From: Dan Williams <dan.j.williams@intel.com>
To: Nikolay Borisov <nik.borisov@suse.com>,
Dan Williams <dan.j.williams@intel.com>,
Kees Cook <kees@kernel.org>
Cc: Dave Hansen <dave.hansen@intel.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
Naveen N Rao <naveen@kernel.org>, <linux-kernel@vger.kernel.org>,
<x86@kernel.org>, <linux-coco@lists.linux.dev>,
Dave Hansen <dave.hansen@linux.intel.com>,
Borislav Petkov <bp@alien8.de>,
Vishal Annapurve <vannapurve@google.com>,
Kirill Shutemov <kirill.shutemov@linux.intel.com>,
Kevin Loughlin <kevinloughlin@google.com>,
Michal Hocko <mhocko@suse.com>
Subject: Re: [RFC PATCH] x86/sev: Disallow userspace access to BIOS region for SEV-SNP guests
Date: Thu, 10 Apr 2025 13:07:11 -0700 [thread overview]
Message-ID: <67f824ef211cf_71fe294e@dwillia2-xfh.jf.intel.com.notmuch> (raw)
In-Reply-To: <e11e9b17-a9e0-4f3d-964f-c8b656403f65@suse.com>
Nikolay Borisov wrote:
>
>
> On 10.04.25 г. 22:20 ч., Dan Williams wrote:
> > Nikolay Borisov wrote:
> > [..]
> >>>> Can't we simply treat return value of 2 for range_is_allowed the same way as
> >>>> if 0 was returned in mmap_mem and simply fail the call with -EPERM?
> >>>
> >>> The historical concern was that EPERM would break old tools. I don't
> >>> have any current evidence either way, though.
> >>
> >> Right, but we are only about to return 2 in a TVM context, so chances of
> >> running old tools are slim to none. Also it's perfectly valid to have
> >> mmap fail for a number of reasons, so old tools should be equipped with
> >> handling it returning -EPERM, no ?
> >
> > In practice that is yet another return code since the caller does not
> > know why the "2" is being returned and it is not clear how safe it is to
> > now start denying mmap in the !TVM case. So, perhaps something like this:
> >
>
> What I meant by "returning 2" is returning 2 from the call to
> range_is_allowed in mmap_mem and handling this value inside mmap_mem,
> not returning 2 to user space :)
Oh, no, I was not confused about that, just the conflict that "2" means
that mmap is ok currently.
> In essence something along the lines of:
>
>
>
> diff --git a/drivers/char/mem.c b/drivers/char/mem.c
> index 169eed162a7f..8273066b6637 100644
> --- a/drivers/char/mem.c
> +++ b/drivers/char/mem.c
> @@ -359,7 +359,8 @@ static int mmap_mem(struct file *file, struct
> vm_area_struct *vma)
> if (!private_mapping_ok(vma))
> return -ENOSYS;
>
> - if (!range_is_allowed(vma->vm_pgoff, size))
> + int ret = range_is_allowed(vma->vm_pgoff, size);
> + if (!ret || ret == 2)
> return -EPERM;
Right, the issue is that this potentially breaks userspace that had
glommed onto the idea that it can always mmap BIOS data even if the R/W
path returns zeros.
It is arguably a bug that we allow that bypass, but it has been shipping
for a while. I think it is reasonable for TVMs to try to shut this down
completely, but the question is whether doing this instead:
if (!ret || ret == 3)
...allows the TVM case to not disturb legacy expectations?
However, my vote is to special case 2 as EPERM as you have it here.
Because, if that works, it solves both the TVM need and silently closes
this weird hole hopefully before userspace actually starts depending on
it. We can always switch to 3 or do the work to map zeros if that proves
to be a regression.
prev parent reply other threads:[~2025-04-10 20:07 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-03 12:02 [RFC PATCH] x86/sev: Disallow userspace access to BIOS region for SEV-SNP guests Naveen N Rao (AMD)
2025-04-03 19:06 ` Dan Williams
2025-04-07 13:13 ` Naveen N Rao
2025-04-08 13:43 ` Tom Lendacky
2025-04-08 21:19 ` Dave Hansen
2025-04-08 23:55 ` Dan Williams
2025-04-09 16:02 ` Nikolay Borisov
2025-04-09 17:06 ` Dan Williams
2025-04-09 17:39 ` Kees Cook
2025-04-09 18:39 ` Dan Williams
2025-04-10 12:03 ` Nikolay Borisov
2025-04-10 16:32 ` Kees Cook
2025-04-10 16:39 ` Nikolay Borisov
2025-04-10 19:20 ` Dan Williams
2025-04-10 19:27 ` Nikolay Borisov
2025-04-10 20:07 ` Dan Williams [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=67f824ef211cf_71fe294e@dwillia2-xfh.jf.intel.com.notmuch \
--to=dan.j.williams@intel.com \
--cc=bp@alien8.de \
--cc=dave.hansen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=kees@kernel.org \
--cc=kevinloughlin@google.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=mhocko@suse.com \
--cc=naveen@kernel.org \
--cc=nik.borisov@suse.com \
--cc=thomas.lendacky@amd.com \
--cc=vannapurve@google.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox