Re: [PATCH 19/25] KVM: VMX: Add basic handling of VM-Exit from SGX enclave

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Mar 01, 2021, Kai Huang wrote:
> diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
> index 50810d471462..df8e338267aa 100644
> --- a/arch/x86/kvm/vmx/vmx.c
> +++ b/arch/x86/kvm/vmx/vmx.c
> @@ -1570,12 +1570,18 @@ static int vmx_rtit_ctl_check(struct kvm_vcpu *vcpu, u64 data)
>  
>  static bool vmx_can_emulate_instruction(struct kvm_vcpu *vcpu, void *insn, int insn_len)
>  {
> +	if (to_vmx(vcpu)->exit_reason.enclave_mode) {
> +		kvm_queue_exception(vcpu, UD_VECTOR);

Rereading my own code, I think it would be a good idea to add a comment here
explaining that injecting #UD is technically wrong, but avoids giving guest
userspace an easy way to DoS the guest.  The EPT misconfig is a good example;
guest userspace could have executed a simple MOV <reg>, <mem> instruction, in
which case injecting a #UD is bizarre behavior.  But, the alternative is exiting
to userspace with KVM_INTERNAL_ERROR_EMULATION, which is all but guaranteed to
kill the guest.

If KVM, specifically handle_emulation_failure(), ever gains a more sophisticated
mechanism for handling userspace emulation errors, this should be updated too.

	/*
	 * Emulation of instructions in SGX enclaves is impossible as RIP does
	 * not point  tthe failing instruction, and even if it did, the code
	 * stream is inaccessible.  Inject #UD instead of exiting to userspace
	 * so that guest userspace can't DoS the guest simply by triggering
	 * emulation (enclaves are CPL3 only).
	 */

> +		return false;
> +	}
>  	return true;
>  }

...

> @@ -5384,6 +5415,9 @@ static int handle_ept_misconfig(struct kvm_vcpu *vcpu)
>  {
>  	gpa_t gpa;
>  
> +	if (!vmx_can_emulate_instruction(vcpu, NULL, 0))
> +		return 1;
> +
>  	/*
>  	 * A nested guest cannot optimize MMIO vmexits, because we have an
>  	 * nGPA here instead of the required GPA.
> -- 
> 2.29.2
> 



[Index of Archives]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux