On 11/22/21 1:14 PM, Dave Hansen wrote:
On 11/22/21 11:06 AM, Brijesh Singh wrote:
3. Kernel accesses guest private memory via a kernel mapping. This one
is tricky. These probably *do* result in a panic() today, but
ideally shouldn't.
KVM has defined some helper functions to maps and unmap the guest pages.
Those helper functions do the GPA to PFN lookup before calling the
kmap(). Those helpers are enhanced such that it check the RMP table
before the kmap() and acquire a lock to prevent a page state change
until the kunmap() is called. So, in the current implementation, we
should *not* see a panic() unless there is a KVM driver bug that didn't
use the helper functions or a bug in the helper function itself.
I don't think this is really KVM specific.
Think of a remote process doing ptrace(PTRACE_POKEUSER) or pretty much
any generic get_user_pages() instance. As long as the memory is mapped
into the page tables, you're exposed to users that walk the page tables.
How do we, for example, prevent ptrace() from inducing a panic()?
In the current approach, this access will induce a panic(). In general,
supporting the ptrace() for the encrypted VM region is going to be
difficult. The upcoming TDX work to unmap the guest memory region from
the current process page table can easily extend for the SNP to cover
the current limitations.
thanks