* [PATCH v1 1/1] s390/uv: Panic if the security of the system cannot be guaranteed.
@ 2024-08-01 11:25 Claudio Imbrenda
2024-08-01 13:20 ` Janosch Frank
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Claudio Imbrenda @ 2024-08-01 11:25 UTC (permalink / raw)
To: linux-kernel
Cc: kvm, linux-s390, hca, agordeev, gor, borntraeger, svens, frankja,
seiden, nsg, nrb
The return value uv_set_shared() and uv_remove_shared() (which are
wrappers around the share() function) is not always checked. The system
integrity of a protected guest depends on the Share and Unshare UVCs
being successful. This means that any caller that fails to check the
return value will compromise the security of the protected guest.
No code path that would lead to such violation of the security
guarantees is currently exercised, since all the areas that are shared
never get unshared during the lifetime of the system. This might
change and become an issue in the future.
The Share and Unshare UVCs can only fail in case of hypervisor
misbehaviour (either a bug or malicious behaviour). In such cases there
is no reasonable way forward, and the system needs to panic.
This patch replaces the return at the end of the share() function with
a panic, to guarantee system integrity.
Fixes: 5abb9351dfd9 ("s390/uv: introduce guest side ultravisor code")
Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
---
arch/s390/include/asm/uv.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/arch/s390/include/asm/uv.h b/arch/s390/include/asm/uv.h
index 0b5f8f3e84f1..153d93468b77 100644
--- a/arch/s390/include/asm/uv.h
+++ b/arch/s390/include/asm/uv.h
@@ -441,7 +441,10 @@ static inline int share(unsigned long addr, u16 cmd)
if (!uv_call(0, (u64)&uvcb))
return 0;
- return -EINVAL;
+ pr_err("%s UVC failed (rc: 0x%x, rrc: 0x%x), possible hypervisor bug.\n",
+ uvcb.header.cmd == UVC_CMD_SET_SHARED_ACCESS ? "Share" : "Unshare",
+ uvcb.header.rc, uvcb.header.rrc);
+ panic("System security cannot be guaranteed unless the system panics now.\n");
}
/*
--
2.45.2
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH v1 1/1] s390/uv: Panic if the security of the system cannot be guaranteed.
2024-08-01 11:25 [PATCH v1 1/1] s390/uv: Panic if the security of the system cannot be guaranteed Claudio Imbrenda
@ 2024-08-01 13:20 ` Janosch Frank
2024-08-05 10:46 ` Claudio Imbrenda
2024-08-02 12:40 ` Steffen Eiden
2024-08-02 13:11 ` Christian Borntraeger
2 siblings, 1 reply; 5+ messages in thread
From: Janosch Frank @ 2024-08-01 13:20 UTC (permalink / raw)
To: Claudio Imbrenda, linux-kernel
Cc: kvm, linux-s390, hca, agordeev, gor, borntraeger, svens, seiden,
nsg, nrb
On 8/1/24 1:25 PM, Claudio Imbrenda wrote:
> The return value uv_set_shared() and uv_remove_shared() (which are
> wrappers around the share() function) is not always checked. The system
> integrity of a protected guest depends on the Share and Unshare UVCs
> being successful. This means that any caller that fails to check the
> return value will compromise the security of the protected guest.
>
> No code path that would lead to such violation of the security
> guarantees is currently exercised, since all the areas that are shared
> never get unshared during the lifetime of the system. This might
> change and become an issue in the future.
For people wondering what the effects might be, this is the important
paragraph to read. Fortunately we're currently not unsharing anything.
Claudio already stated that there's no way out of this but I want to
reiterate on this. The hypervisor has to mess up quite badly to force a
rc > 0 for the guest. Likewise the guest has to mess up memory
management to achieve a rc > 0.
The only time where the cause of the rc can be fixed is when the
hypervisor is malicious and tracks its changes. In all other cases we
won't know why we ended up with a rc and it makes sense to stop the VM
before something worse happens.
@Claudio:
The patch subject is a bit non-specific.
How about:
"s390/uv: Panic for set and remove shared access UVC errors"
With that fixed:
Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v1 1/1] s390/uv: Panic if the security of the system cannot be guaranteed.
2024-08-01 13:20 ` Janosch Frank
@ 2024-08-05 10:46 ` Claudio Imbrenda
0 siblings, 0 replies; 5+ messages in thread
From: Claudio Imbrenda @ 2024-08-05 10:46 UTC (permalink / raw)
To: Janosch Frank
Cc: linux-kernel, kvm, linux-s390, hca, agordeev, gor, borntraeger,
svens, seiden, nsg, nrb
On Thu, 1 Aug 2024 15:20:30 +0200
Janosch Frank <frankja@linux.ibm.com> wrote:
> On 8/1/24 1:25 PM, Claudio Imbrenda wrote:
> > The return value uv_set_shared() and uv_remove_shared() (which are
> > wrappers around the share() function) is not always checked. The system
> > integrity of a protected guest depends on the Share and Unshare UVCs
> > being successful. This means that any caller that fails to check the
> > return value will compromise the security of the protected guest.
> >
> > No code path that would lead to such violation of the security
> > guarantees is currently exercised, since all the areas that are shared
> > never get unshared during the lifetime of the system. This might
> > change and become an issue in the future.
>
> For people wondering what the effects might be, this is the important
> paragraph to read. Fortunately we're currently not unsharing anything.
>
> Claudio already stated that there's no way out of this but I want to
> reiterate on this. The hypervisor has to mess up quite badly to force a
> rc > 0 for the guest. Likewise the guest has to mess up memory
> management to achieve a rc > 0.
>
> The only time where the cause of the rc can be fixed is when the
> hypervisor is malicious and tracks its changes. In all other cases we
> won't know why we ended up with a rc and it makes sense to stop the VM
> before something worse happens.
>
>
> @Claudio:
> The patch subject is a bit non-specific.
> How about:
> "s390/uv: Panic for set and remove shared access UVC errors"
feel free to fix the subject when picking (unless you really want me to
send a v2)
>
> With that fixed:
> Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v1 1/1] s390/uv: Panic if the security of the system cannot be guaranteed.
2024-08-01 11:25 [PATCH v1 1/1] s390/uv: Panic if the security of the system cannot be guaranteed Claudio Imbrenda
2024-08-01 13:20 ` Janosch Frank
@ 2024-08-02 12:40 ` Steffen Eiden
2024-08-02 13:11 ` Christian Borntraeger
2 siblings, 0 replies; 5+ messages in thread
From: Steffen Eiden @ 2024-08-02 12:40 UTC (permalink / raw)
To: Claudio Imbrenda, linux-kernel
Cc: kvm, linux-s390, hca, agordeev, gor, borntraeger, svens, frankja,
nsg, nrb
On 8/1/24 1:25 PM, Claudio Imbrenda wrote:
> The return value uv_set_shared() and uv_remove_shared() (which are
> wrappers around the share() function) is not always checked. The system
> integrity of a protected guest depends on the Share and Unshare UVCs
> being successful. This means that any caller that fails to check the
> return value will compromise the security of the protected guest.
>
> No code path that would lead to such violation of the security
> guarantees is currently exercised, since all the areas that are shared
> never get unshared during the lifetime of the system. This might
> change and become an issue in the future.
>
> The Share and Unshare UVCs can only fail in case of hypervisor
> misbehaviour (either a bug or malicious behaviour). In such cases there
> is no reasonable way forward, and the system needs to panic.
>
> This patch replaces the return at the end of the share() function with
> a panic, to guarantee system integrity.
>
> Fixes: 5abb9351dfd9 ("s390/uv: introduce guest side ultravisor code")
> Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Reviewed-by: Steffen Eiden <seiden@linux.ibm.com>
> ---
> arch/s390/include/asm/uv.h | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/arch/s390/include/asm/uv.h b/arch/s390/include/asm/uv.h
> index 0b5f8f3e84f1..153d93468b77 100644
> --- a/arch/s390/include/asm/uv.h
> +++ b/arch/s390/include/asm/uv.h
> @@ -441,7 +441,10 @@ static inline int share(unsigned long addr, u16 cmd)
>
> if (!uv_call(0, (u64)&uvcb))
> return 0;
> - return -EINVAL;
> + pr_err("%s UVC failed (rc: 0x%x, rrc: 0x%x), possible hypervisor bug.\n",
> + uvcb.header.cmd == UVC_CMD_SET_SHARED_ACCESS ? "Share" : "Unshare",
> + uvcb.header.rc, uvcb.header.rrc);
> + panic("System security cannot be guaranteed unless the system panics now.\n");
> }
>
> /*
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH v1 1/1] s390/uv: Panic if the security of the system cannot be guaranteed.
2024-08-01 11:25 [PATCH v1 1/1] s390/uv: Panic if the security of the system cannot be guaranteed Claudio Imbrenda
2024-08-01 13:20 ` Janosch Frank
2024-08-02 12:40 ` Steffen Eiden
@ 2024-08-02 13:11 ` Christian Borntraeger
2 siblings, 0 replies; 5+ messages in thread
From: Christian Borntraeger @ 2024-08-02 13:11 UTC (permalink / raw)
To: Claudio Imbrenda, linux-kernel
Cc: kvm, linux-s390, hca, agordeev, gor, svens, frankja, seiden, nsg,
nrb
Am 01.08.24 um 13:25 schrieb Claudio Imbrenda:
> The return value uv_set_shared() and uv_remove_shared() (which are
> wrappers around the share() function) is not always checked. The system
> integrity of a protected guest depends on the Share and Unshare UVCs
> being successful. This means that any caller that fails to check the
> return value will compromise the security of the protected guest.
>
> No code path that would lead to such violation of the security
> guarantees is currently exercised, since all the areas that are shared
> never get unshared during the lifetime of the system. This might
> change and become an issue in the future.
>
> The Share and Unshare UVCs can only fail in case of hypervisor
> misbehaviour (either a bug or malicious behaviour). In such cases there
> is no reasonable way forward, and the system needs to panic.
>
> This patch replaces the return at the end of the share() function with
> a panic, to guarantee system integrity.
>
> Fixes: 5abb9351dfd9 ("s390/uv: introduce guest side ultravisor code")
> Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
> ---
> arch/s390/include/asm/uv.h | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/arch/s390/include/asm/uv.h b/arch/s390/include/asm/uv.h
> index 0b5f8f3e84f1..153d93468b77 100644
> --- a/arch/s390/include/asm/uv.h
> +++ b/arch/s390/include/asm/uv.h
> @@ -441,7 +441,10 @@ static inline int share(unsigned long addr, u16 cmd)
>
> if (!uv_call(0, (u64)&uvcb))
> return 0;
> - return -EINVAL;
> + pr_err("%s UVC failed (rc: 0x%x, rrc: 0x%x), possible hypervisor bug.\n",
> + uvcb.header.cmd == UVC_CMD_SET_SHARED_ACCESS ? "Share" : "Unshare",
> + uvcb.header.rc, uvcb.header.rrc);
> + panic("System security cannot be guaranteed unless the system panics now.\n");
> }
>
> /*
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2024-08-05 10:46 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-08-01 11:25 [PATCH v1 1/1] s390/uv: Panic if the security of the system cannot be guaranteed Claudio Imbrenda
2024-08-01 13:20 ` Janosch Frank
2024-08-05 10:46 ` Claudio Imbrenda
2024-08-02 12:40 ` Steffen Eiden
2024-08-02 13:11 ` Christian Borntraeger
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox