* GET_RNG_SEED hypercall ABI? (Re: [PATCH v5 0/5] random,x86,kvm: Rework arch RNG seeds and get some from kvm)
@ 2014-08-26 23:58 Andy Lutomirski
2014-08-27 7:00 ` Paolo Bonzini
2014-08-28 14:17 ` Gleb Natapov
0 siblings, 2 replies; 8+ messages in thread
From: Andy Lutomirski @ 2014-08-26 23:58 UTC (permalink / raw)
To: Paolo Bonzini
Cc: Theodore Ts'o, H. Peter Anvin, kvm list,
linux-kernel@vger.kernel.org, Kees Cook, X86 ML, Daniel Borkmann,
Srivatsa Vaddagiri, Raghavendra K T, Gleb Natapov, Bandan Das,
Andrew Honig, KY Srinivasan, Haiyang Zhang, Konrad Rzeszutek Wilk,
Alok Kataria, virtualization
hpa pointed out that the ABI that I chose (an MSR from the KVM range
and a KVM cpuid bit) is unnecessarily KVM-specific. It would be nice
to allocate an MSR that everyone involved can agree on and, rather
than relying on a cpuid bit, just have the guest probe for the MSR.
This leads to a few questions:
1. How do we allocate an MSR? (For background, this would be an MSR
that either returns 64 bits of best-effort cryptographically secure
random data or fails with #GP.)
2. For KVM, what's the right way to allow QEMU to turn the feature on
and off? Is this even necessary? KVM currently doesn't seem to allow
QEMU to turn any of its MSRs off; it just allows QEMU to ask it to
stop advertising support.
3. QEMU people, can you please fix your RDMSR emulation to send #GP on
failure? I can work around it for this MSR in the Linux code, but for
Pete's sake... :(
Thanks,
Andy
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: GET_RNG_SEED hypercall ABI? (Re: [PATCH v5 0/5] random,x86,kvm: Rework arch RNG seeds and get some from kvm)
2014-08-26 23:58 GET_RNG_SEED hypercall ABI? (Re: [PATCH v5 0/5] random,x86,kvm: Rework arch RNG seeds and get some from kvm) Andy Lutomirski
@ 2014-08-27 7:00 ` Paolo Bonzini
2014-08-27 7:07 ` H. Peter Anvin
2014-08-28 14:17 ` Gleb Natapov
1 sibling, 1 reply; 8+ messages in thread
From: Paolo Bonzini @ 2014-08-27 7:00 UTC (permalink / raw)
To: Andy Lutomirski
Cc: Raghavendra K T, Theodore Ts'o, Kees Cook, kvm list,
Konrad Rzeszutek Wilk, Gleb Natapov, Andrew Honig, Haiyang Zhang,
X86 ML, Bandan Das, linux-kernel@vger.kernel.org,
Srivatsa Vaddagiri, Daniel Borkmann, H. Peter Anvin, Alok Kataria,
virtualization
Il 27/08/2014 01:58, Andy Lutomirski ha scritto:
> hpa pointed out that the ABI that I chose (an MSR from the KVM range
> and a KVM cpuid bit) is unnecessarily KVM-specific. It would be nice
> to allocate an MSR that everyone involved can agree on and, rather
> than relying on a cpuid bit, just have the guest probe for the MSR.
>
> This leads to a few questions:
>
> 1. How do we allocate an MSR? (For background, this would be an MSR
> that either returns 64 bits of best-effort cryptographically secure
> random data or fails with #GP.)
Ask Intel? :)
> 2. For KVM, what's the right way to allow QEMU to turn the feature on
> and off? Is this even necessary? KVM currently doesn't seem to allow
> QEMU to turn any of its MSRs off; it just allows QEMU to ask it to
> stop advertising support.
Note that QEMU is not involved in the implementation of your feature,
only in advertising it. You could look at CPUID at runtime, but that
would mean teaching KVM to look for the KVMKVMKVM\0\0\0 signature in the
CPUID data supplied by userspace. I don't think this is particularly
useful.
> 3. QEMU people, can you please fix your RDMSR emulation to send #GP on
> failure? I can work around it for this MSR in the Linux code, but for
> Pete's sake... :(
Sure, I will look at it. Though I expect it was done because of MSRs
that are missing in QEMU (similar to how Linux doesn't #GP if compiled
with pvops).
Paolo
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: GET_RNG_SEED hypercall ABI? (Re: [PATCH v5 0/5] random,x86,kvm: Rework arch RNG seeds and get some from kvm)
2014-08-27 7:00 ` Paolo Bonzini
@ 2014-08-27 7:07 ` H. Peter Anvin
0 siblings, 0 replies; 8+ messages in thread
From: H. Peter Anvin @ 2014-08-27 7:07 UTC (permalink / raw)
To: Paolo Bonzini, Andy Lutomirski
Cc: Raghavendra K T, Theodore Ts'o, Kees Cook, kvm list,
Konrad Rzeszutek Wilk, Gleb Natapov, Andrew Honig, Haiyang Zhang,
X86 ML, Bandan Das, linux-kernel@vger.kernel.org,
Srivatsa Vaddagiri, Daniel Borkmann, Alok Kataria, virtualization
On 08/27/2014 12:00 AM, Paolo Bonzini wrote:
> Il 27/08/2014 01:58, Andy Lutomirski ha scritto:
>> hpa pointed out that the ABI that I chose (an MSR from the KVM range
>> and a KVM cpuid bit) is unnecessarily KVM-specific. It would be nice
>> to allocate an MSR that everyone involved can agree on and, rather
>> than relying on a cpuid bit, just have the guest probe for the MSR.
>>
>> This leads to a few questions:
>>
>> 1. How do we allocate an MSR? (For background, this would be an MSR
>> that either returns 64 bits of best-effort cryptographically secure
>> random data or fails with #GP.)
>
> Ask Intel? :)
I'm going to poke around internally. Intel might as a matter of policy
be reluctant to assign an MSR index specifically for software use, but
I'll try to find out.
-hpa
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: GET_RNG_SEED hypercall ABI? (Re: [PATCH v5 0/5] random,x86,kvm: Rework arch RNG seeds and get some from kvm)
2014-08-26 23:58 GET_RNG_SEED hypercall ABI? (Re: [PATCH v5 0/5] random,x86,kvm: Rework arch RNG seeds and get some from kvm) Andy Lutomirski
2014-08-27 7:00 ` Paolo Bonzini
@ 2014-08-28 14:17 ` Gleb Natapov
2014-08-28 16:22 ` Andy Lutomirski
1 sibling, 1 reply; 8+ messages in thread
From: Gleb Natapov @ 2014-08-28 14:17 UTC (permalink / raw)
To: Andy Lutomirski
Cc: Paolo Bonzini, Theodore Ts'o, H. Peter Anvin, kvm list,
linux-kernel@vger.kernel.org, Kees Cook, X86 ML, Daniel Borkmann,
Srivatsa Vaddagiri, Raghavendra K T, Bandan Das, Andrew Honig,
KY Srinivasan, Haiyang Zhang, Konrad Rzeszutek Wilk, Alok Kataria,
virtualization
On Tue, Aug 26, 2014 at 04:58:34PM -0700, Andy Lutomirski wrote:
> hpa pointed out that the ABI that I chose (an MSR from the KVM range
> and a KVM cpuid bit) is unnecessarily KVM-specific. It would be nice
> to allocate an MSR that everyone involved can agree on and, rather
> than relying on a cpuid bit, just have the guest probe for the MSR.
>
CPUID part allows feature to be disabled for machine compatibility purpose
during migration. Of course interface can explicitly state that one successful
use of the MSR does not mean that next use will not result in a #GP, but that
doesn't sound very elegant and is different from any other MSR out there.
--
Gleb.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: GET_RNG_SEED hypercall ABI? (Re: [PATCH v5 0/5] random,x86,kvm: Rework arch RNG seeds and get some from kvm)
2014-08-28 14:17 ` Gleb Natapov
@ 2014-08-28 16:22 ` Andy Lutomirski
2014-08-28 19:46 ` Paolo Bonzini
0 siblings, 1 reply; 8+ messages in thread
From: Andy Lutomirski @ 2014-08-28 16:22 UTC (permalink / raw)
To: Gleb Natapov
Cc: Paolo Bonzini, X86 ML, kvm list, Daniel Borkmann,
linux-kernel@vger.kernel.org, Linux Virtualization,
H. Peter Anvin, KY Srinivasan, Alok Kataria, Andrew Honig,
Raghavendra K T, Haiyang Zhang, Bandan Das, Theodore Ts'o,
Srivatsa Vaddagiri, Konrad Rzeszutek Wilk, Kees Cook
On Aug 28, 2014 7:17 AM, "Gleb Natapov" <gleb@kernel.org> wrote:
>
> On Tue, Aug 26, 2014 at 04:58:34PM -0700, Andy Lutomirski wrote:
> > hpa pointed out that the ABI that I chose (an MSR from the KVM range
> > and a KVM cpuid bit) is unnecessarily KVM-specific. It would be nice
> > to allocate an MSR that everyone involved can agree on and, rather
> > than relying on a cpuid bit, just have the guest probe for the MSR.
> >
> CPUID part allows feature to be disabled for machine compatibility purpose
> during migration. Of course interface can explicitly state that one successful
> use of the MSR does not mean that next use will not result in a #GP, but that
> doesn't sound very elegant and is different from any other MSR out there.
>
Is there a non-cpuid interface between QEMU and KVM for this?
AFAICT, even turning off cpuid bits for things like async pf doesn't
actually disable the MSRs (which is arguably an attack surface issue).
--Andy
> --
> Gleb.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: GET_RNG_SEED hypercall ABI? (Re: [PATCH v5 0/5] random,x86,kvm: Rework arch RNG seeds and get some from kvm)
2014-08-28 16:22 ` Andy Lutomirski
@ 2014-08-28 19:46 ` Paolo Bonzini
2014-08-29 0:13 ` Andy Lutomirski
0 siblings, 1 reply; 8+ messages in thread
From: Paolo Bonzini @ 2014-08-28 19:46 UTC (permalink / raw)
To: Andy Lutomirski, Gleb Natapov
Cc: Raghavendra K T, Theodore Ts'o, Kees Cook, kvm list,
Konrad Rzeszutek Wilk, Bandan Das, Andrew Honig, Haiyang Zhang,
X86 ML, linux-kernel@vger.kernel.org, Linux Virtualization,
Daniel Borkmann, Srivatsa Vaddagiri, H. Peter Anvin, Alok Kataria
Il 28/08/2014 18:22, Andy Lutomirski ha scritto:
> Is there a non-cpuid interface between QEMU and KVM for this?
No.
> AFAICT, even turning off cpuid bits for things like async pf doesn't
> actually disable the MSRs (which is arguably an attack surface issue).
No, it doesn't. You cannot disable instructions even if you hide CPUID
bits, so KVM just extends this to MSRs (both native and paravirtual). It
sometimes helps too, for example with a particular guest OS that does
not necessary check CPUID for bits that are always present on Apple
hardware...
Paolo
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: GET_RNG_SEED hypercall ABI? (Re: [PATCH v5 0/5] random,x86,kvm: Rework arch RNG seeds and get some from kvm)
2014-08-28 19:46 ` Paolo Bonzini
@ 2014-08-29 0:13 ` Andy Lutomirski
2014-08-29 6:36 ` Paolo Bonzini
0 siblings, 1 reply; 8+ messages in thread
From: Andy Lutomirski @ 2014-08-29 0:13 UTC (permalink / raw)
To: Paolo Bonzini
Cc: Gleb Natapov, Raghavendra K T, Theodore Ts'o, Kees Cook,
kvm list, Konrad Rzeszutek Wilk, Bandan Das, Andrew Honig,
Haiyang Zhang, X86 ML, linux-kernel@vger.kernel.org,
Linux Virtualization, Daniel Borkmann, Srivatsa Vaddagiri,
H. Peter Anvin, Alok Kataria
On Thu, Aug 28, 2014 at 12:46 PM, Paolo Bonzini <pbonzini@redhat.com> wrote:
> Il 28/08/2014 18:22, Andy Lutomirski ha scritto:
>> Is there a non-cpuid interface between QEMU and KVM for this?
>
> No.
Hmm. Then, assuming that someone manages to allocate a
cross-hypervisor MSR number for this, what am I supposed to do in the
KVM code? Just make it available unconditionally? I don't see why
that wouldn't work reliably, but it seems like an odd design.
>
>> AFAICT, even turning off cpuid bits for things like async pf doesn't
>> actually disable the MSRs (which is arguably an attack surface issue).
>
> No, it doesn't. You cannot disable instructions even if you hide CPUID
> bits, so KVM just extends this to MSRs (both native and paravirtual). It
> sometimes helps too, for example with a particular guest OS that does
> not necessary check CPUID for bits that are always present on Apple
> hardware...
But I bet that no one assumes that KVM paravirt MSRs are available
even if the feature bit isn't set.
Also, the one and only native feature flag I tested (rdtscp) actually
does work: RDTSCP seems to send #UD if QEMU is passed -cpu
host,-rdtscp.
--Andy
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: GET_RNG_SEED hypercall ABI? (Re: [PATCH v5 0/5] random,x86,kvm: Rework arch RNG seeds and get some from kvm)
2014-08-29 0:13 ` Andy Lutomirski
@ 2014-08-29 6:36 ` Paolo Bonzini
0 siblings, 0 replies; 8+ messages in thread
From: Paolo Bonzini @ 2014-08-29 6:36 UTC (permalink / raw)
To: Andy Lutomirski
Cc: Gleb Natapov, Raghavendra K T, Theodore Ts'o, Kees Cook,
kvm list, Konrad Rzeszutek Wilk, Bandan Das, Andrew Honig,
Haiyang Zhang, X86 ML, linux-kernel@vger.kernel.org,
Linux Virtualization, Daniel Borkmann, Srivatsa Vaddagiri,
H. Peter Anvin, Alok Kataria
Il 29/08/2014 02:13, Andy Lutomirski ha scritto:
> Hmm. Then, assuming that someone manages to allocate a
> cross-hypervisor MSR number for this, what am I supposed to do in the
> KVM code? Just make it available unconditionally? I don't see why
> that wouldn't work reliably, but it seems like an odd design.
The odd part of it is what Gleb mentioned.
> Also, the one and only native feature flag I tested (rdtscp) actually
> does work: RDTSCP seems to send #UD if QEMU is passed -cpu
> host,-rdtscp.
True, and I'm not sure why. There are a couple others. I was thinking
more of things like SSE, AVX or DE (that affects the availability of a
bit in CR4).
Paolo
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2014-08-29 6:37 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-08-26 23:58 GET_RNG_SEED hypercall ABI? (Re: [PATCH v5 0/5] random,x86,kvm: Rework arch RNG seeds and get some from kvm) Andy Lutomirski
2014-08-27 7:00 ` Paolo Bonzini
2014-08-27 7:07 ` H. Peter Anvin
2014-08-28 14:17 ` Gleb Natapov
2014-08-28 16:22 ` Andy Lutomirski
2014-08-28 19:46 ` Paolo Bonzini
2014-08-29 0:13 ` Andy Lutomirski
2014-08-29 6:36 ` Paolo Bonzini
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).