Re: [PATCH 0/2] Support userspace hypercalls for TDX

virtualization.lists.linux-foundation.org archive mirror
 help / color / mirror / Atom feed

From: Peter Zijlstra <peterz@infradead.org>
To: Tim Merrifield <tim.merrifield@broadcom.com>
Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
	x86@kernel.org, "H . Peter Anvin" <hpa@zytor.com>,
	Xin Li <xin3.li@intel.com>, Ard Biesheuvel <ardb@kernel.org>,
	Kai Huang <kai.huang@intel.com>,
	Kevin Loughlin <kevinloughlin@google.com>,
	Thomas Zimmermann <tzimmermann@suse.de>,
	Rick Edgecombe <rick.p.edgecombe@intel.com>,
	Kees Cook <kees@kernel.org>, Mike Rapoport <rppt@kernel.org>,
	Brian Gerst <brgerst@gmail.com>,
	linux-coco@lists.linux.dev, linux-kernel@vger.kernel.org,
	Ajay Kaher <ajay.kaher@broadcom.com>,
	Alexey Makhalov <alexey.amakhalov@broadcom.com>,
	Broadcom internal kernel review list
	<bcm-kernel-feedback-list@broadcom.com>,
	virtualization@lists.linux.dev, alex.james@broadcom.com,
	doug.covelli@broadcom.com, jeffrey.sheldon@broadcom.com
Subject: Re: [PATCH 0/2] Support userspace hypercalls for TDX
Date: Thu, 4 Jul 2024 15:05:05 +0200	[thread overview]
Message-ID: <20240704130505.GT11386@noisy.programming.kicks-ass.net> (raw)
In-Reply-To: <cover.1720046911.git.tim.merrifield@broadcom.com>

On Wed, Jul 03, 2024 at 11:35:59PM +0000, Tim Merrifield wrote:
> VMCALL and VMMCALL instructions are used by x86 guests to request services
> from the host VMM. Both VMCALL and VMMCALL are not restricted to CPL 0.
> This allows userspace software like open-vm-tools to communicate directly
> with the VMM.
> 
> In the context of confidential VMs, direct communication with the host may
> violate the security model. Existing binaries that make use of hypercalls
> and are not hardened against malicious hypervisors can become a possible
> attack surface. For this reason, user-level VMCALLs are not currently
> forwarded to the host on TDX VMs. This breaks any user-level software that
> use these instructions.
> 
> But if user-level software is aware of the risks and has been hardened to
> address any known violations of the security model, then it seems
> reasonable to allow hypercalls from this process to proceed.

And how are we to ascertain the software using these hooks is deemed
secure? What security risks are there for the kernel if a malicious
userspace process asks for these rights?

The kernel must assume malice on the part of userspace.

next prev parent reply	other threads:[~2024-07-04 13:05 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-07-03 23:35 [PATCH 0/2] Support userspace hypercalls for TDX Tim Merrifield
2024-07-03 23:36 ` [PATCH 1/2] x86/tdx: Add prctl to allow userlevel TDX hypercalls Tim Merrifield
2024-07-08 12:19   ` Kirill A . Shutemov
2024-07-23  5:04     ` Tim Merrifield
2024-07-23  9:10       ` Kirill A . Shutemov
2024-07-03 23:36 ` [PATCH 2/2] x86/vmware: VMware support for TDX userspace hypercalls Tim Merrifield
2024-07-08 12:23   ` Kirill A . Shutemov
2024-07-04  0:18 ` [PATCH 0/2] Support userspace hypercalls for TDX Dave Hansen
2024-07-05 16:04   ` Tim Merrifield
2024-07-04 13:05 ` Peter Zijlstra [this message]
2024-07-05 18:55   ` Tim Merrifield

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240704130505.GT11386@noisy.programming.kicks-ass.net \
    --to=peterz@infradead.org \
    --cc=ajay.kaher@broadcom.com \
    --cc=alex.james@broadcom.com \
    --cc=alexey.amakhalov@broadcom.com \
    --cc=ardb@kernel.org \
    --cc=bcm-kernel-feedback-list@broadcom.com \
    --cc=bp@alien8.de \
    --cc=brgerst@gmail.com \
    --cc=dave.hansen@linux.intel.com \
    --cc=doug.covelli@broadcom.com \
    --cc=hpa@zytor.com \
    --cc=jeffrey.sheldon@broadcom.com \
    --cc=kai.huang@intel.com \
    --cc=kees@kernel.org \
    --cc=kevinloughlin@google.com \
    --cc=kirill.shutemov@linux.intel.com \
    --cc=linux-coco@lists.linux.dev \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@redhat.com \
    --cc=rick.p.edgecombe@intel.com \
    --cc=rppt@kernel.org \
    --cc=tglx@linutronix.de \
    --cc=tim.merrifield@broadcom.com \
    --cc=tzimmermann@suse.de \
    --cc=virtualization@lists.linux.dev \
    --cc=x86@kernel.org \
    --cc=xin3.li@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).