Re: [PATCH Part2 v5 00/45] Add AMD Secure Nested Paging (SEV-SNP) Hypervisor Support

From: Joerg Roedel
Date: Mon Nov 15 2021 - 11:52:21 EST

Next message: Andrea Righi: "[PATCH] selftests/seccomp: fix check of fds being assigned"
Previous message: Rob Clark: "Re: [PATCH 2/2] drm/msm: Restore error return on invalid fence"
In reply to: Sean Christopherson: "Re: [PATCH Part2 v5 00/45] Add AMD Secure Nested Paging (SEV-SNP) Hypervisor Support"
Next in thread: Brijesh Singh: "Re: [PATCH Part2 v5 00/45] Add AMD Secure Nested Paging (SEV-SNP) Hypervisor Support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Nov 13, 2021 at 06:28:16PM +0000, Sean Christopherson wrote:
> Another issue is that the host kernel, which despite being "untrusted", absolutely
> should be acting in the best interests of the guest. Allowing userspace to inject
> #VC, e.g. to attempt to attack the guest by triggering a spurious PVALIDATE, means
> the kernel is failing miserably on that front.

Well, no. The kernel is only a part of the hypervisor, KVM userspace is
another. It is possible today for the userspace part(s) to interact in bad
ways with the guest and trick or kill it. Allowing user-space to cause a
#VC in the guest is no different from that.

Regards,

--
Jörg Rödel
jroedel@xxxxxxx

SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany

(HRB 36809, AG Nürnberg)
Geschäftsführer: Ivo Totev

Next message: Andrea Righi: "[PATCH] selftests/seccomp: fix check of fds being assigned"
Previous message: Rob Clark: "Re: [PATCH 2/2] drm/msm: Restore error return on invalid fence"
In reply to: Sean Christopherson: "Re: [PATCH Part2 v5 00/45] Add AMD Secure Nested Paging (SEV-SNP) Hypervisor Support"
Next in thread: Brijesh Singh: "Re: [PATCH Part2 v5 00/45] Add AMD Secure Nested Paging (SEV-SNP) Hypervisor Support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]