[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RFC PATCH v3 3/5] KVM: x86: Add notifications for Heki policy configuration and violation

To: Nicolas Saenz Julienne <nsaenz@xxxxxxxxxx>
From: Mickaël Salaün <mic@xxxxxxxxxxx>
Date: Tue, 14 May 2024 14:23:42 +0200
Cc: Sean Christopherson <seanjc@xxxxxxxxxx>, Borislav Petkov <bp@xxxxxxxxx>, Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>, "H . Peter Anvin" <hpa@xxxxxxxxx>, Ingo Molnar <mingo@xxxxxxxxxx>, Kees Cook <keescook@xxxxxxxxxxxx>, Paolo Bonzini <pbonzini@xxxxxxxxxx>, Thomas Gleixner <tglx@xxxxxxxxxxxxx>, Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>, Wanpeng Li <wanpengli@xxxxxxxxxxx>, Rick P Edgecombe <rick.p.edgecombe@xxxxxxxxx>, Alexander Graf <graf@xxxxxxxxxx>, Angelina Vu <angelinavu@xxxxxxxxxxxxxxxxxxx>, Anna Trikalinou <atrikalinou@xxxxxxxxxxxxx>, Chao Peng <chao.p.peng@xxxxxxxxxxxxxxx>, Forrest Yuan Yu <yuanyu@xxxxxxxxxx>, James Gowans <jgowans@xxxxxxxxxx>, James Morris <jamorris@xxxxxxxxxxxxxxxxxxx>, John Andersen <john.s.andersen@xxxxxxxxx>, "Madhavan T . Venkataraman" <madvenka@xxxxxxxxxxxxxxxxxxx>, Marian Rotariu <marian.c.rotariu@xxxxxxxxx>, Mihai Donțu <mdontu@xxxxxxxxxxxxxxx>, Nicușor Cîțu <nicu.citu@xxxxxxxxxx>, Thara Gopinath <tgopinath@xxxxxxxxxxxxx>, Trilok Soni <quic_tsoni@xxxxxxxxxxx>, Wei Liu <wei.liu@xxxxxxxxxx>, Will Deacon <will@xxxxxxxxxx>, Yu Zhang <yu.c.zhang@xxxxxxxxxxxxxxx>, Ștefan Șicleru <ssicleru@xxxxxxxxxxxxxxx>, dev@xxxxxxxxxxxxxxxxxxxxxxxxx, kvm@xxxxxxxxxxxxxxx, linux-hardening@xxxxxxxxxxxxxxx, linux-hyperv@xxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, linux-security-module@xxxxxxxxxxxxxxx, qemu-devel@xxxxxxxxxx, virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx, x86@xxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx
Delivery-date: Tue, 14 May 2024 12:24:00 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Fri, May 10, 2024 at 10:07:00AM +0000, Nicolas Saenz Julienne wrote:
> On Tue May 7, 2024 at 4:16 PM UTC, Sean Christopherson wrote:
> > > If yes, that would indeed require a *lot* of work for something we're not
> > > sure will be accepted later on.
> >
> > Yes and no.  The AWS folks are pursuing VSM support in KVM+QEMU, and SVSM 
> > support
> > is trending toward the paired VM+vCPU model.  IMO, it's entirely feasible to
> > design KVM support such that much of the development load can be shared 
> > between
> > the projects.  And having 2+ use cases for a feature (set) makes it _much_ 
> > more
> > likely that the feature(s) will be accepted.
> 
> Since Sean mentioned our VSM efforts, a small update. We were able to
> validate the concept of one KVM VM per VTL as discussed in LPC. Right
> now only for single CPU guests, but are in the late stages of bringing
> up MP support. The resulting KVM code is small, and most will be
> uncontroversial (I hope). If other obligations allow it, we plan on
> having something suitable for review in the coming months.

Looks good!

> 
> Our implementation aims to implement all the VSM spec necessary to run
> with Microsoft Credential Guard. But note that some aspects necessary
> for HVCI are not covered, especially the ones that depend on MBEC
> support, or some categories of secure intercepts.

We already implemented support for MBEC, so that should not be an issue.
We just need to find the best interface to configure it.

> 
> Development happens
> https://github.com/vianpl/{linux,qemu,kvm-unit-tests} and the vsm-next
> branch, but I'd advice against looking into it until we add some order
> to the rework. Regardless, feel free to get in touch.

Thanks for the update.

Could we schedule a PUCK meeting to synchronize and help each other?
What about June 12?

Follow-Ups:
- Re: [RFC PATCH v3 3/5] KVM: x86: Add notifications for Heki policy configuration and violation
  - From: Nicolas Saenz Julienne
- Re: [RFC PATCH v3 3/5] KVM: x86: Add notifications for Heki policy configuration and violation
  - From: Sean Christopherson

References:
- [RFC PATCH v3 0/5] Hypervisor-Enforced Kernel Integrity - CR pinning
  - From: Mickaël Salaün
- [RFC PATCH v3 3/5] KVM: x86: Add notifications for Heki policy configuration and violation
  - From: Mickaël Salaün
- Re: [RFC PATCH v3 3/5] KVM: x86: Add notifications for Heki policy configuration and violation
  - From: Sean Christopherson
- Re: [RFC PATCH v3 3/5] KVM: x86: Add notifications for Heki policy configuration and violation
  - From: Mickaël Salaün
- Re: [RFC PATCH v3 3/5] KVM: x86: Add notifications for Heki policy configuration and violation
  - From: Sean Christopherson
- Re: [RFC PATCH v3 3/5] KVM: x86: Add notifications for Heki policy configuration and violation
  - From: Mickaël Salaün
- Re: [RFC PATCH v3 3/5] KVM: x86: Add notifications for Heki policy configuration and violation
  - From: Sean Christopherson
- Re: [RFC PATCH v3 3/5] KVM: x86: Add notifications for Heki policy configuration and violation
  - From: Nicolas Saenz Julienne

Prev by Date: [xen-unstable test] 185993: tolerable FAIL
Next by Date: Re: [PATCH V3 (resend) 07/19] xen/x86: Add support for the PMAP
Previous by thread: Re: [RFC PATCH v3 3/5] KVM: x86: Add notifications for Heki policy configuration and violation
Next by thread: Re: [RFC PATCH v3 3/5] KVM: x86: Add notifications for Heki policy configuration and violation
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.