From: Dan Williams <dan.j.williams@intel.com>
To: Nikolay Borisov <nik.borisov@suse.com>, Kees Cook <kees@kernel.org>
Cc: Dan Williams <dan.j.williams@intel.com>,
Dave Hansen <dave.hansen@intel.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
Naveen N Rao <naveen@kernel.org>, <linux-kernel@vger.kernel.org>,
<x86@kernel.org>, <linux-coco@lists.linux.dev>,
Dave Hansen <dave.hansen@linux.intel.com>,
Borislav Petkov <bp@alien8.de>,
Vishal Annapurve <vannapurve@google.com>,
Kirill Shutemov <kirill.shutemov@linux.intel.com>,
Kevin Loughlin <kevinloughlin@google.com>,
Michal Hocko <mhocko@suse.com>
Subject: Re: [RFC PATCH] x86/sev: Disallow userspace access to BIOS region for SEV-SNP guests
Date: Thu, 10 Apr 2025 12:20:26 -0700 [thread overview]
Message-ID: <67f819faa4e0b_71fe294e1@dwillia2-xfh.jf.intel.com.notmuch> (raw)
In-Reply-To: <e67bbcf2-02f4-4ce1-8ad0-b1f1381c65fb@suse.com>
Nikolay Borisov wrote:
[..]
> >> Can't we simply treat return value of 2 for range_is_allowed the same way as
> >> if 0 was returned in mmap_mem and simply fail the call with -EPERM?
> >
> > The historical concern was that EPERM would break old tools. I don't
> > have any current evidence either way, though.
>
> Right, but we are only about to return 2 in a TVM context, so chances of
> running old tools are slim to none. Also it's perfectly valid to have
> mmap fail for a number of reasons, so old tools should be equipped with
> handling it returning -EPERM, no ?
In practice that is yet another return code since the caller does not
know why the "2" is being returned and it is not clear how safe it is to
now start denying mmap in the !TVM case. So, perhaps something like this:
enum devmem_policy {
DEVMEM_DENY,
DEVMEM_ALLOW,
DEVMEM_ZERO_RW, /* XXX: fix mmap_mem to install zeroes? */
DEVMEM_ZERO_RW_DENY_MMAP,
};
The hope is that legacy tools are either fine with open() failures due
to the prevalance of lockdown, fine with read/write of zeroes to BIOS
data due to the prevalance of CONFIG_STRICT_DEVMEM, or otherwise would
not notice / break when mmap() starts failing for BIOS data in the TVM
case. The !TVM case continues with the current gap for mmap.
Or, rip the bandaid and do this to see who screams:
enum devmem_policy {
DEVMEM_DENY,
DEVMEM_ALLOW,
DEVMEM_ZERO_RW_DENY_MMAP,
};
next prev parent reply other threads:[~2025-04-10 19:20 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-03 12:02 [RFC PATCH] x86/sev: Disallow userspace access to BIOS region for SEV-SNP guests Naveen N Rao (AMD)
2025-04-03 19:06 ` Dan Williams
2025-04-07 13:13 ` Naveen N Rao
2025-04-08 13:43 ` Tom Lendacky
2025-04-08 21:19 ` Dave Hansen
2025-04-08 23:55 ` Dan Williams
2025-04-09 16:02 ` Nikolay Borisov
2025-04-09 17:06 ` Dan Williams
2025-04-09 17:39 ` Kees Cook
2025-04-09 18:39 ` Dan Williams
2025-04-10 12:03 ` Nikolay Borisov
2025-04-10 16:32 ` Kees Cook
2025-04-10 16:39 ` Nikolay Borisov
2025-04-10 19:20 ` Dan Williams [this message]
2025-04-10 19:27 ` Nikolay Borisov
2025-04-10 20:07 ` Dan Williams
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=67f819faa4e0b_71fe294e1@dwillia2-xfh.jf.intel.com.notmuch \
--to=dan.j.williams@intel.com \
--cc=bp@alien8.de \
--cc=dave.hansen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=kees@kernel.org \
--cc=kevinloughlin@google.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=mhocko@suse.com \
--cc=naveen@kernel.org \
--cc=nik.borisov@suse.com \
--cc=thomas.lendacky@amd.com \
--cc=vannapurve@google.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox