Re: [PATCH] KVM: arm64: Use different pointer authentication keys for pKVM

From: Mostafa Saleh
Date: Mon Jun 12 2023 - 05:27:19 EST

Next message: tip-bot2 for Borislav Petkov (AMD): "[tip: x86/microcode] x86/microcode/AMD: Load late on both threads too"
Previous message: Petr Oros: "Re: [RFC PATCH v8 06/10] netdev: expose DPLL pin handle for netdevice"
In reply to: Will Deacon: "Re: [PATCH] KVM: arm64: Use different pointer authentication keys for pKVM"
Next in thread: Oliver Upton: "Re: [PATCH] KVM: arm64: Use different pointer authentication keys for pKVM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Jun 08, 2023 at 10:55:26PM +0100, Will Deacon wrote:
> On Mon, May 29, 2023 at 11:17:51AM +0000, Mostafa Saleh wrote:
> > On Fri, May 26, 2023 at 08:47:52PM +0000, Oliver Upton wrote:
> > > On Tue, May 16, 2023 at 02:15:31PM +0000, Mostafa Saleh wrote:
> > > > When the kernel is compiled with CONFIG_ARM64_PTR_AUTH_KERNEL, it
> > > > uses Armv8.3-Pauth for return address protection for the kernel code
> > > > including nvhe code in EL2.
> > > >
> > > > Same keys are used in both kernel(EL1) and nvhe code(EL2), this is
> > > > fine for nvhe but not when running in protected mode(pKVM) as the host
> > > > can't be trusted.
> > >
> > > But we trust it enough to hand pKVM a fresh set of keys before firing
> > > off? I understand there is some degree of initialization required to get
> > > pKVM off the ground, but I question in this case if key handoff is
> > > strictly necessary.
> > >
> > > There are potentially other sources of random directly available at EL2,
> > > such as the SMCCC TRNG ABI or FEAT_RNG. Should pKVM prefer one of these
> > > random implementations and only fall back to host-provided keys if
> > > absolutely necessary?
> > >
> > According to my understanding, the kernel is still completely trusted at
> > this point (it sets the initial page table for the hypervisor), so I
> > believe it should be fine to trust it for ptrauth keys. However, I agree,
> > it would be better if the hypervisor can get its own keys through
> > firmware/hardware if supported. I will add this in V2.
>
> I appreciate the sentiment, but I think we should avoid adding additional
> complexity here if it adds no security benefit. If nothing else, it adds
> pointless overhead, but beyond that it gives the false illusion of a
> security boundary.
>
> Prior to deprivilege, the kernel can write to the hypervisor text, modify
> its stage-1 page-table and change its data values. I think the pointer
> auth keys are the least of our worries if it's compromised...

Thanks a lot Will for explaining this.

Oliver, what do you think for V2, about it including FEAT_RNG/TRNG in EL2?

Thanks,
Mostafa

Next message: tip-bot2 for Borislav Petkov (AMD): "[tip: x86/microcode] x86/microcode/AMD: Load late on both threads too"
Previous message: Petr Oros: "Re: [RFC PATCH v8 06/10] netdev: expose DPLL pin handle for netdevice"
In reply to: Will Deacon: "Re: [PATCH] KVM: arm64: Use different pointer authentication keys for pKVM"
Next in thread: Oliver Upton: "Re: [PATCH] KVM: arm64: Use different pointer authentication keys for pKVM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]