From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6D6D238F65C for ; Fri, 17 Jul 2026 08:59:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784278783; cv=none; b=edxRYoDBmM/9sTxyvw6gd2WPJmx/CB7FXVCz8d09y8UF8rO0DjPgPOULADDkgcnyn9sV9GlOuNOqXPbN9CtdI3l/V0wQ0Q+rw336TnvsCdnxwPt3v8mqL4UBC4R6D6Mq03FzpTgbXrSEcLjqlzyvGlkZJdGhV3WyD+7GTVlearo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784278783; c=relaxed/simple; bh=jwvQtyZYjoqO+V+d2Y/ZZu9UhfvlBMCF8Zdzofz59KM=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=MfUO7X9qR0NJTetH0EAu96vxQbbXcE8A6dORbq8guy0pverybkBBDAJaI37Z+4EDRcwLh4+BZ5dccwOyceUOaKDqHWz9E8M9JCx1ALTjrwvYitf+Tvp7ZYZ89coHdPAjIaSzTuOban6MBmjWnMSFXdXG2Npi7hmKzMBiwyjXMaQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=c3xH3gz6; dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com header.b=Q3Jt3FpS; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="c3xH3gz6"; dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com header.b="Q3Jt3FpS" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1784278780; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Ws+LHWZPq7yqDvagxdcCS+KQIuEQm0ppuCBvjQYIJlY=; b=c3xH3gz6tPCm3GmcrQwfx0nCkZ+dWuFJj0FB2FzWLTbLgEOzjiSjVGMo3mmcaETIHS8wf8 7CN3Sc8jg1C8TXKLvyvapIKdyADgqeS2EB8zxOG/MaYwd8i3g3R/LY0YpC9zPLOytj9yVT 2tTKOD6GZkL7lNxBd/PQxIwdCiXzFUE= Received: from mail-wm1-f70.google.com (mail-wm1-f70.google.com [209.85.128.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-281-RabqJkoSO7iblG0Xpw31yg-1; Fri, 17 Jul 2026 04:59:38 -0400 X-MC-Unique: RabqJkoSO7iblG0Xpw31yg-1 X-Mimecast-MFC-AGG-ID: RabqJkoSO7iblG0Xpw31yg_1784278777 Received: by mail-wm1-f70.google.com with SMTP id 5b1f17b1804b1-49545755b03so10531475e9.0 for ; Fri, 17 Jul 2026 01:59:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=google; t=1784278777; x=1784883577; darn=vger.kernel.org; h=in-reply-to:content-transfer-encoding:content-disposition :content-type:mime-version:references:message-id:subject:cc:to:from :date:from:to:cc:subject:date:message-id:reply-to:content-type; bh=Ws+LHWZPq7yqDvagxdcCS+KQIuEQm0ppuCBvjQYIJlY=; b=Q3Jt3FpSJLv30LOizNhofuVSIVoLDEs7SAhKvYvb2PB9Tdnj/9MUxnnl6gAtHmxd1+ UIAQnTXIAkoU6s8F4mXiBhxmcd97XByip1UVYj2tMqarTDuCVRo68/JUWWbOY2meYDVX inB+3/abJPIEDOxG+YT48DoivvWITtI/8GaEhewY9TiHkTGZrm6CQCK8KpTD16422p4g 3Yz74tQ77FMb2kuGTimPJfW9mAv0jZFV8Dt+jkM+VD76wKIjzXeD7J5WIxVrhRTgZduy O2RclCzyRC/vH2dD0iWqNCi10NHdgg2m60bOs7P2xFSGcG+0tBUJOtaHj7vQNQyIvobI LBeQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1784278777; x=1784883577; h=in-reply-to:content-transfer-encoding:content-disposition :content-type:mime-version:references:message-id:subject:cc:to:from :date:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to:content-type; bh=Ws+LHWZPq7yqDvagxdcCS+KQIuEQm0ppuCBvjQYIJlY=; b=q0eE/oA5GWGzmHA59Noiwv5vrlvQYHEndgf/AorGXJuW+LNcV8KkheJYnaC8QC4lRd zZx9ojglguWbCC5y9ysEAKX/ra9SsJy2tVNX2GHWyfzsE9LbXfPSbvvd7KNPqz0mBIDK 6fq6suAQweFHRNfYJWpJi8hGEZeujYKcYAGBYnrNNW2z5k8tfyfg5fVoAKoWmwjZxwxk 7ue6QzVmOhXCOLtPgtZppiTWywLvrMz3uRRYACqW78z2WiUYpXFwQosDNZ/4tELR3roG LUymztBrSUGrld3j/XqPZjiYBWrG9bVW0kBBzkDBDeoJUJeCDOJrvOSong4hWGoLzXbp 6Wxg== X-Forwarded-Encrypted: i=1; AHgh+RqwidpgujLG5GUug3SQWfJApa9hfEutf0SoK+jJNpKwdVjCGgZEbjlAxgb5U80j1INxe1nVsPF1P1Kooj8=@vger.kernel.org X-Gm-Message-State: AOJu0YzIBR2RTAY7wWaUEy2n/EJCL6E1gRA0CLb1oyl/muugQX4aXwxH oiwRe/C1Gr3ACnJq8bSKm0tcf+cDFNoHQ+zKeHLImUnoG+HZSPH/CmuGzcSiMtrAAbCRMSv2ra2 hDjV4zoMF47EcJteNaht2bmveoj99xJGo/jYBq5iE4ifJGuGJMqSWHmGsxuPF2BbVaQ== X-Gm-Gg: AfdE7cmUYllCYRFkX82Ij3DYewrkWlTwYv5g2Mp+c5rx0cn9J8E63fu9WtfC1wPkfZr GybdeevuKlQvY6+l8FHXbKirtox2qgpJFpwM+HDUbVkSOSwYSnFYP4jkPiGEy7JOCDBZkChqgPN lI8SMPIz5zAJRiY+89cjDomRuSM0OzXhxSmRl/nSRDVKyVz1fO92GdLXqG7Pd1HcsepR9nxh8t9 xtd5kDRSjlNMw00HLIwizbLNrcLcizWj1cZtkNJyTewpXx2YoMuxEL1uFOk+b7vC1kLF2gBpljX FGEbFDEdjmuHc8WS7o6DqnNAOnTU7bnlNb2PGhS60VGssmF1fe8PGUaMjwnN6ppTEK8GE9uDIcn D0kKjXUUyl02PW9rREXpI5pbc X-Received: by 2002:a05:600c:1f8c:b0:493:cefc:d113 with SMTP id 5b1f17b1804b1-4954a3e6e29mr17609235e9.5.1784278776648; Fri, 17 Jul 2026 01:59:36 -0700 (PDT) X-Received: by 2002:a05:600c:1f8c:b0:493:cefc:d113 with SMTP id 5b1f17b1804b1-4954a3e6e29mr17608835e9.5.1784278775975; Fri, 17 Jul 2026 01:59:35 -0700 (PDT) Received: from redhat.com (IGLD-80-230-24-117.inter.net.il. [80.230.24.117]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4954966a033sm28237155e9.0.2026.07.17.01.59.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 17 Jul 2026 01:59:35 -0700 (PDT) Date: Fri, 17 Jul 2026 04:59:32 -0400 From: "Michael S. Tsirkin" To: "David Hildenbrand (Arm)" Cc: Greg Kroah-Hartman , Hari Mishal , Jason Wang , Xuan Zhuo , Eugenio =?iso-8859-1?Q?P=E9rez?= , virtualization@lists.linux.dev, linux-kernel@vger.kernel.org, elena.reshetova@intel.com, carlos.bilbao.osdev@gmail.com Subject: Re: [PATCH v2 1/4] virtio-mem: validate device-reported block size Message-ID: <20260717044019-mutt-send-email-mst@kernel.org> References: <20260715142337.22811-2-harimishal1@gmail.com> <20260715164139.40957-1-harimishal1@gmail.com> <2026071635-relive-flogging-2a81@gregkh> <4dda47ba-534a-4297-a25e-0d63d9167033@kernel.org> <20260717014134-mutt-send-email-mst@kernel.org> <3b32a38f-0964-45b9-9529-933abedbf69b@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <3b32a38f-0964-45b9-9529-933abedbf69b@kernel.org> On Fri, Jul 17, 2026 at 10:39:40AM +0200, David Hildenbrand (Arm) wrote: > On 7/17/26 07:48, Michael S. Tsirkin wrote: > > On Thu, Jul 16, 2026 at 05:59:05PM +0200, David Hildenbrand (Arm) wrote: > >>> Or do we just always trust virtio mem devices explicitly? > >> > >> It's hard for me to understand where we draw the line, really. > >> > >> But maybe MST can clarify what we care about in virtio world where the > >> hypervisor is fully in charge of the device, > > > > Generally: > > - The guest is expected to whitelist drivers (most drivers have not > > been audited). > > But even if you audited your driver, who makes sure that we consider all ways > where the device could mess with us? A lot of this is up to a correct setup. For example, make sure all filesystems are encrypted and refuse to mount unencrypted ones. > Something feels off here. > > Handling selected out-of-spec scenarios like this feels like a band-aid. Happy > to be corrected. Well Documentation/security/snp-tdx-threat-model.rst puts it like this: It is important to note that this doesn’t imply that the host or VMM are intentionally malicious, but that there exists a security value in having a small CoCo VM TCB. and While traditionally the host has unlimited access to guest data and can leverage this access to attack the guest, the CoCo systems mitigate such attacks by adding security features like guest data confidentiality and integrity protection. now, when we are talking about "mitigation" it is indeed becoming a bit murky. For me, a rule of thumb I came up with is that if the validation happens to also be helful for users e.g. to work around buggy devices, or maybe because we feel failing gracefully is nice because this will allow to later make use of this config and old drivers will fail but at least not panic, then it is good to include. > -- > Cheers, > > David