Re: [RFCv1 7/7] KVM: unmap guest memory using poisoned pages

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 02.04.21 17:26, Kirill A. Shutemov wrote:
TDX architecture aims to provide resiliency against confidentiality and
integrity attacks. Towards this goal, the TDX architecture helps enforce
the enabling of memory integrity for all TD-private memory.

The CPU memory controller computes the integrity check value (MAC) for
the data (cache line) during writes, and it stores the MAC with the
memory as meta-data. A 28-bit MAC is stored in the ECC bits.

Checking of memory integrity is performed during memory reads. If
integrity check fails, CPU poisones cache line.

On a subsequent consumption (read) of the poisoned data by software,
there are two possible scenarios:

  - Core determines that the execution can continue and it treats
    poison with exception semantics signaled as a #MCE

  - Core determines execution cannot continue,and it does an unbreakable
    shutdown

For more details, see Chapter 14 of Intel TDX Module EAS[1]

As some of integrity check failures may lead to system shutdown host
kernel must not allow any writes to TD-private memory. This requirment
clashes with KVM design: KVM expects the guest memory to be mapped into
host userspace (e.g. QEMU).

So what you are saying is that if QEMU would write to such memory, it could crash the kernel? What a broken design.

"As some of integrity check failures may lead to system shutdown host" -- usually we expect to recover from an MCE by killing the affected process, which would be the right thing to do here.

How can it happen that "Core determines execution cannot continue,and it does an unbreakable shutdown". Who is "Core"? CPU "core", MM "core" ? And why would it decide to do a shutdown instead of just killing the process?

--
Thanks,

David / dhildenb






[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux