public inbox for linux-kernel@vger.kernel.org
From: "Michael S. Tsirkin" <mst@redhat.com>
To: Michael Bommarito <michael.bommarito@gmail.com>
Cc: Olivia Mackall <olivia@selenic.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
	Jason Wang <jasowang@redhat.com>,
	virtualization@lists.linux.dev
Subject: Re: [PATCH] hwrng: virtio: reject invalid used.len from the device
Date: Sat, 18 Apr 2026 08:11:33 -0400	[thread overview]
Message-ID: <20260418080446-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <CAJJ9bXweZ2k+F5A7rOWSodzTN6UYOP3rf2oBbrVirOuof0tqNg@mail.gmail.com>

On Fri, Apr 17, 2026 at 08:47:09PM -0400, Michael Bommarito wrote:
> On Fri, Apr 17, 2026 at 8:31 PM Michael S. Tsirkin <mst@redhat.com> wrote:
> > Actionable meaning what?
> 
> Well, between the BLAKE2 pass and the fact that 99% of guests already
> shouldn't trust what's above, I agree that actionable doesn't mean
> much to most people, not even for breaking KASLR.
> 
> But after doing some research, I realized that SEV-SNP/TDX guests that
> expect lockdown=confidentiality might actually expect otherwise under
> that security model.  Still not a lot to work with, but more than just
> correctness in those cases, and those might be the environments that
> care the most.

Sorry this went over my head. We are talking about a device where guest
trusts host to feed it randomness; enabling it is already a questionable
enterprise for SEV-SNP/TDX. So what does it matter whether guest gets
data from host directly or by tricking it into feeding its own data to
it?  It's all supposed to be securely mixed with the cpu rng, right?

I am not arguing we should not fix it, I am trying to figure out
the actual security impact.


> > Maybe clamp at sizeof(vi->data) then? 0 might break buggy devices that
> > were working earlier.
> > Or just clamp where it's used, for clarity.
> > And maybe we need the array_index dance, given
> > you are worried about malicious.
> 
> Happy to send a v2 with those changes but I can only test on 1-2 TDX
> variants at home and don't have access to an EPYC bare metal box, so
> not very confident about your buggy device point


I am not sure why this matters.

-- 
MST
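The two fixes floated above (clamp the device-reported used.len at sizeof(vi->data), or clamp where the value is consumed, plus the array_index_nospec dance) as an added example in C. This is not code from the virtio-rng driver or from the patch in this thread; it is a userspace model of a guest driver whose completion handler receives a length the device controls. The names rng_dev, DATA_SIZE, rng_complete_*, copy_data and index_nospec, the 64-byte buffer, and the constructed device output are all assumptions made for the example; index_nospec only mimics the kernel helper in spirit.

```c
/*
 * Added example, not the virtio-rng driver's code: a guest-side buffer whose
 * fill length comes from the device (used.len) and therefore must be treated
 * as untrusted. All names and sizes here are hypothetical.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DATA_SIZE 64u                    /* stands in for sizeof(vi->data) */
#define SIZE_BITS (sizeof(size_t) * CHAR_BIT)

struct rng_dev {
    uint8_t data[DATA_SIZE];             /* buffer handed to the device */
    size_t data_avail;                   /* bytes the device claims it wrote */
    size_t data_idx;                     /* read cursor into data[] */
};

/* Userspace stand-in for the kernel's array_index_nospec(): returns idx when
 * idx < size and 0 otherwise, without a data-dependent branch, so that a
 * mispredicted bounds check cannot speculatively index past the array.
 * Requires size < 2^(SIZE_BITS-1), which holds for any real buffer. */
static size_t index_nospec(size_t idx, size_t size)
{
    /* top bit of ~(idx | (size - idx - 1)) is set iff idx < size */
    size_t inrange = (~(idx | (size - idx - 1))) >> (SIZE_BITS - 1);
    return idx & ((size_t)0 - inrange);
}

/* Naive completion path: stores used.len exactly as the device reported it.
 * A device that reports 4096 on a 64-byte buffer leaves data_avail wildly
 * larger than the buffer; anything that trusts it will read past data[]. */
static void rng_complete_naive(struct rng_dev *d, size_t used_len)
{
    d->data_avail = used_len;
    d->data_idx = 0;
}

/* Clamped completion path: never record more than the buffer can hold.
 * Clamping (rather than rejecting with 0) keeps a device that merely
 * overstates the length, but did write data, working as before. */
static void rng_complete_clamped(struct rng_dev *d, size_t used_len)
{
    d->data_avail = used_len > DATA_SIZE ? DATA_SIZE : used_len;
    d->data_idx = 0;
}

/* Hand out up to `size` bytes; returns the number copied. The bound is
 * enforced here as well ("clamp where it's used"), so the copy stays inside
 * data[] regardless of what data_avail holds. */
static size_t copy_data(struct rng_dev *d, void *buf, size_t size)
{
    size_t idx, room, n;

    if (d->data_idx >= DATA_SIZE)        /* architectural bounds check ... */
        return 0;
    idx = index_nospec(d->data_idx, DATA_SIZE);   /* ... plus speculation guard */
    room = DATA_SIZE - idx;              /* bytes physically left in data[] */
    n = d->data_avail < room ? d->data_avail : room;
    if (n > size)
        n = size;
    memcpy(buf, d->data + idx, n);
    d->data_idx += n;
    d->data_avail -= n;
    return n;
}

/* Fill a device with constructed output and report what a reader gets after
 * the device claims `used_len` bytes; `clamped` selects the completion path. */
static size_t demo(int clamped, size_t used_len, size_t want)
{
    struct rng_dev d;
    uint8_t out[256];

    memset(&d, 0, sizeof d);
    memset(d.data, 0xAB, DATA_SIZE);     /* constructed "device output" */
    if (clamped)
        rng_complete_clamped(&d, used_len);
    else
        rng_complete_naive(&d, used_len);
    return copy_data(&d, out, want);
}

int main(void)
{
    printf("naive:   device claims 4096, reader gets %zu bytes\n", demo(0, 4096, 256));
    printf("clamped: device claims 4096, reader gets %zu bytes\n", demo(1, 4096, 256));
    return 0;
}
```

Either completion path yields at most DATA_SIZE bytes because copy_data clamps independently; the difference is what is left in data_avail afterwards, which is the value an unclamped driver would feed into later copies. The bounds check followed by index_nospec() is the same ordering the kernel uses with array_index_nospec(): the plain `if` is the architectural check, the masked index is what keeps a mispredicted branch from speculatively reading past the array.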



Thread overview: 11+ messages
2026-04-18  0:00 [PATCH] hwrng: virtio: reject invalid used.len from the device Michael Bommarito
2026-04-18  0:13 ` Michael S. Tsirkin
2026-04-18  0:18   ` Michael Bommarito
2026-04-18  0:31     ` Michael S. Tsirkin
2026-04-18  0:47       ` Michael Bommarito
2026-04-18 12:11         ` Michael S. Tsirkin [this message]
2026-04-18 15:06 ` [PATCH v2] hwrng: virtio: clamp device-reported used.len at copy_data() Michael Bommarito
2026-04-18 17:18   ` Michael S. Tsirkin
2026-04-18 17:25     ` Michael Bommarito
2026-04-18 17:38       ` Michael S. Tsirkin
2026-04-18 17:56         ` Michael Bommarito
