Re: [PATCH V4 7/7] KVM, pkeys: disable PKU feature without ept

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2016/3/9 15:50, Xiao Guangrong wrote:


On 03/09/2016 03:41 PM, Yang Zhang wrote:
On 2016/3/9 15:21, Xiao Guangrong wrote:


On 03/09/2016 02:37 PM, Yang Zhang wrote:
On 2016/3/9 13:51, Xiao Guangrong wrote:


On 03/08/2016 06:02 PM, Paolo Bonzini wrote:


On 08/03/2016 10:32, Xiao Guangrong wrote:
On 03/08/2016 04:47 PM, Paolo Bonzini wrote:
Some XSAVE features (currently only MPX, but in the future PKRU
too)
will force eagerfpu on, see fpu__init_system_ctx_switch:

          if (xfeatures_mask & XFEATURE_MASK_EAGER) {
                  if (eagerfpu == DISABLE) {
                          xfeatures_mask &= ~XFEATURE_MASK_EAGER;

So if the kernel parameter, eagerfpu is set to "off", then eager is
not
enabled, so PKRU can not work in KVM?

Yes.  Neither PKRU nor MPX.

Er... I noticed fpregs is not switched if the CPU is running in KVM
module
(vcpu is not scheduled out and does not exit to userspace), that is
why
read_pkru() can be used to read guest's PKRU in the patch 4.

However, then guest can fully control the access of userspace's
memory if
CR4.PKRU is enabled on host and KVM needs to access QEMU's memory
to do
some
emulation anyway. Is it really safe?

I think it depends on how we understand the guest uses Pkeys. From my
point, guest only wants to
protect the pages from guest's view, not kvm. So the access from KVM
should be totally transparent
to guest. And should not be aware by guest. For modification, i think
current KVM only touch the DMA
buffer which is setup by guest driver. It's guest responsibility to
ensure the pages he want to
protect are not used as DMA buffer.


No really. A example is KVM need to read guest memory to emulate some
instructions.

This is the access case. I don't think guest is interesting in such
access.

See below.



More worse, the pkey-bits on pte entry is different between guest and
host (they
are using different page tables) so guest can not know what index in
PKRU will be
used by KVM. A evil guest can use it to attack host...

Can you give a example how a evil guest can attack host?

One question is if host and guest are both using pkeys, how to handle
this case? I don't see current
patch consider this case?

This is exact what i said...

Ah...I thought you are asking whether we should let guest aware the access from hypervisor. Sorry to misread your mail.


Currently, this patchset did not recover host's PKRU then host will use
guest's PKRU to do memory access.

This definitely wrong. Besides, should we consider host's setting when guest is running?

--
best regards
yang
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux