster.email.amazon.dev [10.0.13.112:2525] with esmtp (Farcaster)
 id 1975e212-552a-4756-aa4f-791440302fe9; Wed, 13 Nov 2024 03:31:37 +0000 (UTC)
X-Farcaster-Flow-ID: 1975e212-552a-4756-aa4f-791440302fe9
Received: from EX19D003UWC002.ant.amazon.com (10.13.138.169) by
 EX19MTAUWC002.ant.amazon.com (10.250.64.143) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1258.34;
 Wed, 13 Nov 2024 03:31:37 +0000
Received: from [192.168.205.1] (10.106.101.35) by
 EX19D003UWC002.ant.amazon.com (10.13.138.169) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1258.35;
 Wed, 13 Nov 2024 03:31:34 +0000
Message-ID: <96c24397-b081-4570-adb2-8d4443f3359c@amazon.com>
Date: Tue, 12 Nov 2024 20:31:29 -0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: <elena.reshetova@intel.com>
CC: <ackerleytng@google.com>, <agordeev@linux.ibm.com>,
	<aou@eecs.berkeley.edu>, <borntraeger@linux.ibm.com>, <bp@alien8.de>,
	<canellac@amazon.at>, <catalin.marinas@arm.com>, <chenhuacai@kernel.org>,
	<corbet@lwn.net>, <dave.hansen@intel.com>, <dave.hansen@linux.intel.com>,
	<david@redhat.com>, <derekmn@amazon.com>, <gerald.schaefer@linux.ibm.com>,
	<gor@linux.ibm.com>, <graf@amazon.com>, <hca@linux.ibm.com>, <hpa@zytor.com>,
	<jgowans@amazon.com>, <jthoughton@google.com>, <kalyazin@amazon.com>,
	<kernel@xen0n.name>, <kvm@vger.kernel.org>,
	<linux-arm-kernel@lists.infradead.org>, <linux-doc@vger.kernel.org>,
	<linux-kernel@vger.kernel.org>, <linux-kselftest@vger.kernel.org>,
	<linux-mm@kvack.org>, <linux-riscv@lists.infradead.org>,
	<linux-s390@vger.kernel.org>, <linux-trace-kernel@vger.kernel.org>,
	<loongarch@lists.linux.dev>, <luto@kernel.org>,
	<mathieu.desnoyers@efficios.com>, <mhiramat@kernel.org>, <mingo@redhat.com>,
	<mlipp@amazon.at>, <palmer@dabbelt.com>, <paul.walmsley@sifive.com>,
	<pbonzini@redhat.com>, <peterz@infradead.org>, <quic_eberman@quicinc.com>,
	<rostedt@goodmis.org>, <roypat@amazon.co.uk>, <rppt@kernel.org>,
	<seanjc@google.com>, <shuah@kernel.org>, <svens@linux.ibm.com>,
	<tabba@google.com>, <tglx@linutronix.de>, <vannapurve@google.com>,
	<will@kernel.org>, <x86@kernel.org>, <xmarcalx@amazon.com>
References: <DM8PR11MB57505F62D149EF153F89B8BAE75D2@DM8PR11MB5750.namprd11.prod.outlook.com>
Subject: RE: [RFC PATCH v3 0/6] Direct Map Removal for guest_memfd
Content-Language: en-US
From: "Manwaring, Derek" <derekmn@amazon.com>
In-Reply-To: <DM8PR11MB57505F62D149EF153F89B8BAE75D2@DM8PR11MB5750.namprd11.prod.outlook.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.106.101.35]
X-ClientProxiedBy: EX19D038UWB003.ant.amazon.com (10.13.139.157) To
 EX19D003UWC002.ant.amazon.com (10.13.138.169)
X-Rspam-User: 
X-Rspamd-Server: rspam03
X-Rspamd-Queue-Id: 02B1B40011
X-Stat-Signature: ou9fuqm9iae4fpe9iw4tg8qyyzatj3u3
X-HE-Tag: 1731468642-65347
X-HE-Meta: U2FsdGVkX18qLDGOjpaFl2PCbgHaUt3iO1rxniCCNPP/76C20quXoCB56DibaC4c2GZmTR2IS9LqNjPsgZopv+wAzuod5KxuMm9kvVaLDPvNB9ePmrNXypZ2lAt2AvIiSVlFMQWq8AL4o8vBdpGe8h3ouUYRVIMB+cmGoc5CWzmVwjg1NMUmtLNm6yvPSjbjgZF9v3ekMFIzMFoM01a8nVNryuZmn6P0rs+yhtQQhzy2a4S56KNIvGX7rHp3eDcOq2wGdFZF0hKH2srMZPZnbQ4yZ0ppT0t665oAWOI6+9kAufUhjppjZ62pHZrbrSfQaFTmbSJ/gBvE6hWj54/v4SXudGtLTzBUik0RV1zUgJAD6HRUIbiaBSP94CChrP/1KjXz8vyjATdw3uFTN/lOxBun6F5xT0tEl409sa8GvrKURAYZme3anW6iIZzoBHixX3Q9UtSd/uOk3xnH6Ma9Ha9W4WNmTj3PTk/Ycti0EPPtjvXNTwAFj2qDXH64fUC34vX1XhAtOFi7kQESJK5x/eHOUnxJTk2T4BV1Ur27wxgtHBDmwBi5dHK07BYZenx0qPcXZm9GX5rxXDWsGy1egLCZu6QAcFORgtqarf+vY6tVb8avIr5pZNUnDmgLc2cayFyZiVVkgoUZQvj2Gr+J1fmSJLqc5xJTcYWwlyxmtS8mS81EloYoH6bwAIzSk+iZws5nPOgivrmSW8Uu9S2qRJZk7zh6DkbPcYMQLkC8km4DJuMX4cctDcN04i6Bi1XSN1B04UspqPiACIm4GNYlNJyfTuotRoOCLuo/JHx+b61QdFaNWZlLDnpvLizY0iyRAcnfqs7yWjUPRGVhSfxvf95hBcEfwScRQcUpITbItuCqN2vpo8xCA0suxmJHMxhEqin/TtPH6neI18QU1ZpnsvFifUdeRQ2TWn9OQcpAJpk/fmvHPwFtP9mWVeFA9hdFChgp66GcNr8M8hJ2Bn8
 r2mQRWJI
 0XZHBaoW9ehRcIU5k2vBNN6eBgc0S1AqWyZTTCtr9WOipaSJPyxDjzgDa8IYE4W5mgx7itsbxnKvUdCP1/E5I2gP2P+ACH3uS5IIoJFT0MMNz+n2jx0EnheGzJIL27b3wrNd6F8nYitFOjSbax+BZwAXxN20f9LjbXFrYIxFAFPsBfs1nJ2X7n0VLA7HjaewTmTZKcZyvv1w8ms0gSDVszM52ZySxuEhK4JtxlzKMy4ZzWRvaeYJITFvnbmBDDO2l9ZEco2sd8TgJ4xUmiSZuPgVJqlx+HTqZIL/4QK1gke/RYmdMZCsxB9l6/3fX0kqwxIqy1DakccSRLM0/5GFPx2ieIVccqnI6XuJEwqwM41aEAd8RAk4k4f4VxHlXNQJNm5818afMZMASAPmL7lPKbhiEJeBIhYPGTm4lXGPK79XmMQ9UY0/rKByaOQ==
X-Bogosity: Ham, tests=bogofilter, spamicity=0.011051, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

On 2024-11-08 at 10:36, Elena Reshetova wrote:
> On 2024-11-06 at 17:04, Derek Manwaring wrote:
> > On 2024-11-04 at 08:33+0000, Elena Reshetova wrote:
> > > This statement *is* for integrity section. We have a separate TDX guidance
> > > on side-channels (including speculative) [3] and some speculative attacks
> > > that affect confidentiality (for example spectre v1) are listed as not covered
> > > by TDX but remaining SW responsibility (as they are now).
> >
> > Thanks for the additional info, Elena. Given that clarification, I
> > definitely see direct map removal and TDX as complementary.
>
> Jus to clarify to make sure my comment is not misunderstood.
> What I meant is that we cannot generally assume that confidentiality
> leaks from CoCo guests to host/VMM via speculative channels
> are completely impossible. Spectre V1 is a prime example of such a
> possible leak. Dave also elaborated on other potential vectors earlier.
>
> The usefulness of direct map removal for CoCo guests as a concrete
> mitigation for certain types of memory attacks must be precisely
> evaluated per each attack vector, attack vector direction (host -> guest,
> guest ->host, etc) and per each countermeasure that CoCo vendors
> provide for each such case. I don't know if there is any existing study
> that examines this for major CoCo vendors. I think this is what must
> be done for this work in order to have a strong reasoning for its usefulness.

Thanks, that makes sense. I'm a little hyperfocused on guest->host which
is the opposite direction of what is generally used for the CoCo threat
model. I think what both cases care about though is guest->guest. For
me, guest->host matters because it's a route for guest->guest (at least
in the non-CoCo world). There's some good discussion on this in David's
series on attack vector controls [1].

Like you mention, beyond direction it matters which CoCo countermeasures
are at play and how far they go during transient execution. That part is
not clear to me for the host->guest direction involving the direct map,
but agree any countermeasures like direct map removal should be
evaluated based on a better understanding of what those existing
countermeasures already cover and what attack is intended to be
mitigated.

Derek


[1] https://lore.kernel.org/lkml/LV3PR12MB92658EA6CCF18F90DAAA168394532@LV3PR12MB9265.namprd12.prod.outlook.com/