Re: [PATCH v11 21/28] sev/i386: add debug encrypt and decrypt commands

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



* Brijesh Singh (brijesh.singh@xxxxxxx) wrote:
> 
> 
> On 03/07/2018 11:27 AM, Dr. David Alan Gilbert wrote:
> 
> [...]
> 
> > > +{
> > > +    SEVState *s = (SEVState *)handle;
> > > +
> > > +    /* If policy does not allow debug then no need to register ops */
> > > +    if (s->policy & SEV_POLICY_NODBG) {
> > > +        return;
> > > +    }
> > 
> > So what happens if someone tries to use a gdb or monitor command when
> > policy didn't allow debug?  Does it end up with an obvious error
> > somehow?
> > 
> 
> In those cases caller will get encrypted bytes, leading to unintelligible
> data. It can sometime translate into  obvious errors e.g caller tries to
> walk guest pagtable and it gets garbage and will have trouble dumping the
> pgtables etc. Many times qemu calls ldphys_* functions to access the data it
> may get tricky to report the errors.

So would it make sense to have something like:

sev_mem_cant_read(uint8_t *dst, const uint8_t *src, uint32_t len, MemTxAttrs attrs)
{
    error_report("SEV Guest policy does not allow debug access");

    return -EPERM;
}

void
sev_set_debug_ops(void *handle, MemoryRegion *mr)
{
    SEVState *s = (SEVState *)handle;

    /* If policy does not allow debug then no need to register ops */
    if (s->policy & SEV_POLICY_NODBG) {
        sev_ops.read = sev_mem_cant_read;
        sev_ops.write = sev_mem_cant_write;
    } else {
        sev_ops.read = sev_mem_read;
        sev_ops.write = sev_mem_write;
    }

Dave

> 
> -Brijesh
--
Dr. David Alan Gilbert / dgilbert@xxxxxxxxxx / Manchester, UK



[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux