The Linux Kernel Mailing List
 help / color / mirror / Atom feed
From: "Michael S. Tsirkin" <mst@redhat.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "David Hildenbrand (Arm)" <david@kernel.org>,
	"Hari Mishal" <harimishal1@gmail.com>,
	"Jason Wang" <jasowangio@gmail.com>,
	"Xuan Zhuo" <xuanzhuo@linux.alibaba.com>,
	"Eugenio Pérez" <eperezma@redhat.com>,
	virtualization@lists.linux.dev, linux-kernel@vger.kernel.org,
	elena.reshetova@intel.com, carlos.bilbao.osdev@gmail.com
Subject: Re: [PATCH v2 1/4] virtio-mem: validate device-reported block size
Date: Fri, 17 Jul 2026 06:10:41 -0400	[thread overview]
Message-ID: <20260717060822-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <2026071746-deviation-clad-1712@gregkh>

On Fri, Jul 17, 2026 at 11:14:23AM +0200, Greg Kroah-Hartman wrote:
> On Fri, Jul 17, 2026 at 04:59:32AM -0400, Michael S. Tsirkin wrote:
> > On Fri, Jul 17, 2026 at 10:39:40AM +0200, David Hildenbrand (Arm) wrote:
> > > On 7/17/26 07:48, Michael S. Tsirkin wrote:
> > > > On Thu, Jul 16, 2026 at 05:59:05PM +0200, David Hildenbrand (Arm) wrote:
> > > >>> Or do we just always trust virtio mem devices explicitly?
> > > >>
> > > >> It's hard for me to understand where we draw the line, really.
> > > >>
> > > >> But maybe MST can clarify what we care about in virtio world where the
> > > >> hypervisor is fully in charge of the device,
> > > > 
> > > > Generally:
> > > > - The guest is expected to whitelist drivers (most drivers have not
> > > >   been audited).
> > > 
> > > But even if you audited your driver, who makes sure that we consider all ways
> > > where the device could mess with us?
> > 
> > A lot of this is up to a correct setup. For example, make sure all
> > filesystems are encrypted and refuse to mount unencrypted ones.
> > 
> > > Something feels off here.
> > > 
> > > Handling selected out-of-spec scenarios like this feels like a band-aid. Happy
> > > to be corrected.
> > 
> > Well Documentation/security/snp-tdx-threat-model.rst puts it like this:
> > 	It is important to note
> > 	that this doesn’t imply that the host or VMM are intentionally
> > 	malicious, but that there exists a security value in having a small CoCo
> > 	VM TCB.
> > 
> > and
> > 
> > 	While traditionally the host has unlimited access to guest data and can
> > 	leverage this access to attack the guest, the CoCo systems mitigate such
> > 	attacks by adding security features like guest data confidentiality and
> > 	integrity protection.
> > 
> > 
> > now, when we are talking about "mitigation" it is indeed becoming a bit
> > murky.
> > 
> > 
> > For me, a rule of thumb I came up with is that if the validation happens
> > to also be helful for users e.g. to work around buggy devices,
> > or maybe because we feel failing gracefully is nice because this
> > will allow to later make use of this config and old drivers will
> > fail but at least not panic, then it is good to include.
> 
> Why not do what USB does?  Don't trust the device until AFTER probe()
> succeeds?  All of the needed checking should happen before then, as that
> is a "slow path" so lots of validation and the like can happen at that
> point.
> 
> After that, during the normal data paths, after the driver is bound,
> trust it all you want as attempting to validate every single packet is
> just going to be impossible.
> 
> thanks,
> 
> greg k-h

People do expect that data path validation at this point.

-- 
MST


  reply	other threads:[~2026-07-17 10:10 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-15 14:22 [PATCH 0/4] virtio: validate device-reported values across drivers Hari Mishal
2026-07-15 14:22 ` [PATCH 1/4] virtio-mem: validate device-reported block size Hari Mishal
2026-07-15 15:57   ` Michael S. Tsirkin
2026-07-15 16:41   ` [PATCH v2 " Hari Mishal
2026-07-16  8:55     ` David Hildenbrand (Arm)
2026-07-16 14:18       ` Greg Kroah-Hartman
2026-07-16 15:59         ` David Hildenbrand (Arm)
2026-07-17  5:03           ` Greg Kroah-Hartman
2026-07-17  5:48           ` Michael S. Tsirkin
2026-07-17  8:39             ` David Hildenbrand (Arm)
2026-07-17  8:59               ` Michael S. Tsirkin
2026-07-17  9:14                 ` Greg Kroah-Hartman
2026-07-17 10:10                   ` Michael S. Tsirkin [this message]
2026-07-17 10:15                     ` Greg Kroah-Hartman
2026-07-17 10:21                       ` David Hildenbrand (Arm)
2026-07-17 10:28                         ` Michael S. Tsirkin
2026-07-17 10:44                         ` Greg Kroah-Hartman
2026-07-17 11:00                           ` David Hildenbrand (Arm)
2026-07-17 10:23                       ` Michael S. Tsirkin
2026-07-17 10:46                         ` Greg Kroah-Hartman
2026-07-17 10:52                           ` Michael S. Tsirkin
2026-07-17 12:07                             ` Greg Kroah-Hartman
2026-07-17 13:08                               ` Michael S. Tsirkin
2026-07-15 14:22 ` [PATCH 2/4] virtio_input: validate device-reported multitouch slot count Hari Mishal
2026-07-15 15:50   ` Michael S. Tsirkin
2026-07-15 16:07     ` Hari Mishal
2026-07-15 16:11       ` Michael S. Tsirkin
2026-07-15 18:25         ` Dmitry Torokhov
     [not found]           ` <CAMmC+=DXS=xs0CZyf+N-71NT8D51xQYatBv=dfVQC1aBohDdmA@mail.gmail.com>
     [not found]             ` <alkTnRb9qhgcMGGi@google.com>
2026-07-16 17:33               ` Dmitry Torokhov
2026-07-15 16:41   ` [PATCH v2 " Hari Mishal
2026-07-15 14:22 ` [PATCH 3/4] virtio_console: avoid NULL portdev dereference in in_intr() Hari Mishal
2026-07-15 14:22 ` [PATCH 4/4] virtio_console: take a kref in find_port_by_vq() to fix port UAF Hari Mishal
2026-07-15 14:42   ` [PATCH v2 " Hari Mishal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260717060822-mutt-send-email-mst@kernel.org \
    --to=mst@redhat.com \
    --cc=carlos.bilbao.osdev@gmail.com \
    --cc=david@kernel.org \
    --cc=elena.reshetova@intel.com \
    --cc=eperezma@redhat.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=harimishal1@gmail.com \
    --cc=jasowangio@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=virtualization@lists.linux.dev \
    --cc=xuanzhuo@linux.alibaba.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox