From: Juergen Gross <jgross@suse.com>
To: Nikolay Borisov <nik.borisov@suse.com>, dave.hansen@linux.intel.com
Cc: kirill.shutemov@linux.intel.com, linux-coco@lists.linux.dev,
x86@kernel.org, linux-kernel@vger.kernel.org,
vannapurve@google.com
Subject: Re: [RFC PATCH] /dev/mem: Disable /dev/mem under TDX guest
Date: Tue, 18 Mar 2025 12:53:16 +0100 [thread overview]
Message-ID: <24826c2b-f1d2-408a-b8d1-63e1882b0fd0@suse.com> (raw)
In-Reply-To: <20250318113604.297726-1-nik.borisov@suse.com>
[-- Attachment #1.1.1: Type: text/plain, Size: 1935 bytes --]
On 18.03.25 12:36, Nikolay Borisov wrote:
> If a piece of memory is read from /dev/mem that falls outside of the
> System Ram region i.e bios data region the kernel creates a shared
> mapping via xlate_dev_mem_ptr() (this behavior was introduced by
> 9aa6ea69852c ("x86/tdx: Make pages shared in ioremap()"). This results
> in a region having both a shared and a private mapping.
>
> Subsequent accesses to this region via the private mapping induce a
> SEPT violation and a crash of the VMM. In this particular case the
> scenario was a userspace process reading something from the bios data
> area at address 0x497 which creates a shared mapping, and a followup
> reboot accessing __va(0x472) which access pfn 0 via the private mapping
> causing mayhem.
>
> Fix this by simply forbidding access to /dev/mem when running as an TDX
> guest.
>
> Signed-off-by: Nikolay Borisov <nik.borisov@suse.com>
> ---
>
> Sending this now to hopefully spur up discussion as to how to handle the described
> scenario. This was hit on the GCP cloud and was causing their hypervisor to crash.
>
> I guess the most pressing question is what will be the most sensible approach to
> eliminate such situations happening in the future:
>
> 1. Should we forbid getting a descriptor to /dev/mem (this patch)
> 2. Skip creating /dev/mem altogether3
> 3. Possibly tinker with internals of ioremap to ensure that no memory which is
> backed by kvm memslots is remapped as shared.
> 4. Eliminate the access to 0x472 from the x86 reboot path, after all we don't
> really have a proper bios at that address.
> 5. Something else ?
I think a crash of the VMM must be avoided, otherwise we have a security
issue due to one TDX guest being able to DoS the complete host.
I'd rather crash the guest for which the SEPT violation was detected (is
this possible? If not, don't allow it to run any longer maybe?)
Juergen
[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3743 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]
next prev parent reply other threads:[~2025-03-18 11:53 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-18 11:36 [RFC PATCH] /dev/mem: Disable /dev/mem under TDX guest Nikolay Borisov
2025-03-18 11:53 ` Juergen Gross [this message]
2025-03-18 11:56 ` Nikolay Borisov
2025-03-18 12:23 ` Kirill A. Shutemov
2025-03-18 12:53 ` Nikolay Borisov
2025-03-18 13:27 ` Kirill A. Shutemov
2025-03-18 14:21 ` Nikolay Borisov
2025-03-20 9:38 ` Kirill A. Shutemov
2025-03-18 14:48 ` Dave Hansen
2025-03-18 17:56 ` Nikolay Borisov
2025-03-18 19:06 ` Dan Williams
2025-03-24 9:59 ` Nikolay Borisov
2025-03-25 18:16 ` Dan Williams
2025-03-28 10:51 ` Nikolay Borisov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=24826c2b-f1d2-408a-b8d1-63e1882b0fd0@suse.com \
--to=jgross@suse.com \
--cc=dave.hansen@linux.intel.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=nik.borisov@suse.com \
--cc=vannapurve@google.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox