Date: Sat, 18 Apr 2026 08:11:33 -0400
From: "Michael S. Tsirkin"
To: Michael Bommarito
Cc: Olivia Mackall, Herbert Xu, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, Jason Wang, virtualization@lists.linux.dev
Subject: Re: [PATCH] hwrng: virtio: reject invalid used.len from the device
Message-ID: <20260418080446-mutt-send-email-mst@kernel.org>
References: <20260418000020.1847122-1-michael.bommarito@gmail.com> <20260417201129-mutt-send-email-mst@kernel.org> <20260417202330-mutt-send-email-mst@kernel.org>

On Fri, Apr 17, 2026 at 08:47:09PM -0400, Michael Bommarito wrote:
> On Fri, Apr 17, 2026 at 8:31 PM Michael S. Tsirkin wrote:
> > Actionable meaning what?
>
> Well, between the BLAKE2 pass and the fact that 99% of guests already
> shouldn't trust what's above, I agree that actionable doesn't mean
> much to most people, not even for breaking KASLR.
>
> But after doing some research, I realized that SEV-SNP/TDX guests that
> expect lockdown=confidentiality might actually expect otherwise under
> that security model. Still not a lot to work with, but more than just
> correctness in those cases, and those might be the environments that
> care the most.

Sorry, this went over my head. We are talking about a device where guest
trusts host to feed it randomness; enabling it is already a questionable
enterprise for SEV-SNP/TDX. So what does it matter whether guest gets by
data from host directly or by tricking it into feeding its own data to
it? It's all supposed to be securely mixed with the cpu rng, right?

I am not arguing we should not fix it, I am trying to figure out the
actual security impact.

> > Maybe clamp at sizeof(vi->data) then? 0 might break buggy devices that
> > were working earlier.
>
> Or just clamp where it's used, for clarity.
>
> > And maybe we need the array_index dance, given
> > you are worried about malicious.
>
> Happy to send a v2 with those changes but I can only test on a 1-2 TDX
> variants at home and don't have access to an EPYC bare metal box, so
> not very confident about your buggy device point

I am not sure why this matters.

-- 
MST
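The two options weighed in the thread, rejecting an impossible used.len versus clamping it at sizeof(vi->data), and the "array_index dance" for an index derived from device-controlled data, as an added example that is not the patch under discussion or the virtio-rng driver's own code. The struct fields (`data`, `used_len`), the 16-byte buffer size and the function names are hypothetical stand-ins, and `index_mask_nospec()` is a user-space reimplementation of the arithmetic in the kernel's generic `array_index_mask_nospec()`, not the kernel helper itself.

```c
/*
 * Added example (not the patch or the virtio-rng driver): validate a length
 * the device reported in used.len before it is used to size or index the
 * guest's receive buffer. All names are hypothetical stand-ins.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define RNG_BUF_SIZE 16U            /* stands in for sizeof(vi->data) */

struct rng_ctx {
    uint8_t data[RNG_BUF_SIZE];     /* buffer handed to the device */
    size_t used_len;                /* length the device wrote back (untrusted) */
};

/*
 * User-space stand-in for the kernel's generic array_index_mask_nospec():
 * all-ones when index < size, zero otherwise, computed without a
 * data-dependent branch so a speculated out-of-range index collapses to 0.
 */
static size_t index_mask_nospec(size_t index, size_t size)
{
    return (size_t)(~(ptrdiff_t)(index | (size - 1 - index))
                    >> (sizeof(ptrdiff_t) * 8 - 1));
}

/* Option 1: reject the buffer outright when used.len cannot be right. */
static long rng_copy_reject(const struct rng_ctx *vi, uint8_t *out, size_t want)
{
    size_t len = vi->used_len;
    if (len > sizeof(vi->data))
        return -1;                  /* device misreported the length; drop it */
    if (len > want)
        len = want;
    memcpy(out, vi->data, len);
    return (long)len;
}

/* Option 2: clamp at sizeof(vi->data) so a buggy but benign device keeps working. */
static size_t rng_copy_clamped(const struct rng_ctx *vi, uint8_t *out, size_t want)
{
    size_t len = vi->used_len;
    if (len > sizeof(vi->data))
        len = sizeof(vi->data);
    if (len > want)
        len = want;
    memcpy(out, vi->data, len);
    return len;
}

/*
 * Partial reads index into data at an offset bounded by the device-reported
 * length, so the offset is masked before it is used as an array index.
 * Returns the byte at pos, or -1 when pos lies outside the valid data.
 */
static int rng_byte_at(const struct rng_ctx *vi, size_t pos)
{
    size_t avail = vi->used_len > sizeof(vi->data) ? sizeof(vi->data)
                                                   : vi->used_len;
    if (pos >= avail)
        return -1;
    pos &= index_mask_nospec(pos, sizeof(vi->data));
    return vi->data[pos];
}

/* Builds a constructed context (data filled with 0xAB) and runs one path. */
static long try_used_len(size_t used_len, size_t want, int reject)
{
    struct rng_ctx vi;
    uint8_t out[RNG_BUF_SIZE];
    memset(vi.data, 0xAB, sizeof(vi.data));
    vi.used_len = used_len;
    return reject ? rng_copy_reject(&vi, out, want)
                  : (long)rng_copy_clamped(&vi, out, want);
}

/* Same constructed context, exercising the masked-index read path. */
static int try_byte_at(size_t used_len, size_t pos)
{
    struct rng_ctx vi;
    memset(vi.data, 0xAB, sizeof(vi.data));
    vi.used_len = used_len;
    return rng_byte_at(&vi, pos);
}

int main(void)
{
    /* constructed: the device claims 1000 bytes for a 16-byte buffer */
    printf("reject: %ld, clamped: %ld, byte[3]: %d, byte[40]: %d\n",
           try_used_len(1000, RNG_BUF_SIZE, 1),
           try_used_len(1000, RNG_BUF_SIZE, 0),
           try_byte_at(1000, 3), try_byte_at(1000, 40));
    return 0;
}
```

The clamp keeps a device that over-reports by mistake usable, while the reject path surfaces the misbehaviour; either way the copy length never exceeds the buffer, and the masked index means an index that only speculatively escapes the bounds check cannot be used to read past the array.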