Re: AMD SEV-SNP/Intel TDX: validation of memory pages

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




> On Feb 16, 2021, at 7:59 AM, Paolo Bonzini <pbonzini@xxxxxxxxxx> wrote:
> 
> On 16/02/21 15:46, Peter Zijlstra wrote:
>>> On Tue, Feb 16, 2021 at 06:27:41AM -0800, Andi Kleen wrote:
>>> I think the IST solution should at least be explored before
>>> dismissing it. It might be simpler than anything else (like
>>> using new APIs)
>> Have you seen the trainwreck bonzini proposed?
> 
> You had been suspiciously silent...

Can one of you point me at the original proposal?

> 
>> The very simplest thing is saying no to TDX.
>> That 'solution' also hard relies on #VE not nesting more than once, so
>> lovely things like: #VE -> #DB -> #VE -> #NMI -> #VE, or #VE -> NMI ->
>> #VE -> #MC -> #VE or any number of other possible 'fun' combinations
>> _must_ not happen.
> 
> ... but no, this is not how it works.  It is actually guaranteed that #VE does not nest more than once, and that's the big difference with NMIs.
> 
> Let's look at the first case you listed, this is what would happen:
> 
> 
> #VE handler starts on stack 1
> First #VE processing...
> clear VE-in-progress flag in the info block (allowing reentrancy)
>    #DB handler starts
>        nested #VE handler starts on stack 2
>        outer #VE handler marks stack 1 for reexecution
>        nested #VE handler ends ***
>    #DB handler ends
> #VE handler IRETs back to the start of the handler itself
> Second #VE processing starts (also on stack 1)
> clear VE-in-progress flag in the info block
>    #NMI handler
>        nested #VE handler starts on stack 2
>        outer #VE handler marks stack 1 for reexecution
>        nested #VE handler ends ***
>    #NMI handler ends
> #VE handler IRETs back to the start of the handler itself

This sounds suspiciously like the current NMI code. I want to look at the code. If nothing else, I suspect it’s busted wrt CET, but the current NMI code definitely has bugs.  For example, if we are about to IRET from NMI and we get #VE in the IRET insn itself and then get a new NMI inside the #VE, we are toast.

> Third #VE processing starts (also on stack 1)
> clear VE-in-progress flag in the info block
> #VE handler IRETs back to the caller
> 
> 
> Two things of note:
> 
> - note that at the points marked *** the nested #VE handler has not allowed another exception to come.  That only happens in the outer handler.
> 
> - the inner handler does nothing but telling the outer handler to rerun.  The way it does it is certainly not pretty, because it has to work at any instruction boundary, but at its heart it's basically a do{}while loop.
> 
> Paolo
> 
>> And yes, I know #MC isn't supported just now, but the above would
>> mandate it never be supported _ever_, because otherwise the IST hack
>> crumbles.
>> Again, repeat after me: ISTs are a part of the problem.
>> So how about fixing TDX instead of forcing us to do horrible fragile
>> things we all know will end up in tears?
> 





[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux