Re: Linux guest kernel threat model for Confidential Computing

From: Dr. David Alan Gilbert
Date: Thu Feb 09 2023 - 14:48:59 EST

Next message: Linus Torvalds: "Re: copy on write for splice() from file to pipe?"
Previous message: Matthias Kaehlcke: "Re: [PATCH] arm64: dts: qcom: sc7280: Adjust zombie PWM frequency"
In reply to: Thomas Gleixner: "Re: Linux guest kernel threat model for Confidential Computing"
Next in thread: Michael S. Tsirkin: "Re: Linux guest kernel threat model for Confidential Computing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Thomas Gleixner (tglx@xxxxxxxxxxxxx) wrote:
> On Wed, Feb 08 2023 at 18:02, David Alan Gilbert wrote:
> > * Greg Kroah-Hartman (gregkh@xxxxxxxxxxxxxxxxxxx) wrote:
> >> Anyway, you all are just spinning in circles now. I'll just mute this
> >> thread until I see an actual code change as it seems to be full of
> >> people not actually sending anything we can actually do anything with.
>
> There have been random patchs posted which finally caused this
> discussion to start. Wrong order obviously :)
>
> > I think the challenge will be to come up with non-intrusive, minimal
> > changes; obviously you don't want stuff shutgunned everywhere.
>
> That has been tried by doing random surgery, e.g. caching some
> particular PCI config value. While that might not look intrusive on the
> first glance, these kind of punctual changes are the begin of a whack a
> mole game and will end up in an uncoordinated maze of tiny mitigations
> which make the code harder to maintain.
>
> The real challenge is to come up with threat classes and mechanisms
> which squash the whole class. Done right, e.g. caching a range of config
> space values (or all of it) might give a benefit even for the bare metal
> or general virtualization case.

Yeh, reasonable.

> That's quite some work, but its much more palatable than a trickle of
> "fixes" when yet another source of trouble has been detected by a tool
> or human inspection.
>
> It's also more future proof because with the current approach of
> scratching the itch of the day the probability that the just "mitigated"
> issue comes back due to unrelated changes is very close to 100%.
>
> It's not any different than any other threat class problem.

I wonder if trying to group/categorise the output of Intel's
tool would allow common problematic patterns to be found to then
try and come up with more concrete fixes for whole classes of issues.

Dave

> Thanks,
>
> tglx
>
>
--
Dr. David Alan Gilbert / dgilbert@xxxxxxxxxx / Manchester, UK

Next message: Linus Torvalds: "Re: copy on write for splice() from file to pipe?"
Previous message: Matthias Kaehlcke: "Re: [PATCH] arm64: dts: qcom: sc7280: Adjust zombie PWM frequency"
In reply to: Thomas Gleixner: "Re: Linux guest kernel threat model for Confidential Computing"
Next in thread: Michael S. Tsirkin: "Re: Linux guest kernel threat model for Confidential Computing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]