On 2021/6/3 9:55 PM, Andi Kleen wrote:
Ok, but what I meant is this, if we don't read from the descriptor
ring, and validate all the other metadata supplied by the device
(used id and len). Then there should be no way for the device to
suppress the dma flags to write to the indirect descriptor ta
On 2021/6/4 1:33 AM, Andy Lutomirski wrote:
On 6/2/21 5:41 PM, Andi Kleen wrote:
Only allow split mode when in a protected guest. Follow-on
patches harden the split mode code paths, and we don't want
a malicious host to force anything else. Also disallow
indirect mode for similar reasons.
I read th
For most Linux drivers, a report that a misbehaving device can corrupt
host memory is a bug, not a feature. If a USB device can corrupt kernel
memory, that's a serious bug. If a USB-C device can corrupt kernel
memory, that's also a serious bug, although, sadly, we probably have
lots of these
On 6/3/21 4:32 PM, Andi Kleen wrote:
>
>> We do not need an increasing pile of kludges
>
> Do you mean disabling features is a kludge?
>
> If yes I disagree with that characterization.
>
>
>> to make TDX and SEV “secure”. We need the actual loaded driver to be
>> secure. The virtio architect
On 2021/6/4 2:00 AM, Andi Kleen wrote:
On 6/3/2021 10:33 AM, Andy Lutomirski wrote:
On 6/2/21 5:41 PM, Andi Kleen wrote:
Only allow split mode when in a protected guest. Follow-on
patches harden the split mode code paths, and we don't want
a malicious host to force anything else. Also disallow
ind
On 2021/6/4 3:31 AM, Andy Lutomirski wrote:
On Thu, Jun 3, 2021, at 11:00 AM, Andi Kleen wrote:
On 6/3/2021 10:33 AM, Andy Lutomirski wrote:
On 6/2/21 5:41 PM, Andi Kleen wrote:
Only allow split mode when in a protected guest. Follow-on
patches harden the split mode code paths, and we don't want
a
We do not need an increasing pile of kludges
Do you mean disabling features is a kludge?
If yes I disagree with that characterization.
to make TDX and SEV “secure”. We need the actual loaded driver to be secure.
The virtio architecture is full of legacy nonsense,
and there is no good re
On Thu, Jun 3, 2021, at 12:53 PM, Andi Kleen wrote:
>
> > Tell that to every crypto downgrade attack ever.
>
> That's exactly what this patch addresses.
>
> >
> > I see two credible solutions:
> >
> > 1. Actually harden the virtio driver.
> That's exactly what this patchkit, and the alternativ
Tell that to every crypto downgrade attack ever.
That's exactly what this patch addresses.
I see two credible solutions:
1. Actually harden the virtio driver.
That's exactly what this patchkit, and the alternative approaches, like
Jason's, are doing.
2. Have a new virtio-modern driver a
On Thu, Jun 3, 2021, at 11:00 AM, Andi Kleen wrote:
>
> On 6/3/2021 10:33 AM, Andy Lutomirski wrote:
> > On 6/2/21 5:41 PM, Andi Kleen wrote:
> >> Only allow split mode when in a protected guest. Follow-on
> >> patches harden the split mode code paths, and we don't want
> >> a malicious host to
On 6/3/2021 10:33 AM, Andy Lutomirski wrote:
On 6/2/21 5:41 PM, Andi Kleen wrote:
Only allow split mode when in a protected guest. Follow-on
patches harden the split mode code paths, and we don't want
a malicious host to force anything else. Also disallow
indirect mode for similar reasons.
I
On 6/2/21 5:41 PM, Andi Kleen wrote:
> Only allow split mode when in a protected guest. Follow-on
> patches harden the split mode code paths, and we don't want
> a malicious host to force anything else. Also disallow
> indirect mode for similar reasons.
I read this as "the virtio driver is buggy.
Ok, but what I meant is this, if we don't read from the descriptor
ring, and validate all the other metadata supplied by the device (used
id and len). Then there should be no way for the device to suppress
the dma flags to write to the indirect descriptor table.
Or do you have an example ho
On 2021/6/3 10:56 AM, Andi Kleen wrote:
I agree, but I want to know why indirect descriptor needs to be
disabled. The table can't be written by the device since it's not a
coherent swiotlb mapping.
I had all kinds of problems with uninitialized entries in the indirect
table. So I gave up on it an
I agree, but I want to know why indirect descriptor needs to be
disabled. The table can't be written by the device since it's not a
coherent swiotlb mapping.
I had all kinds of problems with uninitialized entries in the indirect
table. So I gave up on it and concluded it would be too difficul
On 2021/6/3 9:48 AM, Andi Kleen wrote:
So we will see huge performance regression without indirect
descriptor. We need to consider to address this.
A regression would be when some existing case would be slower.
That's not the case because the behavior for the existing cases does
not change.
A
So we will see huge performance regression without indirect
descriptor. We need to consider to address this.
A regression would be when some existing case would be slower.
That's not the case because the behavior for the existing cases does not
change.
Anyways when there are performance pr
When running under TDX the virtio host is untrusted. The bulk
of the kernel memory is encrypted and protected, but the virtio
ring is in special shared memory that is shared with the
untrusted host.
This means virtio needs to be hardened against any attacks from
the host through the ring. Of cours
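The cover letter above states the threat model (the virtio ring lives in memory shared with an untrusted host), and the earlier exchange between Jason Wang and Andi Kleen asks what it takes to validate the used-ring metadata (id and len) the device supplies. The following is an added example, not code from this patch series or from the kernel's virtio_ring.c: a small C model of a split-virtqueue driver that treats the shared ring as hostile input and checks every used element only against driver-private bookkeeping (the in-flight set, the mapped buffer length, and the count of outstanding buffers), never by reading the descriptor table back from shared memory. All names (`drv_vq`, `drv_post_buffer`, `drv_consume_used`, `drv_check_used_idx`) and the queue size are hypothetical, and the completions fed to it are constructed to show each rejection path.

```c
/*
 * Added example (not from the patch series or the kernel): a model of how a
 * split-virtqueue driver can validate the used-ring metadata (id, len) that an
 * untrusted device writes into shared memory, using only driver-private state
 * the device cannot reach. All names here are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VQ_NUM 8   /* hypothetical queue size */

/* One used-ring element as the virtio split-ring layout defines it. */
struct vring_used_elem { uint32_t id; uint32_t len; };

/* Driver-private bookkeeping kept in guest-private (encrypted) memory. This,
 * not the shared descriptor table, is the source of truth for validation. */
struct drv_vq {
    uint8_t  in_flight[VQ_NUM];   /* 1 if id was posted and not yet returned */
    uint32_t buf_len[VQ_NUM];     /* byte length the driver mapped for that id */
    uint16_t last_used_idx;       /* next used-ring slot the driver expects */
    uint16_t num_in_flight;       /* buffers currently handed to the device */
};

enum used_verdict { USED_OK = 0, USED_BAD_ID = -1, USED_NOT_IN_FLIGHT = -2,
                    USED_BAD_LEN = -3, USED_BAD_IDX = -4 };

/* Driver posts buffer `id` of `len` bytes to the device and records it. */
int drv_post_buffer(struct drv_vq *vq, uint16_t id, uint32_t len)
{
    if (id >= VQ_NUM || vq->in_flight[id])
        return -1;                /* driver bug, not a device attack */
    vq->in_flight[id] = 1;
    vq->buf_len[id] = len;
    vq->num_in_flight++;
    return 0;
}

/* The device-written used->idx may not claim more completions than the
 * driver has outstanding; the 16-bit subtraction wraps like the spec index. */
enum used_verdict drv_check_used_idx(const struct drv_vq *vq, uint16_t dev_used_idx)
{
    uint16_t pending = (uint16_t)(dev_used_idx - vq->last_used_idx);
    return pending <= vq->num_in_flight ? USED_OK : USED_BAD_IDX;
}

/* Validate one used element against private state, then retire the buffer. */
enum used_verdict drv_consume_used(struct drv_vq *vq, const struct vring_used_elem *e)
{
    if (e->id >= VQ_NUM)
        return USED_BAD_ID;            /* index past the descriptor table */
    if (!vq->in_flight[e->id])
        return USED_NOT_IN_FLIGHT;     /* never posted, or already returned */
    if (e->len > vq->buf_len[e->id])
        return USED_BAD_LEN;           /* device claims it wrote past the mapping */
    vq->in_flight[e->id] = 0;
    vq->num_in_flight--;
    vq->last_used_idx++;
    return USED_OK;
}

/* Constructed scenario: three buffers posted, then a mix of honest and hostile
 * completions. Returns how many completions the driver rejected. */
int demo_hostile_device(void)
{
    struct drv_vq vq;
    memset(&vq, 0, sizeof vq);
    drv_post_buffer(&vq, 2, 1500);
    drv_post_buffer(&vq, 5, 4096);
    drv_post_buffer(&vq, 7, 64);

    const struct vring_used_elem completions[] = {
        { 2, 1500 },   /* honest */
        { 9, 10 },     /* id out of range */
        { 3, 10 },     /* id was never posted */
        { 5, 65536 },  /* len larger than the 4096-byte mapping */
        { 5, 4096 },   /* honest */
        { 5, 100 },    /* double completion of id 5 */
        { 7, 0 },      /* honest: a zero-length completion is legal */
    };
    int rejected = 0;
    for (size_t i = 0; i < sizeof completions / sizeof completions[0]; i++) {
        enum used_verdict v = drv_consume_used(&vq, &completions[i]);
        if (v != USED_OK)
            rejected++;
        printf("used{id=%u,len=%u} -> %d\n", completions[i].id, completions[i].len, (int)v);
    }
    return rejected;
}

/* Returns 1 if the used-index check accepts exactly the outstanding count,
 * rejects one more, and handles the 16-bit wrap of the index. */
int demo_used_idx_check(void)
{
    struct drv_vq vq;
    memset(&vq, 0, sizeof vq);
    drv_post_buffer(&vq, 0, 100);
    drv_post_buffer(&vq, 1, 100);
    int ok = drv_check_used_idx(&vq, 2) == USED_OK && drv_check_used_idx(&vq, 3) == USED_BAD_IDX;
    vq.last_used_idx = 65535;          /* index about to wrap */
    return ok && drv_check_used_idx(&vq, 1) == USED_OK;
}

int main(void)
{
    printf("rejected %d hostile completions\n", demo_hostile_device());
    return demo_used_idx_check() ? 0 : 1;
}
```

The point of the model is the direction of trust: every field the device writes (used idx, id, len) is checked against state the device cannot touch, and a rejected element is dropped rather than used to index or size anything. Real drivers additionally have to decide what to do after a rejection (log and stop the queue, rather than keep consuming), which this model leaves to the caller.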
On 2021/6/3 8:41 AM, Andi Kleen wrote:
When running under TDX the virtio host is untrusted. The bulk
of the kernel memory is encrypted and protected, but the virtio
ring is in special shared memory that is shared with the
untrusted host.
This means virtio needs to be hardened against any attacks fro
19 matches