Re: [PATCH 0/2] Support userspace hypercalls for TDX

public inbox for linux-coco@lists.linux.dev
 help / color / mirror / Atom feed

From: Tim Merrifield <tim.merrifield@broadcom.com>
To: Peter Zijlstra <peterz@infradead.org>
Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
	x86@kernel.org, "H . Peter Anvin" <hpa@zytor.com>,
	Xin Li <xin3.li@intel.com>, Ard Biesheuvel <ardb@kernel.org>,
	Kai Huang <kai.huang@intel.com>,
	Kevin Loughlin <kevinloughlin@google.com>,
	Thomas Zimmermann <tzimmermann@suse.de>,
	Rick Edgecombe <rick.p.edgecombe@intel.com>,
	Kees Cook <kees@kernel.org>, Mike Rapoport <rppt@kernel.org>,
	Brian Gerst <brgerst@gmail.com>,
	linux-coco@lists.linux.dev, linux-kernel@vger.kernel.org,
	Ajay Kaher <ajay.kaher@broadcom.com>,
	Alexey Makhalov <alexey.makhalov@broadcom.com>,
	Broadcom internal kernel review list
	<bcm-kernel-feedback-list@broadcom.com>,
	virtualization@lists.linux.dev, alex.james@broadcom.com,
	doug.covelli@broadcom.com, jeffrey.sheldon@broadcom.com
Subject: Re: [PATCH 0/2] Support userspace hypercalls for TDX
Date: Fri, 5 Jul 2024 11:55:39 -0700	[thread overview]
Message-ID: <20240705185529.GA16769@prme-hs2-i1009> (raw)
In-Reply-To: <20240704130505.GT11386@noisy.programming.kicks-ass.net>

On Thu, Jul 04, 2024 at 03:05:05PM +0200, Peter Zijlstra wrote:
> And how are we to ascertain the software using these hooks is deemed
> secure? What security risks are there for the kernel if a malicious
> userspace process asks for these rights?
> 
> The kernel must assume malice on the part of userspace.

Thanks, Peter.

I don't believe there are any additional security risks for the kernel
itself being introduced here. The kernel is only responsible for
copying to and from userspace registers for the hypercall, and
executing the TDCALL. A similar approach already exists for AMD SEV
(see vc_handle_vmmcall), which does not restrict VMMCALL in the way
that TDX restricts VMCALL.

In the case of a malicious binary running in a TDX VM, if it wants to
communicate with the untrusted hypervisor or other software outside
of the TD, there are several existing mechanisms it could use, not
just a VMCALL. I guess the point here is that if the userspace
program is malicious, is anything gained by restricting VMCALL?

This patchset really only handles the case where a trusted guest
wants to limit access to VMCALL to binaries that self identify as
hardened against potential host attacks.

     prev parent reply	other threads:[~2024-07-05 18:55 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-07-03 23:35 [PATCH 0/2] Support userspace hypercalls for TDX Tim Merrifield
2024-07-03 23:36 ` [PATCH 1/2] x86/tdx: Add prctl to allow userlevel TDX hypercalls Tim Merrifield
2024-07-08 12:19   ` Kirill A . Shutemov
2024-07-23  5:04     ` Tim Merrifield
2024-07-23  9:10       ` Kirill A . Shutemov
2024-07-03 23:36 ` [PATCH 2/2] x86/vmware: VMware support for TDX userspace hypercalls Tim Merrifield
2024-07-08 12:23   ` Kirill A . Shutemov
2024-07-04  0:18 ` [PATCH 0/2] Support userspace hypercalls for TDX Dave Hansen
2024-07-05 16:04   ` Tim Merrifield
2024-07-04 13:05 ` Peter Zijlstra
2024-07-05 18:55   ` Tim Merrifield [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240705185529.GA16769@prme-hs2-i1009 \
    --to=tim.merrifield@broadcom.com \
    --cc=ajay.kaher@broadcom.com \
    --cc=alex.james@broadcom.com \
    --cc=alexey.makhalov@broadcom.com \
    --cc=ardb@kernel.org \
    --cc=bcm-kernel-feedback-list@broadcom.com \
    --cc=bp@alien8.de \
    --cc=brgerst@gmail.com \
    --cc=dave.hansen@linux.intel.com \
    --cc=doug.covelli@broadcom.com \
    --cc=hpa@zytor.com \
    --cc=jeffrey.sheldon@broadcom.com \
    --cc=kai.huang@intel.com \
    --cc=kees@kernel.org \
    --cc=kevinloughlin@google.com \
    --cc=kirill.shutemov@linux.intel.com \
    --cc=linux-coco@lists.linux.dev \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@redhat.com \
    --cc=peterz@infradead.org \
    --cc=rick.p.edgecombe@intel.com \
    --cc=rppt@kernel.org \
    --cc=tglx@linutronix.de \
    --cc=tzimmermann@suse.de \
    --cc=virtualization@lists.linux.dev \
    --cc=x86@kernel.org \
    --cc=xin3.li@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox