mirror of
https://github.com/cloud-hypervisor/cloud-hypervisor.git
synced 2024-12-22 13:45:20 +00:00
tdx: Set the SEPT_VE_DISABLE attribute
This is required for booting Linux: From: https://lore.kernel.org/all/20221028141220.29217-3-kirill.shutemov@linux.intel.com/ """ Virtualization Exceptions (#VE) are delivered to TDX guests due to specific guest actions such as using specific instructions or accessing a specific MSR. Notable reason for #VE is access to specific guest physical addresses. It requires special security considerations as it is not fully in control of the guest kernel. VMM can remove a page from EPT page table and trigger #VE on access. The primary use-case for #VE on a memory access is MMIO: VMM removes page from EPT to trigger exception in the guest which allows guest to emulate MMIO with hypercalls. MMIO only happens on shared memory. All conventional kernel memory is private. This includes everything from kernel stacks to kernel text. Handling exceptions on arbitrary accesses to kernel memory is essentially impossible as handling #VE may require access to memory that also triggers the exception. TDX module provides mechanism to disable #VE delivery on access to private memory. If SEPT_VE_DISABLE TD attribute is set, private EPT violation will not be reflected to the guest as #VE, but will trigger exit to VMM. Make sure the attribute is set by VMM. Panic otherwise. There's small window during the boot before the check where kernel has early #VE handler. But the handler is only for port I/O and panic as soon as it sees any other #VE reason. SEPT_VE_DISABLE makes SEPT violation unrecoverable and terminating the TD is the only option. Kernel has no legitimate use-cases for #VE on private memory. It is either a guest kernel bug (like access of unaccepted memory) or malicious/buggy VMM that removes guest page that is still in use. In both cases terminating TD is the right thing to do. """ With this change Cloud Hypervisor can boot the current Linux guest kernel. Reported-By: Jiaqi Gao <jiaqi.gao@intel.com Signed-off-by: Rob Bradford <robert.bradford@intel.com>
This commit is contained in:
parent
c6eb69caba
commit
69e8f60b91
@ -746,6 +746,8 @@ impl vm::Vm for KvmVm {
|
||||
///
|
||||
#[cfg(feature = "tdx")]
|
||||
fn tdx_init(&self, cpuid: &[CpuIdEntry], max_vcpus: u32) -> vm::Result<()> {
|
||||
const TDX_ATTR_SEPT_VE_DISABLE: usize = 28;
|
||||
|
||||
let mut cpuid: Vec<kvm_bindings::kvm_cpuid_entry2> =
|
||||
cpuid.iter().map(|e| (*e).into()).collect();
|
||||
cpuid.resize(256, kvm_bindings::kvm_cpuid_entry2::default());
|
||||
@ -763,7 +765,7 @@ impl vm::Vm for KvmVm {
|
||||
cpuid_entries: [kvm_bindings::kvm_cpuid_entry2; 256],
|
||||
}
|
||||
let data = TdxInitVm {
|
||||
attributes: 0,
|
||||
attributes: 1 << TDX_ATTR_SEPT_VE_DISABLE,
|
||||
max_vcpus,
|
||||
padding: 0,
|
||||
mrconfigid: [0; 6],
|
||||
|
Loading…
Reference in New Issue
Block a user