Andy Lutomirski
2021-Feb-18 17:49 UTC
[PATCH 2/3] x86/sev-es: Check if regs->sp is trusted before adjusting #VC IST stack
On Thu, Feb 18, 2021 at 3:25 AM Joerg Roedel <joro at 8bytes.org> wrote:> > Hi Andy, > > On Wed, Feb 17, 2021 at 10:09:46AM -0800, Andy Lutomirski wrote: > > Can you get rid of the linked list hack while you're at it? This code > > is unnecessarily convoluted right now, and it seems to be just asking > > for weird bugs. Just stash the old value in a local variable, please. > > Yeah, the linked list is not really necessary right now, because of the > way nested NMI handling works and given that these functions are only > used in the NMI handler right now. > The whole #VC handling code was written with future requirements in > mind, like what is needed when debugging registers get virtualized and > #HV gets enabled. > Until its clear whether __sev_es_ist_enter/exit() is needed in any of > these paths, I'd like to keep the linked list for now. It is more > complicated but allows nesting.I don't understand what this means. The whole entry mechanism on x86 is structured so that we call a C function *and return from that C function without longjmp-like magic* with the sole exception of unwind_stack_do_exit(). This means that you can match up enters and exits, and that unwind_stack_do_exit() needs to unwind correctly. In the former case, it's normal C and we can use normal local variables. In the latter case, we know exactly what state we're trying to restore and we can restore it directly without any linked lists or similar. What do you have in mind that requires a linked list?> > > Meanwhile, I'm pretty sure I can break this whole scheme if the > > hypervisor is messing with us. As a trivial example, the sequence > > SYSCALL gap -> #VC -> NMI -> #VC will go quite poorly. > > I don't see how this would break, can you elaborate? > > What I think happens is: > > SYSCALL gap (RSP is from userspace and untrusted) > > -> #VC - Handler on #VC IST stack detects that it interrupted > the SYSCALL gap and switches to the task stack. >Can you point me to exactly what code you're referring to? I spent a while digging through the code and macro tangle and I can't find this.> > -> NMI - Now running on NMI IST stack. Depending on whether the > stack switch in the #VC handler already happened, the #VC IST > entry is adjusted so that a subsequent #VC will not overwrite > the interrupted handlers stack frame. > > -> #VC - Handler runs on the adjusted #VC IST stack and switches > itself back to the NMI IST stack. This is safe wrt. nested > NMIs as long as nested NMIs itself are safe. > > As a rule of thumb, think of the #VC handler as trying to be a non-IST > handler by switching itself to the interrupted stack or the task stack. > If it detects that this is not possible (which can't happen right now, > but with SNP), it will kill the guest.I will try to think of this, but it's hard, since I can't find the code :) I found this comment: * With the current implementation it is always possible to switch to a safe * stack because #VC exceptions only happen at known places, like intercepted * instructions or accesses to MMIO areas/IO ports. They can also happen with * code instrumentation when the hypervisor intercepts #DB, but the critical * paths are forbidden to be instrumented, so #DB exceptions currently also * only happen in safe places. Unless AMD is more magic than I realize, the MOV SS bug^Wfeature means that #DB is *not* always called in safe places. But I *thnk* the code you're talking about is this: /* * If the entry is from userspace, switch stacks and treat it as * a normal entry. */ testb $3, CS-ORIG_RAX(%rsp) jnz .Lfrom_usermode_switch_stack_\@ which does not run on #VC from kernel code.> It needs to be IST, even without SNP, because #DB is IST too. When the > hypervisor intercepts #DB then any #DB exception will be turned into > #VC, so #VC needs to be handled anywhere a #DB can happen.Eww.> > And with SNP we need to be able to at least detect a malicious HV so we > can reliably kill the guest. Otherwise the HV could potentially take > control over the guest's execution flow and make it reveal its secrets.True. But is the rest of the machinery to be secure against EFLAGS.IF violations and such in place yet?> > Regards, > > Joerg
Joerg Roedel
2021-Feb-18 19:21 UTC
[PATCH 2/3] x86/sev-es: Check if regs->sp is trusted before adjusting #VC IST stack
On Thu, Feb 18, 2021 at 09:49:06AM -0800, Andy Lutomirski wrote:> I don't understand what this means. The whole entry mechanism on x86 > is structured so that we call a C function *and return from that C > function without longjmp-like magic* with the sole exception of > unwind_stack_do_exit(). This means that you can match up enters and > exits, and that unwind_stack_do_exit() needs to unwind correctly. In > the former case, it's normal C and we can use normal local variables. > In the latter case, we know exactly what state we're trying to restore > and we can restore it directly without any linked lists or similar.Okay, the unwinder will likely get confused by this logic.> What do you have in mind that requires a linked list?Cases when there are multiple IST vectors besides NMI that can hit while the #VC handler is still on its own IST stack. #MCE comes to mind, but that is broken anyway. At some point #VC itself will be one of them, but when that happens the code will kill the machine. This leaves #HV in the list, and I am not sure how that is going to be handled yet. I think the goal is that the #HV handler is not allowed to cause any #VC exception. In that case the linked-list logic will not be needed.> > I don't see how this would break, can you elaborate? > > > > What I think happens is: > > > > SYSCALL gap (RSP is from userspace and untrusted) > > > > -> #VC - Handler on #VC IST stack detects that it interrupted > > the SYSCALL gap and switches to the task stack. > > > > Can you point me to exactly what code you're referring to? I spent a > while digging through the code and macro tangle and I can't find this.See the entry code in arch/x86/entry/entry_64.S, macro idtentry_vc. It creates the assembly code for the handler. At some point it calls vc_switch_off_ist(), which is a C function in arch/x86/kernel/traps.c. This function tries to find a new stack for the #VC handler. The first thing it does is checking whether the exception came from the SYSCALL gap and just uses the task stack in that case. Then it will check for other kernel stacks which are safe to switch to. If that fails it uses the fall-back stack (VC2), which will direct the handler to a separate function which, for now, just calls panic(). Not safe are the entry or unknown stacks. The function then copies pt_regs and returns the new stack pointer to assembly code, which then writes it to %RSP.> Unless AMD is more magic than I realize, the MOV SS bug^Wfeature means > that #DB is *not* always called in safe places.You are right, forgot about this. The MOV SS bug can very well trigger a #VC(#DB) exception from the syscall gap.> > And with SNP we need to be able to at least detect a malicious HV so we > > can reliably kill the guest. Otherwise the HV could potentially take > > control over the guest's execution flow and make it reveal its secrets. > > True. But is the rest of the machinery to be secure against EFLAGS.IF > violations and such in place yet?Not sure what you mean by EFLAGS.IF violations, probably enabling IRQs while in the #VC handler? The #VC handler _must_ _not_ enable IRQs anywhere in its call-path. If that ever happens it is a bug. Regards, Joerg