
Re: [RFC 0/4] Adding Virtual Memory Fuses to Xen



On Tue, Dec 13, 2022 at 08:55:28PM +0000, Julien Grall wrote:
> On 13/12/2022 19:48, Smith, Jackson wrote:
> > Hi Xen Developers,
> 
> Hi Jackson,
> 
> Thanks for sharing the prototype with the community. Some questions/remarks
> below.

[snip]

> > With this technique, we protect the integrity and confidentiality of
> > guest memory. However, a compromised hypervisor can still read/write
> > register state during traps, or refuse to schedule a guest, denying
> > service. We also recognize that because this technique precludes
> > modifying Xen's page tables after startup, it may not be compatible
> > with all of Xen's potential use cases. On the other hand, there are
> > some use cases (in particular statically defined embedded systems)
> > where our technique could be adopted with minimal friction.
> 
> From what you wrote, this sounds very much like the project Citrix and
> Amazon worked on called "Secret-free hypervisor" with a twist. In your case,
> you want to prevent the hypervisor from mapping/unmapping the guest memory.
> 
> You can find some details in [1]. The code is x86 only, but I don't see any
> major blocker to port it on arm64.

Is there any way the secret-free hypervisor code could be upstreamed?
My understanding is that it would enable guests to use SMT without
risking the host, which would be amazing.

> >     Virtualized MMIO on arm needs to decode certain load/store
> >     instructions
> 
> On Arm, this can be avoided if the guest OS is not using such instructions.
> In fact they were only added to cater "broken" guest OS.
> 
> Also, this will probably be a lot more difficult on x86 as, AFAIK, there is
> no instruction syndrome. So you will need to decode the instruction in order
> to emulate the access.

Is requiring the guest to emulate such instructions itself an option?
μXen, SEV-SNP, and TDX all do this.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
