Re: [RFC PATCH] x86/sev: Disallow userspace access to BIOS region for SEV-SNP guests

public inbox for linux-coco@lists.linux.dev
 help / color / mirror / Atom feed

From: Nikolay Borisov <nik.borisov@suse.com>
To: Dan Williams <dan.j.williams@intel.com>, Kees Cook <kees@kernel.org>
Cc: Dave Hansen <dave.hansen@intel.com>,
	Tom Lendacky <thomas.lendacky@amd.com>,
	Naveen N Rao <naveen@kernel.org>,
	linux-kernel@vger.kernel.org, x86@kernel.org,
	linux-coco@lists.linux.dev,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Borislav Petkov <bp@alien8.de>,
	Vishal Annapurve <vannapurve@google.com>,
	Kirill Shutemov <kirill.shutemov@linux.intel.com>,
	Kevin Loughlin <kevinloughlin@google.com>,
	Michal Hocko <mhocko@suse.com>
Subject: Re: [RFC PATCH] x86/sev: Disallow userspace access to BIOS region for SEV-SNP guests
Date: Thu, 10 Apr 2025 22:27:21 +0300	[thread overview]
Message-ID: <e11e9b17-a9e0-4f3d-964f-c8b656403f65@suse.com> (raw)
In-Reply-To: <67f819faa4e0b_71fe294e1@dwillia2-xfh.jf.intel.com.notmuch>



On 10.04.25 г. 22:20 ч., Dan Williams wrote:
> Nikolay Borisov wrote:
> [..]
>>>> Can't we simply treat return value of 2 for range_is_allowed the same way as
>>>> if 0 was returned in mmap_mem and simply fail the call with -EPERM?
>>>
>>> The historical concern was that EPERM would break old tools. I don't
>>> have any current evidence either way, though.
>>
>> Right, but we are only about to return 2 in a TVM context, so chances of
>> running old tools are slim to none. Also it's perfectly valid to have
>> mmap fail for a number of reasons, so old tools should be equipped with
>> handling it returning -EPERM, no ?
> 
> In practice that is yet another return code since the caller does not
> know why the "2" is being returned and it is not clear how safe it is to
> now start denying mmap in the !TVM case. So, perhaps something like this:
> 

What I meant by "returning 2" is returning 2 from the call to 
range_is_allowed in mmap_mem and handling this value inside mmap_mem, 
not returning 2 to user space :) In essence something along the lines of:



diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index 169eed162a7f..8273066b6637 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -359,7 +359,8 @@ static int mmap_mem(struct file *file, struct 
vm_area_struct *vma)
         if (!private_mapping_ok(vma))
                 return -ENOSYS;

-       if (!range_is_allowed(vma->vm_pgoff, size))
+       int ret = range_is_allowed(vma->vm_pgoff, size);
+       if (!ret || ret == 2)
                 return -EPERM;

         if (!phys_mem_access_prot_allowed(file, vma->vm_pgoff, size,


> enum devmem_policy {
> 	DEVMEM_DENY,
> 	DEVMEM_ALLOW,
> 	DEVMEM_ZERO_RW, /* XXX: fix mmap_mem to install zeroes? */
> 	DEVMEM_ZERO_RW_DENY_MMAP,
> };
> 
> The hope is that legacy tools are either fine with open() failures due
> to the prevalance of lockdown, fine with read/write of zeroes to BIOS
> data due to the prevalance of CONFIG_STRICT_DEVMEM, or otherwise would
> not notice / break when mmap() starts failing for BIOS data in the TVM
> case. The !TVM case continues with the current gap for mmap.
> 
> Or, rip the bandaid and do this to see who screams:
> 
> enum devmem_policy {
> 	DEVMEM_DENY,
> 	DEVMEM_ALLOW,
> 	DEVMEM_ZERO_RW_DENY_MMAP,
> };
>

next prev parent reply	other threads:[~2025-04-10 19:27 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-04-03 12:02 [RFC PATCH] x86/sev: Disallow userspace access to BIOS region for SEV-SNP guests Naveen N Rao (AMD)
2025-04-03 19:06 ` Dan Williams
2025-04-07 13:13   ` Naveen N Rao
2025-04-08 13:43     ` Tom Lendacky
2025-04-08 21:19       ` Dave Hansen
2025-04-08 23:55         ` Dan Williams
2025-04-09 16:02           ` Nikolay Borisov
2025-04-09 17:06             ` Dan Williams
2025-04-09 17:39           ` Kees Cook
2025-04-09 18:39             ` Dan Williams
2025-04-10 12:03               ` Nikolay Borisov
2025-04-10 16:32                 ` Kees Cook
2025-04-10 16:39                   ` Nikolay Borisov
2025-04-10 19:20                     ` Dan Williams
2025-04-10 19:27                       ` Nikolay Borisov [this message]
2025-04-10 20:07                         ` Dan Williams

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:169eed162a7 dfblob:8273066b663 )
 OR (
bs:"Re: [RFC PATCH] x86/sev: Disallow userspace access to BIOS region for SEV-SNP guests" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e11e9b17-a9e0-4f3d-964f-c8b656403f65@suse.com \
    --to=nik.borisov@suse.com \
    --cc=bp@alien8.de \
    --cc=dan.j.williams@intel.com \
    --cc=dave.hansen@intel.com \
    --cc=dave.hansen@linux.intel.com \
    --cc=kees@kernel.org \
    --cc=kevinloughlin@google.com \
    --cc=kirill.shutemov@linux.intel.com \
    --cc=linux-coco@lists.linux.dev \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mhocko@suse.com \
    --cc=naveen@kernel.org \
    --cc=thomas.lendacky@amd.com \
    --cc=vannapurve@google.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox